User authentication functions are performed by external
LDAP, Kerberos, TACACS+, SAML, or RADIUS services (including support
for two-factor, token-based authentication mechanisms, such as one-time
password (OTP) authentication). To enable external authentication:
1. Create a server profile with settings for access to the
   external authentication service.
2. Create an authentication profile that refers to the server
   profile.
3. Specify client authentication in the portal and gateway configurations
   and optionally specify the OS of the endpoint that will use these settings.
If you configure the portal or gateway to authenticate
users through SAML authentication, users running GlobalProtect app
4.1.8 or an earlier release will not have the option to Sign Out
of the app if you disable single logout (SLO). Users
running GlobalProtect app 4.1.9 or a later release will have the
option to Sign Out of the app regardless
of whether SLO is enabled or disabled.

If you configure the
portal or gateway to authenticate users through Kerberos authentication,
users will not have the option to Sign Out of
the GlobalProtect app if they authenticate successfully using this
authentication method.

If you do not allow the GlobalProtect
app to Save User Credentials
(Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > Authentication),
users will not have the option to Sign Out of the app
if they authenticate successfully using LDAP, TACACS+, or RADIUS
authentication.