Pre-Logon for SAML Authentication
Learn how to configure remote access VPN with pre-logon and set up SAML authentication.

| Where Can I Use This? | What Do I Need? |
|---|---|
| GlobalProtect Subscription | GlobalProtect App 5.0 with PAN-OS 8.0 and later releases; macOS 10.9 and later releases; Windows 7 and 10; GlobalProtect endpoints running on Windows and macOS |

Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The GlobalProtect app for Windows and Mac endpoints now supports pre-logon followed by SAML authentication for user login. When an endpoint boots up and Internet is readily available, GlobalProtect establishes a pre-logon tunnel using the machine certificate on the endpoint. After the pre-logon tunnel is established, the user can log in to the endpoint and authenticate to GlobalProtect using the configured SAML identity provider (IDP). If SAML authentication is successful on Windows endpoints, the pre-logon tunnel is seamlessly renamed to User tunnel, and the GlobalProtect connection is established. If SAML authentication is successful on Mac endpoints, a new tunnel is created, and the GlobalProtect connection is established.

A pre-logon VPN tunnel has no username association because the user has not logged in. In order to grant access to resources, it is necessary to establish security policies that are compatible with the pre-logon user. These policies should permit access to essential services required for system startup, such as DHCP, DNS, specific Active Directory services, antivirus, and operating system update services. After the user authenticates to the gateway, the GlobalProtect app reassigns the VPN tunnel to the authenticated user, resulting in a change in the IP address mapping on the firewall from the pre-logon endpoint to the authenticated user.

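One way to check that allow rules for the pre-logon user stay limited to startup services, as an added example that is not part of the original page or Palo Alto Networks' own code: it audits a security rulebase snippet in PAN-OS XML form. The sample rules, the rule and address-object names, and the `ESSENTIAL_APPS` allowlist are constructed assumptions to adapt to your environment.

```python
import xml.etree.ElementTree as ET

# Assumed allowlist of App-IDs for the startup services the page names;
# adapt it to what your endpoints need before a user logs in.
ESSENTIAL_APPS = {"dhcp", "dns", "ldap", "kerberos", "ms-update"}

# Constructed sample shaped like an exported PAN-OS security rulebase.
SAMPLE_RULEBASE = """
<rules>
  <entry name="prelogon-startup">
    <source-user><member>pre-logon</member></source-user>
    <destination><member>dc-servers</member></destination>
    <application><member>dns</member><member>ldap</member></application>
    <action>allow</action>
  </entry>
  <entry name="prelogon-legacy">
    <source-user><member>pre-logon</member></source-user>
    <destination><member>any</member></destination>
    <application><member>any</member></application>
    <action>allow</action>
  </entry>
</rules>
"""

def members(entry, tag):
    """Return the set of <member> values under entry/<tag>."""
    return {m.text.strip() for m in entry.findall(f"{tag}/member") if m.text}

def audit_prelogon_rules(xml_text, allowed_apps=ESSENTIAL_APPS):
    """Map rule name -> findings for allow rules that name the pre-logon user."""
    findings = {}
    for entry in ET.fromstring(xml_text).iter("entry"):
        if "pre-logon" not in members(entry, "source-user"):
            continue  # rule does not name the pre-logon user
        if (entry.findtext("action") or "").strip() != "allow":
            continue  # only allow rules widen pre-logon access
        issues = []
        apps = members(entry, "application")
        if "any" in apps:
            issues.append("application is any")
        elif apps - allowed_apps:
            issues.append("non-essential apps: " + ", ".join(sorted(apps - allowed_apps)))
        if "any" in members(entry, "destination"):
            issues.append("destination is any")
        if issues:
            findings[entry.get("name")] = issues
    return findings

if __name__ == "__main__":
    print(audit_prelogon_rules(SAMPLE_RULEBASE))
```
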
Use the following steps to configure the GlobalProtect app to use pre-logon followed by SAML authentication for user login:
- Remote Access VPN with Pre-Logon
- Set Up SAML Authentication