You can use Security Assertion Markup Language (SAML)
2.0 to authenticate administrators who access the firewall or Panorama
web interface and end users who access web applications that are
internal or external to your organization. In environments where
each user accesses many applications and authenticating for each
one would impede user productivity, you can configure SAML single
sign-on (SSO) to enable one login to access multiple applications.
Likewise, SAML single logout (SLO) enables a user to end sessions
for multiple applications by logging out of just one session. SSO
is available to administrators who access the web interface and
to end users who access applications through GlobalProtect or Captive
Portal. SLO is available to administrators and GlobalProtect end
users, but not to Captive Portal end users. When you configure SAML
authentication on the firewall or on Panorama, you can specify SAML attributes
for administrator authorization. SAML attributes enable you to quickly
change the roles, access domains, and user groups of administrators
through your directory service, which is often easier than reconfiguring
settings on the firewall or Panorama.
Administrators cannot use SAML to authenticate to the CLI
on the firewall or Panorama.
You cannot use SAML authentication
profiles in authentication sequences.
SAML authentication requires a service provider (the
firewall or Panorama), which controls access to applications, and
an identity provider (IdP) such as PingFederate, which
authenticates users. When a user requests a service or application,
the firewall or Panorama intercepts the request and redirects the
user to the IdP for authentication. The IdP then authenticates the
user and returns a SAML assertion, which indicates
authentication succeeded or failed. SAML
Authentication for Captive Portal End Users illustrates SAML
authentication for an end user who accesses applications through
Captive Portal.