Let's see if we can get the ball rolling here: Has anyone ever set up SAML authentication for GlobalProtect, using Azure SSO with azure 2FA (sms text with otp) I've set up SAML and authenticating works although I get a warning the certificate isn't being verified which bring me to my first problem: I've imported the SAML XML and it loads a certificate, but it's not a CA which means I can't create a certificate profile for crl/ocsp My second issue is that 2FA isn't getting triggered in the Microsoft popup that is used for authentication. Has anyone set this up?
All things Palo Alto Networks

Second issue, there is no way to make 2FA mandatory as of today. Tried with admin ui but had to scrap because of this..
We ended up rolling over to radius as I wasn't having any succes with SAML :)
Hello,
I've set up SAML with GP and Azure, SSO is with ADFS. that's working fine.
Cool! Would you be able to share details? Any gotchas or caveats?
@Reaper HI, I've documented it, but I have to make it anonymous, let me back asap
How did we import the IdP configurations? I have never had any issues with GP and SAML. In the past I've always exported the metadata from Azure and used the 'Import' button on the IdP Server Profile on the firewall (not the 'Add' button). After uploading the configuration to the firewall you can use that IdP profile in an authentication profile. The SAML identifiers must be added in the Azure configuration.
Here's the format of the SAML identifiers. Remeber to replace publicIP_or_domain-name with the source adddress/name of the SAML request from the gateways and portals. https://<publicIP_or_domain-name>:443/SAML20/SP https://<publicIP_or_domain-name>:443/SAML20/SP/ACS As a troubleshooting step, you can uncheck the verify IdP certificate box in the IdP server profile... just be aware of CVE-2020-2021
Were you able to get OTP/MFA working on the SAML authentication?
We got SAML and Azure AD to work, really well but it populated all the usernames with email addresses and not their AD username, so needed a little bit more work to fix, so its off for now as other projects got in way
Came across this video walk through of the setup process earlier this week.
https://www.consigas.com/best-practices/authenticating-globalprotect-and-prisma-access-remote-access-users-against-office365-azure-ad