Azure SAML with MFA for GlobalProtect

Came across this video walk through of the setup process earlier this week.

https://www.consigas.com/best-practices/authenticating-globalprotect-and-prisma-access-remote-access-users-against-office365-azure-ad

We got SAML and Azure AD to work, really well but it populated all the usernames with email addresses and not their AD username, so needed a little bit more work to fix, so its off for now as other projects got in way

How did we import the IdP configurations? I have never had any issues with GP and SAML. In the past I've always exported the metadata from Azure and used the 'Import' button on the IdP Server Profile on the firewall (not the 'Add' button). After uploading the configuration to the firewall you can use that IdP profile in an authentication profile. The SAML identifiers must be added in the Azure configuration.

Here's the format of the SAML identifiers. Remeber to replace publicIP_or_domain-name with the source adddress/name of the SAML request from the gateways and portals. https://<publicIP_or_domain-name>:443/SAML20/SP https://<publicIP_or_domain-name>:443/SAML20/SP/ACS As a troubleshooting step, you can uncheck the verify IdP certificate box in the IdP server profile... just be aware of CVE-2020-2021

Hello,

I've set up SAML with GP and Azure, SSO is with ADFS. that's working fine.

We ended up rolling over to radius as I wasn't having any succes with SAML :)

Second issue, there is no way to make 2FA mandatory as of today. Tried with admin ui but had to scrap because of this..