SAML 2.0 Authentication for GlobalProtect

GlobalProtect portals, gateways, and clients now support SAML 2.0 Authentication. If you have chosen SAML as your authentication standard, GlobalProtect portals and gateways can act as a Security Assertion Markup Language (SAML) 2.0 service provider and GlobalProtect clients can authenticate users directly to the SAML identity provider. You can configure SAML authentication for user authentication to GlobalProtect gateways or to the GlobalProtect portal, or both.
  1. Configure SAML 2.0 Authentication on the PAN-OS firewall that hosts the portal or gateway.
    • Create a server profile with settings for access to the SAML 2.0 authentication service.
    • Create an authentication profile that refers to the SAML server profile.
  2. Configure SAML authentication for the GlobalProtect gateway.
    1. Specify SAML authentication for gateway users:
      • Select Authentication Profile and add the SAML authentication profile you created in step 1. This profile is used to authenticate an endpoint seeking access to the gateway.
        For iOS clients, SAML authentication is only supported when the Connect Method is configured for On-demand (Manual user initiated connection).
      • Enter an Authentication Message to help end users understand which credentials to use when logging in. The message can be up to 100 characters in length (the default is "Enter login credentials").
    2. (Optional) Select a Certificate Profile to use for client authentication to the gateway. For the certificate profile you select, make sure the Username Field in the certificate profile is set to None.
      (Screenshot: saml-cert-profile.png)
  3. Configure SAML authentication for the GlobalProtect portal.
    1. Specify SAML authentication for the client:
      • Select Authentication Profile and add a SAML authentication profile. You can use the same profile you created in step 1 or create a new SAML profile for the portal. This profile is used to authenticate an endpoint seeking access to the portal.
      • Enter an Authentication Message to help end users understand which credentials to use when logging in. The message can be up to 100 characters in length (the default is "Enter login credentials").
    2. (Optional) Select a Certificate Profile to use for client authentication to the portal. For the certificate profile you select, make sure the Username Field in the certificate profile is set to None.
      (Screenshot: saml-cert-profile.png)