SAML Authentication with Cloud Authentication Service

Learn how to set up SAML authentication for GlobalProtect users using the Cloud Authentication Service.
Software Support
: Starting with GlobalProtect™ app 6.0 and running PAN-OS 10.1.0 release
OS Support
: Linux (XML file changes), Windows (requires Windows Installer [Msiexec] setting changes), macOS (requires property lists [plists] changes), iOS (requires MDM setting changes), and Android (requires MDM setting changes)
Browser Support
: Windows (Chrome, Edge, Internet Explorer, and Firefox), macOS (Safari, Chrome, and Firefox), Android (Chrome), iOS (Safari), and Linux (Firefox and Chrome). You must use the default system browser with this feature; the embedded browser is not supported.
If you have configured the GlobalProtect portal to authenticate end users through Security Assertion Markup Language (SAML) authentication, you can now integrate the Cloud Authentication Service as a cloud-based service to allow end users to connect to the GlobalProtect app using SAML-based Identity Providers (IdPs) such as Onelogin or Okta without having them to re-enter their credentials, for a seamless single sign-on (SSO) experience. End users can benefit from using the default system browser for SAML authentication with the Cloud Authentication Service because they can leverage the same login for GlobalProtect with their saved user credentials on the default system browser such as Chrome, Firefox, or Safari.
If the Enforcer status is enabled, you must configure exclusions for the URLs that contain IP addresses or fully qualified domain names of the configured SAML IdPs for the portal and gateway by entering them to
Allow traffic to specified FQDN when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established
as an app setting in the
App Configurations
area of the GlobalProtect portal.
When the end user attempts to authenticate, the authentication request redirects to the Cloud Authentication Service, which redirects the request to the IdP. After the IdP authenticates the end user, the firewall maps the user and applies the security policy.
By using a cloud-based solution, you can reallocate the resources required for authentication from the firewall or Panorama to the cloud. The Cloud Authentication Service also enables you to configure the authentication source once instead of for each authentication method, such as GlobalProtect authentication.
  1. Prepare to deploy the Cloud Authentication Service.
    1. If you have not already done so, install the device certificate for your firewall or Panorama.
    2. If you have not already done so, activate the Cloud Identity Engine app.
  2. Configure an IdP for the Cloud Identity Engine for user authentication.
  3. Configure an Authentication profile to use the
    Cloud Authentication Service
  4. Configure an Authentication policy that uses this Authentication profile.
  5. Assign the authentication profile to the portal and/or gateway.
    You can add the authentication profile to the portal or gateway configuration. For details on setting up these components, see GlobalProtect Portals and GlobalProtect Gateways.
    1. Select
    2. Select an existing portal or gateway configuration or
      a new one.
    3. Select an existing Client Authentication configuration or
      a new one.
    4. Select the
      Authentication Profile
      that you configured to use the Cloud Authentication Service.
    5. Click
      to save the configuration.
  6. Verify end users can successfully authenticate to the ldP using their saved credentials, and that the access request redirects to the Cloud Authentication Service.
    1. Select
      Refresh Connection
      , or
      on the GlobalProtect app to initiate the connection.
      A new tab on the default browser of the system will open for SAML authentication.
    2. Login using the username and password to authenticate on the ldP. For example:
    3. After end users can successfully authenticate on the ldP, launch the GlobalProtect app from the dialog on the default system browser.
      End users can save their user preference settings on the default system browser to always open the URL with the associated GlobalProtect app so that the app will automatically open for the URLs or portals and gateways.
    4. Connect to the GlobalProtect app or other SAML-enabled applications without re-entering the user credentials.
      If you enabled GlobalProtect Clientless VPN access, the applications page opens and end users can see the list of web applications that they can launch without re-entering their credentials.

Recommended For You