Configure VPN Reverse Proxy for SaaS Security

You can use GlobalProtect cloud service to control access to your network from mobile users’ unsanctioned devices. This configuration uses the Aperture feature of SAML redirection by proxy instead of directly exposing the SaaS app or your network, removing all possible vulnerabilities to data exfiltration and malware propagation. Configuring this feature in Aperture and in GlobalProtect cloud service allows you to control unsanctioned and mobile user-owned device access to your network and redirects device traffic to GlobalProtect cloud service for inspection without putting your network or data at risk.
This feature requires the use of Palo Alto Networks Aperture integrated with a Secure Assertion Markup Language (SAML) provider.
The following example uses Okta as the SAML provider. Palo Alto Networks has tested this feature with Okta, ADFS, Azure AD, Ping One, and Shibboleth. Note that Office 365 with Azure AD as the IdP is currently not supported.
To configure this feature, complete the following task.
This task describes in detail the GlobalProtect cloud service-specific steps and provides only summary steps for the Aperture and Okta part of the configuration. For detailed steps to configure the app integration with Aperture and Okta, see Add Unsanctioned Device Access Control to Aperture in the Aperture Administrator’s Guide.
  1. Log in to Okta and create two apps:
    • Create one app for Aperture.
    • Create one app for the SaaS app that you want mobile users to access from their unsanctioned devices.
  2. Get the sign-in URL and certificate in Okta.
    You need the URL to direct users to sign in and use the app you created and you need the certificate to validate SAML signatures when using single sign-on (SSO).
  3. In Aperture, add Okta as an Identity Provider (IdP), using the URLs you received from Okta.
  4. Configure a service provider in Aperture.
  5. Make a note of the Gateway Settings and download the Identity Provider Certificate in Aperture.
    1. In Aperture, select SettingsUnmanaged Device Access ControlSAML Proxy.
    2. In the Identity Provider Settings area, select ActionsEdit.
    3. Download and save the Identity Provider Certificate.
    4. Make a note of the IDP Entity ID. IDP SSO URL, and IDP SLO URL.
      You use these fields when you configure SAML Authentication in Panorama in Step 8.
      Also make a note of the IDP SOAP URL and Assertion Consumer Service URL fields; you might need those fields when you configure SAML in the SaaS app for which you want to provide access in Step 12.
      saml-aperture-config-details.png
    5. Click Cancel after you’re retrieved the configuration details.
  6. Log in to Panorama and make a note of the GlobalProtect cloud service API key and portal name.
    • API key—Select PanoramaCloud ServicesConfiguration, click the Service Setup tab in the GlobalProtect Cloud Service area, then select Generate API Key and make a note of the Current Key.
      If there is no key, click Generate New API Key to create one.
      generate-api-key.png
    • Portal name—Select PanoramaCloud ServicesConfigurationMobile Users and make a note of the Hostname that is used for the GlobalProtect cloud service portal.
  7. In Aperture, add the GlobalProtect cloud service as a gateway.
    1. Select SettingsUnmanaged Device Access ControlSAML Proxy.
    2. Select GatewaysAdd Gateway GPCS.
    3. Enter the Portal name from GlobalProtect cloud service in the GPCS Gateway URL field.
    4. Enter the API key in the GPCS API Key field.
  8. In Panorama, set up SAML authentication.
    1. Select DeviceServer ProfilesSAML Identity Provider.
    2. Add an identity provider and give it a Name.
    3. Add the following you retrieved from Aperture in Step 5:
      • Identity Provider ID—Enter the IDP Entity ID from Aperture.
      • Identity Provider CertificateImport the Identity Provider Certificate you downloaded from Aperture.
        saml-aperture-import-certificate.png
      • Identity Provider SSO URL—Enter the IDP SSO URL from Aperture.
      • Identity Provider SLO URL—Enter the IDP SLO URL from Aperture.
      • SAML HTTP Binding for SSO Requests to IDP—Select Redirect.
      saml-identity-provider-okta-ssl.png
  9. Add a SAML authentication profile, specifying the SAML identify profile you just created.
    1. Select DeviceAuthentication Profile.
    2. Add a new authentication profile.
    3. Select a type of SAML and select the IdP Server Profile that you created.
    4. Be sure that Enable Single Logout is deselected.
      Single logout is not supported with this feature.
      saml-auth-profile-proxy.png
  10. Apply the authentication profile to the GlobalProtect cloud service portal.
    1. Select NetworkGlobalProtectPortals.
    2. Select the GlobalProtect_Portal.
    3. Click Authentication.
    4. Add a client authentication profile, specifying the Authentication Profile you just created.
      saml-auth-proxy-specify-auth-profile.png
  11. Make sure that you have enabled Clientless VPN by clicking the Clientless VPN tab and making sure that you have selected Clientless VPN.
    clientless-vpn-enable.png
  12. Enable SSO on the SaaS app for which you want to provide access.
    1. In the SaaS app, import the Identity Provider Certificate you downloaded from Aperture.
    2. Enter the IDP Entity ID, Identity Provider SSO URL, IDP SLO URL, and if applicable, IDP SOAP URL and Assertion Consumer Service URL you copied from Aperture in Step 5.

Related Documentation