To see this working, head to your live site.

Azure SAML with MFA for GlobalProtect

Let's see if we can get the ball rolling here: Has anyone ever set up SAML authentication for GlobalProtect, using Azure SSO with azure 2FA (sms text with otp) I've set up SAML and authenticating works although I get a warning the certificate isn't being verified which bring me to my first problem: I've imported the SAML XML and it loads a certificate, but it's not a CA which means I can't create a certificate profile for crl/ocsp My second issue is that 2FA isn't getting triggered in the Microsoft popup that is used for authentication. Has anyone set this up?

6 answers3 replies

Comments (9)

CarpeInferi

Sep 11, 2020

Came across this video walk through of the setup process earlier this week.

https://www.consigas.com/best-practices/authenticating-globalprotect-and-prisma-access-remote-access-users-against-office365-azure-ad

Darren Bisbey

Sep 11, 2020

We got SAML and Azure AD to work, really well but it populated all the usernames with email addresses and not their AD username, so needed a little bit more work to fix, so its off for now as other projects got in way

Matt Gaudreau

Aug 20, 2020

How did we import the IdP configurations? I have never had any issues with GP and SAML. In the past I've always exported the metadata from Azure and used the 'Import' button on the IdP Server Profile on the firewall (not the 'Add' button). After uploading the configuration to the firewall you can use that IdP profile in an authentication profile. The SAML identifiers must be added in the Azure configuration.

Here's the format of the SAML identifiers. Remeber to replace publicIP_or_domain-name with the source adddress/name of the SAML request from the gateways and portals. https://<publicIP_or_domain-name>:443/SAML20/SP https://<publicIP_or_domain-name>:443/SAML20/SP/ACS As a troubleshooting step, you can uncheck the verify IdP certificate box in the IdP server profile... just be aware of CVE-2020-2021