End-of-Life (EoL)

Set Up SAML Authentication

Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider (IdP) and a service provider (SP). In this configuration the firewall (GlobalProtect portal or gateway) is the service provider. SAML is a product of the OASIS Security Services Technical Committee.
  1. Create a server profile.
    The server profile identifies the external authentication service (the SAML IdP) and tells the firewall how to connect to that service and obtain the authentication credentials for your users.
    1. Select Device > Server Profiles > SAML Identity Provider.
    2. Click Add and enter a Profile Name, such as GP-User-Auth.
    3. If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.
    4. Import the IdP metadata file. Refer to SAML 2.0 Authentication for details.
      Alternatively, if the IdP doesn't provide a metadata file, Add the server profile and then enter the connection and registration information (the IdP entity ID, the SSO URL and binding, and the IdP signing certificate) manually.
    5. Click OK to save the server profile.
  2. Create an authentication profile.
    The authentication profile specifies the server profile that the portal or gateways use when they authenticate users. On a portal or gateway, you can assign one or more authentication profiles within one or more client authentication profiles. For a description of how an authentication profile within a client authentication profile supports granular user authentication, see Configure a GlobalProtect Gateway and Set Up Access to the GlobalProtect Portal.
    With GlobalProtect app 5.0 and later releases, SAML authentication supports the pre-logon connect method, which enables users to connect and change their own expired passwords without administrative intervention (see Remote Access VPN with Pre-Logon).
    1. Select Device > Authentication Profile and Add a new profile.
    2. Enter a Name for the profile and then select SAML as the authentication Type.
    3. Select the SAML authentication Server Profile that you created in Step 1 from the drop-down.
    4. Select the following to configure certificate authentication between the firewall and the SAML identity provider. Refer to SAML 2.0 Authentication for details.
      • The Request Signing Certificate that the firewall uses to sign the messages it sends to the IdP.
      • The Certificate Profile that the firewall uses to validate the Identity Provider Certificate. Without a certificate profile the firewall does not validate the IdP certificate, so set one for any production deployment.
    5. Specify the username and admin role formats.
      • Specify the Username Attribute and the User Group Attribute. These names must match the attribute names that the IdP includes in its assertions.
      Unlike other types of external authentication, there is no User Domain attribute in the authentication profiles for SAML.
      • If you will use this profile to authenticate administrative accounts that you manage in the IdP identity store, specify the Admin Role Attribute and the Access Domain Attribute.
    6. Select the Advanced tab.
    7. In the Allow List, Add and then select the users and groups that are allowed to authenticate with this profile. Selecting the predefined all option allows every user to authenticate. By default, the list has no entries, which means no users can authenticate.
      Make sure the username in the Allow List matches the username returned by the SAML IdP exactly; for example, jdoe and jdoe@example.com are different users to the firewall.
    8. Click OK.
  3. Commit the configuration.
