SAML SSO for GlobalProtect on Chromebooks

The GlobalProtect app for Chromebooks now supports SAML single sign-on.
Software Support: Starting with GlobalProtect™ App 4.1 and with PAN-OS® 8.0 and later releases
OS Support: Chrome OS 45 and later releases
The GlobalProtect app for Chromebooks (Chrome OS) now supports Security Assertion Markup Language (SAML) single sign-on (SSO). If you configure SAML as the authentication standard for Chromebooks, end users authenticate to GlobalProtect by leveraging the same login they use to access their Chromebook applications. This feature enables end users to connect to GlobalProtect automatically without having to re-enter their credentials on the GlobalProtect app.
In this implementation, Google acts as the SAML service provider while the GlobalProtect app authenticates users directly to their organization’s SAML identity provider.
GlobalProtect currently supports only the Post SAML HTTP binding method.
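Because only the Post binding is supported, it is worth confirming that the identity provider's metadata advertises an HTTP-POST single sign-on endpoint before you build the SAML server profile. The following Python check is an added example, not code from Palo Alto Networks or Google; the function names are hypothetical and the metadata for idp.example.com is constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def sample_metadata(bindings):
    """Build constructed metadata for a hypothetical IdP at idp.example.com."""
    services = "".join(
        f'<SingleSignOnService Binding="{b}" '
        f'Location="https://idp.example.com/sso/{i}"/>'
        for i, b in enumerate(bindings)
    )
    return (
        f'<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.com/saml">'
        '<IDPSSODescriptor '
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{services}</IDPSSODescriptor></EntityDescriptor>"
    )


def sso_bindings(metadata_xml):
    """Map each SSO binding URI in the IdP metadata to its Location URLs."""
    # Metadata never needs a DTD; refuse it rather than let the parser expand entities.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD or entity declaration in SAML metadata")
    root = ET.fromstring(metadata_xml)
    path = f".//{{{MD_NS}}}IDPSSODescriptor/{{{MD_NS}}}SingleSignOnService"
    found = {}
    for svc in root.findall(path):
        found.setdefault(svc.get("Binding"), []).append(svc.get("Location"))
    return found


def post_sso_endpoints(metadata_xml):
    """Return the SSO endpoints usable when only HTTP-POST is supported."""
    return sso_bindings(metadata_xml).get(HTTP_POST, [])


if __name__ == "__main__":
    for name, md in [
        ("redirect+post", sample_metadata([HTTP_REDIRECT, HTTP_POST])),
        ("redirect only", sample_metadata([HTTP_REDIRECT])),
    ]:
        endpoints = post_sso_endpoints(md)
        print(name, "->", endpoints or "no HTTP-POST SSO endpoint; not usable here")
```

An empty result means the identity provider must be reconfigured to expose an HTTP-POST single sign-on endpoint before its metadata is imported.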
To use SAML SSO for Chrome applications, end users must install the SAML SSO for Chrome Apps Google extension on their Chromebooks. This extension allows users to access multiple Chrome applications during a single login session by sending the user’s SAML SSO cookies to all applications that are whitelisted by an administrator.
Use the following steps to configure SAML SSO for Chrome applications:
  1. Set up SAML authentication for GlobalProtect.
    • Create a server profile with settings for access to the SAML authentication service.
    • Create an authentication profile that refers to the SAML server profile.
    1. Specify a SAML authentication profile for Chrome gateway users.
      • On the Authentication tab of the GlobalProtect gateway configuration, select a SAML Authentication Profile or create a new SAML profile for the gateway. This profile is used to authenticate endpoints seeking access to the gateway.
    2. (Optional) Select a Certificate Profile for client gateway authentication. The client certificate must be pre-deployed or deployed using the Simple Certificate Enrollment Protocol (SCEP).
    1. Specify a SAML authentication profile for the portal.
      • On the Authentication tab of the GlobalProtect portal configuration, select a SAML Authentication Profile or create a new SAML profile for the portal. This profile is used to authenticate endpoints seeking access to the portal.
    2. (Optional) Select a Certificate Profile for client portal authentication. A valid client certificate must be pre-deployed on all Chromebooks if you configure the Certificate Profile.
  2. Install the SAML SSO for Chrome Apps extension from Google. This extension enables SAML SSO for Chrome applications.
    Launch the Chrome Web Store and install the SAML SSO for Chrome Apps extension.
    • For GlobalProtect to support SAML SSO, you must add the GlobalProtect application ID (nicidmbokaedpmoegdbcebhnchpegcdc) to the whitelist in the SAML SSO for Chrome Apps extension configuration file.
