Set Up SAML Authentication

Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider (IdP) and a service provider (SP). In a GlobalProtect deployment the firewall (portal or gateway) is the SP: it redirects the user to the IdP and consumes the signed assertion the IdP returns. SAML is a product of the OASIS Security Services Technical Committee.
  1. Create a server profile.
    The server profile identifies the external authentication service and instructs the firewall how to connect to that authentication service and access the authentication credentials for your users.
    1. Select Device > Server Profiles > SAML Identity Provider.
    2. Click Add and enter a Profile Name, such as GP-User-Auth.
    3. If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.
    4. Import the IdP metadata file. The metadata supplies the values the profile is built from (the IdP entity ID, the single sign-on URL, and the IdP signing certificate). Because importing it is what makes the firewall trust that certificate, obtain the file from the IdP over a trusted channel and confirm its contents before you import it. Refer to SAML 2.0 Authentication for details.
      Alternatively, if the IdP doesn't provide a metadata file, Add the server profile and then enter the connection and registration information manually.
    5. Click OK to save the server profile.
  2. (Optional) Create an authentication profile.
    The authentication profile specifies the server profile for the portal or gateways to use when they authenticate users. On a portal or gateway, you can assign one or more authentication profiles in one or more client authentication profiles. For descriptions of how an authentication profile within a client authentication profile supports granular user authentication, see Configure a GlobalProtect Gateway and Set Up Access to the GlobalProtect Portal.
    With GlobalProtect app 5.0 and later releases, SAML authentication also supports the pre-logon connect method, which lets users connect and change their own expired passwords without administrative intervention (see Remote Access VPN with Pre-Logon).
    1. Select Device > Authentication Profile and Add a new profile.
    2. Enter a Name for the profile and then select SAML as the authentication Type.
    3. Select the SAML authentication Server Profile that you created in Step 1 from the drop-down.
    4. Select the following to configure certificate authentication between the firewall and the SAML identity provider. Refer to SAML 2.0 Authentication for details.
      • The Request Signing Certificate that the firewall uses to sign the messages it sends to the IdP (required if the IdP expects signed authentication requests).
      • The Certificate Profile that the firewall uses to validate the Identity Provider Certificate. This check is what ties an incoming assertion to the IdP's signing key, so the profile should trust only the certificate (or issuing CA) that the IdP actually signs with.
    5. Specify the username and admin role formats.
      • Specify the Username Attribute and User Group Attribute.
      Unlike other types of external authentication, there is no User Domain attribute in the authentication profiles for SAML.
      • (Optional) If you will use this profile to authenticate administrative accounts that you manage in the IdP identity store, specify the Admin Role Attribute and Access Domain Attribute also.
    6. Select the Advanced tab.
    7. In the Allow List, Add and then select the users and groups that are allowed to authenticate with this profile. Selecting the predefined all option allows every user to authenticate. By default, the list has no entries, which means no users can authenticate.
      Make sure each username in the Allow List matches the value the SAML IdP returns in the Username Attribute, exactly as returned (including any domain or email-style suffix the IdP appends); there is no User Domain setting to normalize it.
    8. Click OK.
  3. Commit the configuration.
    Click Commit.
