Set Up SAML Authentication
Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider (IdP) and a service provider. SAML is a product of the OASIS Security Services Technical Committee.
- Create a server profile. The server profile identifies the external authentication service and instructs the firewall how to connect to that authentication service and access the authentication credentials for your users.
- Select Device > Server Profiles > SAML Identity Provider.
- Click Add and enter a Profile Name, such as GP-User-Auth.
- If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.
- Import the IdP metadata file. Refer to SAML 2.0 Authentication for details. Alternatively, if the IdP doesn't provide a metadata file, Add the server profile and then enter the connection and registration information manually.
- Click OK to save the server profile.
- (Optional) Create an authentication profile. The authentication profile specifies the server profile for the portal or gateways to use when they authenticate users. On a portal or gateway, you can assign one or more authentication profiles in one or more client authentication profiles. For descriptions of how an authentication profile within a client authentication profile supports granular user authentication, see Configure a GlobalProtect Gateway and Set Up Access to the GlobalProtect Portal. With GlobalProtect app 5.0 and later releases, SAML authentication supports the pre-logon connect method, which enables users to connect and change their own expired passwords without administrative intervention (Remote Access VPN with Pre-Logon).
- Select Device > Authentication Profile and Add a new profile.
- Enter a Name for the profile and then select SAML as the authentication Type.
- Select the SAML authentication Server Profile that you created in Step 1 from the drop-down.
- Select the following to configure certificate authentication between the firewall and the SAML identity provider. Refer to SAML 2.0 Authentication for details.
- The Request Signing Certificate that the firewall uses to sign messages it sends to the IdP.
- The Certificate Profile that the firewall uses to validate the Identity Provider Certificate.
- Specify the username and admin role formats.
Unlike other types of external authentication, there is no User Domain attribute in the authentication profiles for SAML.
- Specify the Username Attribute and User Group Attribute.
- (Optional) If you will use this profile to authenticate administrative accounts that you manage in the IdP identity store, also specify the Admin Role Attribute and Access Domain Attribute.
- Select the Advanced tab.
- In the Allow List, Add and then select the users and groups that are allowed to authenticate with this profile. Selecting the predefined all option allows every user to authenticate. By default, the list has no entries, which means no users can authenticate. Make sure the username in the Allow List matches the username returned from the SAML IdP server.
- Commit the configuration. Click Commit.