Pre-Logon for SAML Authentication
Learn how to configure remote access VPN with pre-logon and set up SAML
authentication.
Where Can I Use This?
- GlobalProtect Subscription

What Do I Need?
- GlobalProtect App 5.0 with PAN-OS 8.0 and later releases
- macOS 10.9 and later releases
- Windows 7 and 10
- GlobalProtect endpoints running on Windows and macOS
Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The GlobalProtect app for Windows and Mac endpoints now supports pre-logon followed by SAML authentication for user login. When an endpoint boots up and an Internet connection is available, GlobalProtect establishes a pre-logon tunnel using the machine certificate on the endpoint. After the pre-logon tunnel is established, the user can log in to the endpoint and authenticate to GlobalProtect using the configured SAML identity provider (IdP). If SAML authentication succeeds on a Windows endpoint, the pre-logon tunnel is seamlessly renamed to a user tunnel, and the GlobalProtect connection is established. If SAML authentication succeeds on a Mac endpoint, a new tunnel is created, and the GlobalProtect connection is established.
A pre-logon VPN tunnel has no username associated with it because the user has not logged in yet. To grant the pre-logon tunnel access to resources, you must create security policy rules that match the pre-logon user. These rules should permit access only to the essential services required for system startup, such as DHCP, DNS, specific Active Directory services, antivirus, and operating system update services. After the user authenticates to the gateway, the GlobalProtect app reassigns the VPN tunnel to the authenticated user, which changes the IP address-to-user mapping on the firewall from the pre-logon endpoint to the authenticated user.
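The two security policy rules this paragraph describes, written as PAN-OS CLI `set` commands; this is an added example, not configuration from the GlobalProtect documentation. The zone names (vpn-users, dc-services, corp-internal) and rule names are assumptions for this example, lines beginning with `#` are annotations rather than CLI input, and the App-IDs listed are the standard PAN-OS names for the startup services the text mentions.

```text
configure

# Rule 1: the pre-logon tunnel carries no user identity, so the firewall matches the
# source user "pre-logon". Allow only what an endpoint needs to boot and reach the
# domain, because anything permitted here is reachable before anyone has signed in.
set rulebase security rules GP-Pre-Logon-Services from vpn-users to dc-services
set rulebase security rules GP-Pre-Logon-Services source any destination any
set rulebase security rules GP-Pre-Logon-Services source-user pre-logon
set rulebase security rules GP-Pre-Logon-Services application [ dhcp dns kerberos ldap ms-ds-smb msrpc ms-update ]
set rulebase security rules GP-Pre-Logon-Services service application-default
set rulebase security rules GP-Pre-Logon-Services action allow
set rulebase security rules GP-Pre-Logon-Services log-end yes

# Rule 2: after SAML login the app reassigns the tunnel and the firewall's IP-to-user
# mapping for the endpoint's VPN address changes from pre-logon to the authenticated
# user, so the same source IP now matches "known-user" and gains the broader access.
set rulebase security rules GP-Authenticated-Users from vpn-users to corp-internal
set rulebase security rules GP-Authenticated-Users source any destination any
set rulebase security rules GP-Authenticated-Users source-user known-user
set rulebase security rules GP-Authenticated-Users application any
set rulebase security rules GP-Authenticated-Users service application-default
set rulebase security rules GP-Authenticated-Users action allow
set rulebase security rules GP-Authenticated-Users log-end yes

commit
```

To confirm the reassignment on the gateway, `show user ip-user-mapping all` should list the endpoint's tunnel address mapped to the authenticated user rather than to pre-logon once the SAML login completes.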
Use the following steps to configure the GlobalProtect app to use pre-logon followed by
SAML authentication for user login:
- Remote Access VPN with Pre-Logon
- Set Up SAML Authentication