GlobalProtect
SAML Authentication with Cloud Authentication Service
Table of Contents
Expand All
|
Collapse All
GlobalProtect Docs
-
10.1 & Later
- 10.1 & Later
- 9.1 (EoL)
-
- How Does the App Know Which Certificate to Supply?
- Set Up Cloud Identity Engine Authentication
- Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications
- Enable Delivery of VSAs to a RADIUS Server
- Enable Group Mapping
-
-
- GlobalProtect App Minimum Hardware Requirements
- Download the GlobalProtect App Software Package for Hosting on the Portal
- Host App Updates on the Portal
- Host App Updates on a Web Server
- Test the App Installation
- Download and Install the GlobalProtect Mobile App
- View and Collect GlobalProtect App Logs
-
-
- Deploy App Settings in the Windows Registry
- Deploy App Settings from Msiexec
- Deploy Scripts Using the Windows Registry
- Deploy Scripts Using Msiexec
- Deploy Connect Before Logon Settings in the Windows Registry
- Deploy GlobalProtect Credential Provider Settings in the Windows Registry
- SSO Wrapping for Third-Party Credential Providers on Windows Endpoints
- Enable SSO Wrapping for Third-Party Credentials with the Windows Registry
- Enable SSO Wrapping for Third-Party Credentials with the Windows Installer
- Deploy App Settings to Linux Endpoints
- GlobalProtect Processes to be Whitelisted on EDR Deployments
-
-
- Mobile Device Management Overview
- Set Up the MDM Integration With GlobalProtect
- Qualified MDM Vendors
-
-
- Set Up the Microsoft Intune Environment for Android Endpoints
- Deploy the GlobalProtect App on Android Endpoints Using Microsoft Intune
- Create an App Configuration on Android Endpoints Using Microsoft Intune
- Configure Lockdown Mode for Always On Connect Method on Android Endpoints Using Microsoft Intune
-
- Deploy the GlobalProtect Mobile App Using Microsoft Intune
- Configure an Always On VPN Configuration for iOS Endpoints Using Microsoft Intune
- Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using Microsoft Intune
- Configure a Per-App VPN Configuration for iOS Endpoints Using Microsoft Intune
-
-
-
- Create a Smart Computer Group for GlobalProtect App Deployment
- Create a Single Configuration Profile for the GlobalProtect App for macOS
- Deploy the GlobalProtect Mobile App for macOS Using Jamf Pro
-
- Enable GlobalProtect System Extensions on macOS Endpoints Using Jamf Pro
- Enable GlobalProtect Network Extensions on macOS Big Sur Endpoints Using Jamf Pro
- Add a Configuration Profile for the GlobalProtect Enforcer by Using Jamf Pro 10.26.0
- Verify Configuration Profiles Deployed by Jamf Pro
- Remove System Extensions on macOS Monterey Endpoints Using Jamf Pro
- Non-Removable System Extensions on macOS Sequoia Endpoints Using Jamf Pro
- Uninstall the GlobalProtect Mobile App Using Jamf Pro
-
- Configure HIP-Based Policy Enforcement
- Configure HIP Exceptions for Patch Management
- Collect Application and Process Data From Endpoints
- Redistribute HIP Reports
-
- Identification and Quarantine of Compromised Devices Overview and License Requirements
- View Quarantined Device Information
- Manually Add and Delete Devices From the Quarantine List
- Automatically Quarantine a Device
- Use GlobalProtect and Security Policies to Block Access to Quarantined Devices
- Redistribute Device Quarantine Information from Panorama
- Troubleshoot HIP Issues
-
-
- Enable and Verify FIPS-CC Mode on Windows Endpoints
- Enable and Verify FIPS-CC Mode on macOS Endpoints
- Enable and Verify FIPS-CC Mode Using Workspace ONE on iOS Endpoints
- Enable FIPS Mode on Linux EndPoints with Ubuntu or RHEL
- Enable and Verify FIPS-CC Mode Using Microsoft Intune on Android Endpoints
- FIPS-CC Security Functions
- Resolve FIPS-CC Mode Issues
-
-
- Remote Access VPN (Authentication Profile)
- Remote Access VPN (Certificate Profile)
- Remote Access VPN with Two-Factor Authentication
- GlobalProtect Always On VPN Configuration
- Remote Access VPN with Pre-Logon
- User-Initiated Pre-Logon Connection
- GlobalProtect Multiple Gateway Configuration
- GlobalProtect for Internal HIP Checking and User-Based Access
- Mixed Internal and External Gateway Configuration
- Captive Portal and Enforce GlobalProtect for Network Access
- GlobalProtect on Windows 365 Cloud PC
-
- About GlobalProtect Cipher Selection
- Cipher Exchange Between the GlobalProtect App and Gateway
-
- Reference: GlobalProtect App Cryptographic Functions
-
- Reference: TLS Ciphers Supported by GlobalProtect Apps on macOS Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Android 6.0.1 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on iOS 10.2.1 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Chromebooks
- Ciphers Used to Set Up IPsec Tunnels
- SSL APIs
-
- View a Graphical Display of GlobalProtect User Activity in PAN-OS
- View All GlobalProtect Logs on a Dedicated Page in PAN-OS
- Event Descriptions for the GlobalProtect Logs in PAN-OS
- Filter GlobalProtect Logs for Gateway Latency in PAN-OS
- Restrict Access to GlobalProtect Logs in PAN-OS
- Forward GlobalProtect Logs to an External Service in PAN-OS
- Configure Custom Reports for GlobalProtect in PAN-OS
-
6.3
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1
-
- Download and Install the GlobalProtect App for Windows
- Use Connect Before Logon
- Use Single Sign-On for Smart Card Authentication
- Use the GlobalProtect App for Windows
- Report an Issue From the GlobalProtect App for Windows
- Disconnect the GlobalProtect App for Windows
- Uninstall the GlobalProtect App for Windows
- Fix a Microsoft Installer Conflict
-
- Download and Install the GlobalProtect App for macOS
- Use the GlobalProtect App for macOS
- Report an Issue From the GlobalProtect App for macOS
- Disconnect the GlobalProtect App for macOS
- Uninstall the GlobalProtect App for macOS
- Remove the GlobalProtect Enforcer Kernel Extension
- Enable the GlobalProtect App for macOS to Use Client Certificates for Authentication
-
6.0
- 6.1
- 6.0
- 5.1
-
- Redesigned GlobalProtect App User Interface for Windows and macOS
- Endpoint Traffic Policy Enforcement
- Improved Connectivity Experience for the GlobalProtect App for Android and iOS
- Security Policy Enforcement for Inactive GlobalProtect Sessions
- Single Sign-On (SSO) Using Smart Card Authentication
- Delivery Optimization Support for Windows
- Improved Authentication Experience for the GlobalProtect App for Windows and macOS
- SAML Authentication with Cloud Authentication Service
- No Direct Access to Local Network Support for Linux
-
6.3
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1
SAML Authentication with Cloud Authentication Service
Learn how to set up SAML authentication for GlobalProtect
users using the Cloud Authentication Service.
