The firewall and Panorama can use external servers to
control administrative access to the web interface and end user
access to services or applications through Authentication Portal
and GlobalProtect. In this context, any authentication service that
is not local to the firewall or Panorama is considered external,
regardless of whether the service is internal (such as Kerberos)
or external (such as a SAML identity provider) relative to your
network. The server types that the firewall and Panorama can integrate
with include Multi-Factor
Authentication (MFA), SAML, Kerberos, TACACS+, RADIUS,
and LDAP. Although
you can also use the Local
Authentication services that the firewall and Panorama support,
usually external services are preferable because they provide:
Central management of all user accounts in an external
identity store. All the supported external services provide this
option for end users and administrators.
Central management of account authorization (role and access
domain assignments). SAML, TACACS+, and RADIUS support this option
Single sign-on (SSO), which enables users to authenticate
only once for access to multiple services and applications. SAML
and Kerberos support SSO.
Multiple authentication challenges of different types (factors)
to protect your most sensitive services and applications. MFA services
support this option.
Authentication through an external service requires a server
profile that defines how the firewall connects to the service. You
assign the server profile to authentication profiles, which define
settings that you customize for each application and set of users.
For example, you can configure one authentication profile for administrators
who access the web interface and another profile for end users who
access a GlobalProtect portal. For details, see Configure
an Authentication Profile and Sequence.