SAML Authentication Using Okta as IdP for Mobile Users

You can use Security Assertion Markup Language (SAML) 2.0 to authenticate GlobalProtect cloud service mobile users. When using SAML 2.0, the GlobalProtect portal and gateways act as SAML Service Provider (SP). You can use any vendor that supports SAML 2.0 as SAML identity provider (IdP).
Complete this task to configure SAML 2.0 in the GlobalProtect cloud service by using Okta as the IdP.
  1. Log in to Panorama and configure the SAML signing certificate that you want to use with SAML 2.0.
    You can either generate the SAML signing certificate used by the portal and gateways, or you can import it. Only a Panorama administrator or Superuser can generate or import this certificate.
    • To Generate a Certificate and export it:
      1. Select Device > Mobile_User_Template > Certificate Management > Certificates > Device Certificates.
        You can also create this certificate in another template, but you must include this certificate as part of the Mobile_User_Template_Stack to use it with the GlobalProtect portal and the gateways in the GlobalProtect cloud service.
      2. Click Generate.
      3. Select the certificate, then click Export Certificate.
      4. Export the certificate in PEM format.
        Do not select the Export private key check box.
    • To Import a Certificate:
      1. Select Device > Mobile_User_Template > Certificate Management > Certificates > Device Certificates.
        Be sure to include this certificate as part of the Mobile_User_Template_Stack.
      2. Click Import and enter a Certificate Name.
      3. Select the Shared check box.
      4. Enter the path and name of the Certificate File received from the CA, or Browse to find the file.
      5. Click OK.
  2. Log in to Okta as an administrator and create SAML 2.0 applications for the portal and gateways.
    To complete this step, you need to know the FQDNs of the portal and gateways. You can obtain the FQDNs in Panorama by selecting Panorama > Cloud Services > Status > Network Details and clicking the Mobile Users radio button. The FQDNs display in the Gateways area. Click More to see all gateways.
  3. Create a new application integration for the GlobalProtect portal. Specify the Platform Type as Web and the sign-on method as SAML 2.0 and click Create.
    1. Configure the following application integration options:
      • Single sign on URL—Enter https://<Portal-FQDN>:443/SAML20/SP/ACS
        Where <Portal-FQDN> is the FQDN for the GlobalProtect portal.
      • Use this for Recipient URL and Destination URL—Select this check box.
      • Allow this app to request other SSO URLs—Clear this check box.
      • Audience URI (SP Entity ID)—Enter https://<Portal-FQDN>:443/SAML20/SP.
      • Default RelayState—Leave blank.
      • Name ID format—Select EmailAddress.
      • Application username—Select Okta Username.
    2. Select Show Advanced Settings and configure these settings:
      • Allow application to initiate Single Logout—Select this check box.
      • Single Logout URL—Enter https://<Portal-FQDN>:443/SAML20/SP/SLO
        Where <Portal-FQDN> is the FQDN for the GlobalProtect portal.
      • SP Issuer—Enter the issuer for the service provider.
      • Signature Certificate—Browse to and then select the SAML signing certificate that you configured in Step 1, then click Upload Certificate.
    3. In the ATTRIBUTE STATEMENTS (OPTIONAL) area, specify users, Name formats, and values in Okta Expression Language.
      These fields reference, transform, and combine attributes to define the User-ID format that the Palo Alto Networks next-generation firewall uses. For example, specify a Name format of Basic and a Value of user.firstName.
    4. Optionally, in the Group Attribute Statements (Optional) area, create group attribute options.
      You can’t use group information that’s retrieved from the SAML assertion in either security policies or the agent client configuration in the portal and gateways. If you have a requirement to configure user group-based policies and configuration selections, you must Enable Group Mapping and retrieve the user group information from the LDAP server using Group Mapping Settings.
    5. Save the configuration.
  4. Create a new application integration for the GlobalProtect cloud service gateways.
    Specify the Platform Type as Web and the sign-on method as SAML 2.0 and click Create.
    1. Configure the following application options:
      • Single sign on URL—Enter https://<Cloud-Gateway-1-FQDN>:443/SAML20/SP/ACS
        Where <Cloud-Gateway-1-FQDN> is the FQDN for the GlobalProtect cloud service gateway that is closest to the majority of your mobile users.
        For example, if most of your mobile users are in Canada, enter the gateway with the name beginning ca-central.
      • Use this for Recipient URL and Destination URL—Select this check box.
      • Allow this app to request other SSO URLs—Select this check box and add the hostnames for all GlobalProtect cloud service gateways in the Requestable SSO URL fields (https://<Cloud-Gateway-1-FQDN>:443/SAML20/SP/ACS, https://<Cloud-Gateway-2-FQDN>:443/SAML20/SP/ACS, and so on).
      • Audience URI (SP Entity ID)—Enter the same gateway you specified for Single sign on URL (https://<Cloud-Gateway-1-FQDN>:443/SAML20/SP).
      • Default RelayState—Leave blank.
      • Name ID format—Select EmailAddress.
      • Application username—Select Okta Username.
    2. Select Show Advanced Settings and configure these settings:
      • Allow application to initiate Single Logout—Select this check box.
      • Single Logout URL—Enter https://<Cloud-Gateway-1-FQDN>:443/SAML20/SP/SLO
        Where <Cloud-Gateway-1-FQDN> is the FQDN for the GlobalProtect cloud service gateway that is the closest to the majority of your mobile users.
      • SP Issuer—Enter the issuer for the service provider.
      • Signature Certificate—Browse to and select the SAML signing certificate that you configured in Step 1, then click Upload Certificate.
    3. In the ATTRIBUTE STATEMENTS (OPTIONAL) area, specify users, Name formats, and values in Okta Expression Language.
      For example, specify a Name format of Basic and a Value of user.firstName.
    4. Optionally, in the Group Attribute Statements (Optional) area, create group attribute options.
      You can’t use group information that’s retrieved from the SAML assertion in either security policies or the agent client configuration in the portal and gateways. If you have a requirement to configure user group-based policies and configuration selections, you must Enable Group Mapping and retrieve the user group information from the LDAP server using Group Mapping Settings.
    5. Save the configuration.
  5. Complete the configuration of the SAML 2.0 web application in Okta and enable the users to use the application. Click View Setup Instructions for details.
  6. To download the metadata files for the portal and gateways, click Identity Provider metadata and copy that information.
  7. Import the metadata files for the portal and gateway to Panorama.
    1. In Panorama, select Device > Mobile_User_Template > Server Profiles > SAML Identity Provider.
    2. Import the portal file.
      To validate the IdP certificate, you must specify a Certificate Profile in any Authentication Profile that references the IdP server profile.
    3. Enter the path and name of the Identity Provider Metadata received from the CA, or Browse to find the file.
    4. Click OK.
    5. Import the metadata file for the gateways by repeating Step 7.b to Step 7.d.
      The SAML profiles display in the SAML Identity Provider window.
  8. Create new authentication profiles for the portal and gateways.
    1. Select Device > Mobile_User_Template > Authentication Profile.
    2. Click Add.
    3. Add an authentication profile for the portal. Specify a type of SAML, the portal server profile you created in Step 7, and the certificate you created in Step 1.
    4. Click OK.
    5. Create an authentication profile for the gateways, using Step 8.a to Step 8.d.
  9. Update the GlobalProtect portal and gateway to use the SAML authentication profile you just created.
  10. Click OK twice to close the configuration.
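The following is an added pre-flight script that is not part of this documentation and is not Palo Alto Networks or Okta code. It covers two points of the procedure: the Okta application settings in Steps 3 and 4 (the Single sign on URL, Audience URI, Single Logout URL and Requestable SSO URL fields must match the SP endpoints of the portal and of every gateway, and nothing else), and the IdP metadata imported in Step 7 (Panorama needs the entityID, the SSO locations and a signing certificate it can validate through a Certificate Profile). The hostnames, the metadata document and its certificate body are constructed placeholders; the dictionary keys that mirror the Okta form fields are this example's own naming, and the metadata layout is the standard SAML 2.0 metadata shape that Okta exports. It uses only the Python standard library.

```python
"""Pre-flight checks for an Okta <-> GlobalProtect SAML configuration.
Added example, not vendor code. All hostnames and sample data are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET


def sp_endpoints(fqdn: str) -> dict:
    """The SP endpoint layout the procedure uses for the portal and each gateway."""
    base = f"https://{fqdn}:443/SAML20/SP"
    return {"entity_id": base, "acs": base + "/ACS", "slo": base + "/SLO"}


def expected_app_settings(fqdns: list) -> dict:
    """Okta form values the procedure prescribes. fqdns[0] is the portal, or the
    gateway closest to most users; any further entries are the other gateways."""
    primary = sp_endpoints(fqdns[0])
    many = len(fqdns) > 1
    return {
        "sso_url": primary["acs"],
        "audience_uri": primary["entity_id"],
        "slo_url": primary["slo"],
        "allow_other_sso_urls": many,
        "requestable_sso_urls": [sp_endpoints(f)["acs"] for f in fqdns] if many else [],
    }


def check_okta_app(app: dict, fqdns: list) -> list:
    """Compare an Okta app's settings with the SPs it must serve.
    Returns human-readable problems; an empty list means the app matches."""
    primary = sp_endpoints(fqdns[0])
    problems = []
    if app.get("sso_url") != primary["acs"]:
        problems.append(f"Single sign on URL should be {primary['acs']}")
    if app.get("audience_uri") != primary["entity_id"]:
        problems.append(f"Audience URI should be {primary['entity_id']}")
    if app.get("slo_url") != primary["slo"]:
        problems.append(f"Single Logout URL should be {primary['slo']}")
    wanted = {sp_endpoints(f)["acs"] for f in fqdns}
    requestable = set(app.get("requestable_sso_urls", []))
    if len(fqdns) == 1:  # portal: one ACS, no other recipients may be requested
        if app.get("allow_other_sso_urls"):
            problems.append("Allow this app to request other SSO URLs must be cleared")
    else:  # gateways: every gateway ACS must be listed
        if not app.get("allow_other_sso_urls"):
            problems.append("Allow this app to request other SSO URLs must be selected")
        for url in sorted(wanted - requestable):
            problems.append(f"Requestable SSO URL missing: {url}")
    # An ACS outside the deployment would let assertions be delivered elsewhere.
    for url in sorted(requestable - wanted):
        problems.append(f"Requestable SSO URL is not a deployment gateway: {url}")
    return problems


NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, to match against the Certificate Profile."""
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SSO/SLO locations per binding and signing-cert fingerprints
    from IdP metadata; refuses metadata that carries no signing certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    info = {"entity_id": root.get("entityID"), "sso": {}, "slo": {}, "signing_certs": []}
    for tag, key in (("SingleSignOnService", "sso"), ("SingleLogoutService", "slo")):
        for svc in idp.findall(f"md:{tag}", NS):
            binding = (svc.get("Binding") or "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
            info[key][binding] = svc.get("Location")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            if not der.startswith(b"\x30"):  # X.509 certificates are a DER SEQUENCE
                raise ValueError("signing certificate is not DER-encoded X.509")
            info["signing_certs"].append(cert_fingerprint(der))
    if not info["signing_certs"]:
        raise ValueError("metadata has no signing certificate; assertion signatures could not be validated")
    return info


# Constructed sample data (placeholders, not real hosts or a real certificate).
PORTAL_FQDN = "portal.example.net"
GATEWAY_FQDNS = ["ca-central.gw.example.net", "us-east.gw.example.net"]
SAMPLE_CERT_DER = b"\x30\x03\x02\x01\x01"  # minimal DER SEQUENCE standing in for a cert
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk-placeholder">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/placeholder/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for label, fqdns in (("portal", [PORTAL_FQDN]), ("gateways", GATEWAY_FQDNS)):
        print(label, check_okta_app(expected_app_settings(fqdns), fqdns) or "OK")
    print(parse_idp_metadata(SAMPLE_IDP_METADATA))
```

Run it with your own portal and gateway FQDNs from Panorama > Cloud Services > Status > Network Details in place of the placeholders, and feed `parse_idp_metadata` the file downloaded in Step 6; the reported fingerprint is what the Certificate Profile referenced by the authentication profile must trust, and a Requestable SSO URL that is not one of your gateways is reported as a problem rather than silently accepted.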