Software Support: Starting with GlobalProtect™
app 6.0 and running PAN-OS 10.1.0 release
OS Support:
Linux (XML file changes), Windows (requires Windows Installer [Msiexec]
setting changes), macOS (requires property lists [plists] changes),
iOS (requires MDM setting changes), and Android (requires MDM setting
changes)
Browser Support: Windows (Chrome, Edge, Internet
Explorer, and Firefox), macOS (Safari, Chrome, and Firefox), Android
(Chrome), iOS (Safari), and Linux (Firefox and Chrome). You must
use the default system browser with
this feature; the embedded browser is not supported.
If you
have configured the GlobalProtect portal to authenticate end users
through Security Assertion Markup Language (SAML) authentication,
you can now integrate the Cloud Authentication Service as a cloud-based service
to allow end users to connect to the GlobalProtect app using SAML-based
Identity Providers (IdPs) such as Onelogin or Okta without having
them to re-enter their credentials, for a seamless single sign-on
(SSO) experience. End users can benefit from using the default system
browser for SAML authentication with the Cloud Authentication Service
because they can leverage the same login for GlobalProtect with
their saved user credentials on the default system browser such
as Chrome, Firefox, or Safari.
If the Enforcer status
is enabled, you must configure exclusions for the URLs that contain
IP addresses or fully qualified domain names of the configured SAML
IdPs for the portal and gateway by entering them to Allow
traffic to specified FQDN when Enforce GlobalProtect Connection
for Network Access is enabled and GlobalProtect Connection is not
established as an app setting in the App
Configurations area of the GlobalProtect portal.
When
the end user attempts to authenticate, the authentication request
redirects to the Cloud Authentication Service, which redirects the
request to the IdP. After the IdP authenticates the end user, the
firewall maps the user and applies the security policy.
By
using a cloud-based solution, you can reallocate the resources required
for authentication from the firewall or Panorama to the cloud. The
Cloud Authentication Service also enables you to configure the authentication source
once instead of for each authentication method, such as GlobalProtect
authentication.
- Follow the instructions to use the default system browser for SAML authentication.
- Prepare to deploy the Cloud Authentication Service.
- If you have not already done so, install the device certificate for your firewall or Panorama.
- If you have not already done so, activate the Cloud Identity Engine app.
- Configure an IdP for the Cloud Identity Engine for user authentication.
- Configure an Authentication profile to use the Cloud Authentication Service.
- Configure an Authentication policy that uses this Authentication profile.
- Assign the authentication profile to the portal and/or
gateway.You can add the authentication profile to the portal or gateway configuration. For details on setting up these components, see GlobalProtect Portals and GlobalProtect Gateways.
- Select NetworkGlobalProtectPortals or Gateways.
- Select an existing portal or gateway configuration or Add a new one.
- Select an existing Client Authentication configuration or Add a new one.
- Select the Authentication Profile that you configured to use the Cloud Authentication Service.
- Click OK to save the configuration.
- Verify end users can successfully authenticate to the
ldP using their saved credentials, and that the access request redirects
to the Cloud Authentication Service.
- Select Refresh Connection, Connect,
or Enable on the GlobalProtect app to initiate
the connection.A new tab on the default browser of the system will open for SAML authentication.
- Login using the username and password to authenticate
on the ldP. For example:
- After end users can successfully authenticate on the
ldP, launch the GlobalProtect app from the dialog on the default
system browser.End users can save their user preference settings on the default system browser to always open the URL with the associated GlobalProtect app so that the app will automatically open for the URLs or portals and gateways.
- Connect to the GlobalProtect app or other SAML-enabled
applications without re-entering the user credentials. If you enabled GlobalProtect Clientless VPN access, the applications page opens and end users can see the list of web applications that they can launch without re-entering their credentials.
- Select Refresh Connection, Connect,
or Enable on the GlobalProtect app to initiate
the connection.