All things Palo Alto Networks

    Reaper
    May 14, 2020

    Azure SAML with MFA for GlobalProtect

    in General discussion

    Let's see if we can get the ball rolling here: Has anyone ever set up SAML authentication for GlobalProtect, using Azure SSO with Azure 2FA (SMS text with OTP)? I've set up SAML and authenticating works, although I get a warning that the certificate isn't being verified, which brings me to my first problem: I've imported the SAML XML and it loads a certificate, but it's not a CA, which means I can't create a certificate profile for CRL/OCSP. My second issue is that 2FA isn't getting triggered in the Microsoft popup that is used for authentication. Has anyone set this up?

    6 answers, 3 replies
    0
    2
    superture
    Jun 08, 2020

    Second issue: there is no way to make 2FA mandatory as of today. Tried with the admin UI but had to scrap it because of this.

    1
    Reaper
    Jun 08, 2020

    We ended up rolling over to RADIUS as I wasn't having any success with SAML :)

    1
    cmazuranok
    Aug 20, 2020

    Hello,

    I've set up SAML with GP and Azure; SSO is with ADFS. That's working fine.

    Reaper
    Aug 20, 2020

    Cool! Would you be able to share details? Any gotchas or caveats?

    0
    cmazuranok
    Aug 21, 2020

    @Reaper Hi, I've documented it, but I have to make it anonymous; let me get back to you asap.

    0
    1
    Matt Gaudreau
    Aug 20, 2020

    How did we import the IdP configurations? I have never had any issues with GP and SAML. In the past I've always exported the metadata from Azure and used the 'Import' button on the IdP Server Profile on the firewall (not the 'Add' button). After uploading the configuration to the firewall you can use that IdP profile in an authentication profile. The SAML identifiers must be added in the Azure configuration.

    Here's the format of the SAML identifiers. Remember to replace publicIP_or_domain-name with the source address/name of the SAML request from the gateways and portals.

    https://<publicIP_or_domain-name>:443/SAML20/SP
    https://<publicIP_or_domain-name>:443/SAML20/SP/ACS

    As a troubleshooting step, you can uncheck the "verify IdP certificate" box in the IdP server profile... just be aware of CVE-2020-2021.

    Reaper
    Aug 20, 2020

    Were you able to get OTP/MFA working on the SAML authentication?

    0
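    The import step and the identifier format Matt describes above can be sanity-checked before anything is clicked in the firewall UI. The script below is an added example, not code from this thread, from Palo Alto Networks or from Microsoft: it parses an Azure-style IdP federation metadata file (a constructed sample with a placeholder tenant id and a placeholder byte string standing in for the DER certificate), pulls out the entity ID, the HTTP-Redirect sign-on URL and the SHA-256 fingerprint of the signing certificate, and builds the two SP identifiers in the format quoted above for a given firewall address. Azure AD's SAML signing certificate is self-signed by the tenant rather than issued by a CA, which is why it cannot back a CRL/OCSP certificate profile; the practical control is to keep IdP certificate verification on, pin the fingerprint the metadata carried at import time, and treat a fingerprint change as a rotation to confirm rather than silently accept. The function names and the `review_idp_profile` findings strings are this example's own.

```python
# Added example: check Azure AD IdP metadata and build GlobalProtect SP
# identifiers. Not from the thread or from any vendor; names are hypothetical.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for a DER certificate. Real Azure AD metadata carries
# the tenant's self-signed SAML signing certificate here.
SAMPLE_CERT_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()
TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id

# Constructed metadata in the shape Azure AD exports for an enterprise app.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decode_cert_b64(b64_text: str) -> bytes:
    # Metadata often wraps the base64 across lines; drop all whitespace first.
    return base64.b64decode("".join(b64_text.split()))


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what the firewall's IdP Server Profile needs from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata (e.g. the firewall's own export) has no IDPSSODescriptor;
        # importing that into the IdP profile is a common mix-up.
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # absent 'use' means both
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            fingerprints.append(sha256_hex(decode_cert_b64(cert.text)))
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT_BINDING:
            sso_url = svc.get("Location")
    return {
        "entity_id": root.get("entityID", ""),
        "sso_url": sso_url,
        "signing_cert_sha256": fingerprints,
    }


def review_idp_profile(info: dict, pinned_sha256: str = "") -> list:
    """Return findings a defender would want before enabling the profile."""
    findings = []
    if not info["entity_id"].startswith("https://"):
        findings.append("IdP entityID is not an https URL")
    if not info["sso_url"]:
        findings.append("no HTTP-Redirect SingleSignOnService in metadata")
    elif not info["sso_url"].startswith("https://"):
        findings.append("SSO URL is not https")
    if not info["signing_cert_sha256"]:
        findings.append("no signing certificate; the firewall cannot verify assertions")
    if pinned_sha256 and pinned_sha256.lower() not in info["signing_cert_sha256"]:
        findings.append("signing certificate differs from pinned fingerprint; confirm rotation")
    return findings


def sp_identifiers(public_ip_or_domain: str) -> dict:
    # Format quoted in the thread: these go into the Azure enterprise app's
    # Identifier (Entity ID) and Reply URL (ACS) fields.
    base = f"https://{public_ip_or_domain}:443/SAML20/SP"
    return {"entity_id": base, "acs_url": base + "/ACS"}


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entity ID :", info["entity_id"])
    print("SSO (redirect):", info["sso_url"])
    print("signing cert  :", info["signing_cert_sha256"])
    print("findings      :", review_idp_profile(info) or "none")
    print("SP identifiers:", sp_identifiers("vpn.example.com"))  # placeholder host
```

    Record the fingerprint the script prints alongside the imported profile; when Azure rotates the signing certificate, re-running it with `pinned_sha256` set to the recorded value flags the change before users start failing authentication.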
    1
    Darren Bisbey
    Sep 11, 2020

    We got SAML and Azure AD to work really well, but it populated all the usernames with email addresses and not their AD username, so it needed a little bit more work to fix, so it's off for now as other projects got in the way.

    1
    CarpeInferi
    Sep 11, 2020

    Came across this video walk-through of the setup process earlier this week.


    https://www.consigas.com/best-practices/authenticating-globalprotect-and-prisma-access-remote-access-users-against-office365-azure-ad
