SAML 2.0 Authentication

You can now use Security Assertion Markup Language (SAML) 2.0 to authenticate administrators who access the firewall or Panorama web interface and end users who access services or applications. In environments where each user accesses many services or applications and authenticating for each one would impede user productivity, you can configure SAML single sign-on (SSO) to enable one login to access multiple services and applications. Likewise, SAML single logout (SLO) enables a user to end sessions for multiple services and applications by logging out of just one session. You can use SAML authentication for services and applications that are external or internal to your organization.
SSO is available to administrators and to GlobalProtect and Captive Portal end users. SLO is available to administrators and GlobalProtect end users, but not to Captive Portal end users.
Administrators can use SAML to authenticate to the firewall or Panorama web interface, but not to the CLI.
SAML authentication requires a service provider (the firewall or Panorama), which controls access to services or applications, and an identity provider (IdP) such as PingFederate, which authenticates users. To configure SAML authentication, you must register the firewall or Panorama and the IdP with each other to enable communication between them. If the IdP provides a metadata file containing registration information, you can import it onto the firewall or Panorama to register the IdP and to create an IdP server profile. The server profile specifies the certificate that the IdP uses to sign SAML messages. You can also import a certificate for the firewall or Panorama to sign SAML messages. Using certificates is optional but recommended to secure communications between the firewall or Panorama and the IdP.
  1. (
    Recommended
    ) Obtain the certificate that the firewall will use to sign SAML messages that it sends to the IdP.
    If the certificate doesn’t specify key usage attributes, all usages are allowed by default, including signing messages. In this case, you can obtain the certificates by any method.
    If the certificate does specify key usage attributes, one of the attributes must be Digital Signature, which is not available on certificates that you generate on the firewall or Panorama. In this case, you must import the certificate from your enterprise certificate authority (CA) or a third-party CA.
  2. Select
    Device
    Server Profiles
    SAML Identity Provider
    and
    Import
    the metadata file that your IdP provided.
    When you import the metadata file, the firewall automatically creates a server profile and populates the connection, registration, and certificate information. The IdP uses the certificate to sign SAML messages that it sends to the firewall. You must manually configure the other server profile settings.
    SAML_IdP_server_profile_import.png
  3. Select
    Device
    Authentication Profile
    and
    Add
    an authentication profile to define authentication settings such as SAML SLO. Select the
    IdP Server Profile
    you configured and select the
    Certificate for Signing Requests
    . The firewall uses this certificate to sign SAML messages that it sends to the IdP.
    authentication_profile_saml.png
  4. Assign the authentication profile to firewall applications that require authentication.
    • Administrator accounts that you manage locally on the firewall. In this example, create a local administrator before you verify the SAML configuration later in this procedure.
    • Administrator accounts that you manage externally in the IdP identity store. Select
      Device
      Setup
      Management
      , edit the Authentication Settings, and select the
      Authentication Profile
      .
    • Authentication policy rules that secure the services and applications that Captive Portal end users access.
    • GlobalProtect portals and gateways that end users access.
  5. Commit
    your changes.
    The firewall validates the
    Identity Provider Certificate
    that you assigned to the SAML IdP server profile.
  6. Create a metadata file that you can use to register the firewall application with the IdP—Select
    Device
    Authentication Profile
    and click
    Metadata
    in the row of the authentication profile you configured.
    SAML_metadata_export.png
    Refer to your IdP documentation for the steps to import the metadata file onto the IdP server and register the firewall application.
  7. Verify that users can authenticate using SAML—As the administrator you created locally on the firewall, log in to the firewall web interface using the
    Use Single Sign-On
    option. After authenticating through the IdP, use the same administrator account to access another SSO application. If you can access the application without authenticating again (assuming Security policy allows access to that application), SSO authentication succeeded.

Related Documentation