You can use Security Assertion Markup Language (SAML)
2.0 to authenticate administrators who access the firewall or Panorama
web interface and end users who access web applications that are
internal or external to your organization. In environments where
each user accesses many applications and authenticating for each
one would impede user productivity, you can configure SAML single
sign-on (SSO) to enable one login to access multiple applications.
Likewise, SAML single logout (SLO) enables a user to end sessions
for multiple applications by logging out of just one session. SSO
is available to administrators who access the web interface and
to end users who access applications through GlobalProtect or Authentication
Portal. SLO is available to administrators and GlobalProtect end
users, but not to Authentication Portal end users. When you configure
SAML authentication on the firewall or on Panorama, you can specify SAML
attributes for administrator authorization. SAML attributes enable you to quickly change
the roles, access domains, and user groups of administrators through
your directory service, which is often easier than reconfiguring
settings on the firewall or Panorama.
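
The following added example (not part of the original documentation or any vendor tooling) shows a pre-deployment check over a test assertion from your IdP: it reads the SAML attributes that would drive administrator authorization and reports any that are missing or ambiguous. The attribute names `adminrole`, `accessdomain` and `usergroup`, the rule that both role and access domain must be present, and the sample assertion are assumptions made for this illustration; use the names your authentication profile and IdP agree on.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed attribute names (hypothetical); match them to your own configuration.
ROLE_ATTR, DOMAIN_ATTR, GROUP_ATTR = "adminrole", "accessdomain", "usergroup"

# Constructed sample: the AttributeStatement of a test assertion (signature omitted).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="adminrole">
      <saml:AttributeValue>readonly-auditor</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="usergroup">
      <saml:AttributeValue>netops</saml:AttributeValue>
      <saml:AttributeValue>secops</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def read_attributes(assertion_xml):
    """Return {attribute name: [non-empty values]} from every AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs


def check_admin_attributes(assertion_xml):
    """Return (authorization view, findings) for a test assertion."""
    attrs = read_attributes(assertion_xml)
    findings = []
    roles = attrs.get(ROLE_ATTR, [])
    # Assumption of this check: exactly one role value per administrator.
    if len(roles) != 1:
        findings.append(f"{ROLE_ATTR}: expected exactly one value, got {len(roles)}")
    # Assumption of this check: an access domain must always be sent.
    if DOMAIN_ATTR not in attrs:
        findings.append(f"{DOMAIN_ATTR}: not sent by the IdP")
    authz = {"role": roles[0] if len(roles) == 1 else None,
             "access_domains": attrs.get(DOMAIN_ATTR, []),
             "groups": attrs.get(GROUP_ATTR, [])}
    return authz, findings


if __name__ == "__main__":
    print(check_admin_attributes(SAMPLE))
```

Run it only against assertions you captured yourself during testing; it inspects attributes and does not validate the assertion signature.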