End-of-Life (EoL)

External Authentication

User authentication functions are performed by external LDAP, Kerberos, TACACS+, SAML, or RADIUS services (including support for two-factor, token-based authentication mechanisms, such as one-time password (OTP) authentication). To enable external authentication:
  • Create a server profile with settings for access to the external authentication service.
  • Create an authentication profile that refers to the server profile.
  • Specify client authentication in the portal and gateway configurations and optionally specify the OS of the endpoint that will use these settings.
You can use different authentication profiles for each GlobalProtect component. See Set Up External Authentication for instructions. See Remote Access VPN (Authentication Profile) for an example configuration.
If you configure the portal or gateway to authenticate users through SAML authentication, users running GlobalProtect app 4.1.8 or an earlier release will not have the option to Sign Out of the app if you disable single logout (SLO). Users running GlobalProtect app 4.1.9 or a later release will have the option to Sign Out of the app regardless of whether SLO is enabled or disabled.
If you configure the portal or gateway to authenticate users through Kerberos authentication, users will not have the option to Sign Out of the GlobalProtect app if they authenticate successfully using this authentication method.
If you do not allow the GlobalProtect app to Save User Credentials (Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > Authentication), users will not have the option to Sign Out of the app if they authenticate successfully using LDAP, TACACS+, or RADIUS authentication.