SAML SSO for GlobalProtect on Chromebooks
The GlobalProtect app for Chromebooks now supports SAML single sign-on.
Software Support: Starting with GlobalProtect™ App 4.1 and with PAN-OS® 8.0 and later releases
OS Support: Chrome OS 45 and later releases
The GlobalProtect app for Chromebooks (Chrome OS) now supports Security Assertion Markup Language (SAML) single sign-on (SSO). If you configure SAML as the authentication standard for Chromebooks, end users authenticate to GlobalProtect by leveraging the same login they use to access their Chromebook applications. This feature enables end users to connect to GlobalProtect automatically without having to re-enter their credentials on the GlobalProtect app.
In this implementation, Google acts as the SAML service provider while the GlobalProtect app authenticates users directly to their organization’s SAML identity provider.
GlobalProtect currently supports only the Post SAML HTTP binding method.
To use SAML SSO for Chrome applications, end users must install the SAML SSO for Chrome Apps Google extension on their Chromebooks. This extension allows users to access multiple Chrome applications during a single login session by sending the user’s SAML SSO cookies to all applications that are whitelisted by an administrator.
Use the following steps to configure SAML SSO for Chrome applications:
- Set up SAML authentication for GlobalProtect.
  - Create a server profile with settings for access to the SAML authentication service.
  - Create an authentication profile that refers to the SAML server profile.
- Specify a SAML authentication profile for Chrome gateway users.
  - On the Authentication tab of the GlobalProtect gateway configuration, select a SAML Authentication Profile or create a new SAML profile for the gateway. This profile is used to authenticate endpoints seeking access to the gateway.
  - (Optional) Select a Certificate Profile for client gateway authentication. The client certificate must be pre-deployed or deployed using the Simple Certificate Enrollment Protocol (SCEP).
- Define the GlobalProtect client authentication configurations on the GlobalProtect portal.
- Specify a SAML authentication profile for the portal.
  - On the Authentication tab of the GlobalProtect portal configuration, select a SAML Authentication Profile or create a new SAML profile for the portal. This profile is used to authenticate endpoints seeking access to the portal.
  - (Optional) Select a Certificate Profile for client portal authentication. A valid client certificate must be pre-deployed on all Chromebooks if you configure the Certificate Profile.
- Install the SAML SSO for Chrome Apps extension from Google. This extension enables SAML SSO for Chrome applications.
  - Launch the Chrome Web Store and install the SAML SSO for Chrome Apps extension.
- For GlobalProtect to support SAML SSO, you must add the GlobalProtect application ID (nicidmbokaedpmoegdbcebhnchpegcdc) to the whitelist in the SAML SSO for Chrome Apps extension configuration file.
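
Because every whitelisted application receives the user's SAML SSO cookies, it is worth auditing the extension's whitelist after adding the GlobalProtect application ID. The following check is an added example, not code from Palo Alto Networks or Google. The `whitelist`/`Value`/`appId`/`domain` layout, the sample policy and the host `idp.example.com` are assumptions constructed for illustration.

```python
import json
import re

# Application ID taken from the page; Chrome app IDs are 32 characters in a-p.
GLOBALPROTECT_APP_ID = "nicidmbokaedpmoegdbcebhnchpegcdc"
APP_ID_RE = re.compile(r"[a-p]{32}")

# Constructed sample. The whitelist/Value/appId/domain layout is an assumption
# about the extension's configuration file; idp.example.com is a placeholder.
SAMPLE_POLICY = """
{
  "whitelist": {
    "Value": [
      {"appId": "nicidmbokaedpmoegdbcebhnchpegcdc", "domain": "idp.example.com"},
      {"appId": "not-a-valid-id", "domain": "idp.example.com"},
      {"appId": "abcdefghijklmnopabcdefghijklmnop", "domain": ""}
    ]
  }
}
"""

def audit_whitelist(policy_text, required_id=GLOBALPROTECT_APP_ID):
    """Return (required_present, findings) for a whitelist policy document."""
    entries = json.loads(policy_text).get("whitelist", {}).get("Value", [])
    findings = []
    seen = set()
    for index, entry in enumerate(entries):
        app_id = entry.get("appId", "")
        domain = entry.get("domain", "")
        if not APP_ID_RE.fullmatch(app_id):
            findings.append(f"entry {index}: malformed appId {app_id!r}")
        elif app_id in seen:
            findings.append(f"entry {index}: duplicate appId {app_id}")
        else:
            seen.add(app_id)
        # Hygiene check added for this example: cookies should be scoped
        # to one named identity provider host, not an empty or wildcard value.
        if not domain or "*" in domain:
            findings.append(f"entry {index}: domain not pinned to one IdP host")
    if required_id not in seen:
        findings.append(f"required appId {required_id} is missing")
    return required_id in seen, findings

if __name__ == "__main__":
    present, findings = audit_whitelist(SAMPLE_POLICY)
    print("GlobalProtect whitelisted:", present)
    for finding in findings:
        print(" -", finding)
```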