Learn how to set up SAML authentication for GlobalProtect users using the Cloud Authentication Service.
Software Support: Starting with GlobalProtect™ app 6.0 running on the PAN-OS 10.1.0 release
OS Support: Linux (requires XML file changes), Windows (requires Windows Installer [Msiexec] setting changes), macOS (requires property list [plist] changes), iOS (requires MDM setting changes), and Android (requires MDM setting changes)
Browser Support: Windows (Chrome, Edge, Internet Explorer, and Firefox), macOS (Safari, Chrome, and Firefox), Android (Chrome), iOS (Safari), and Linux (Firefox and Chrome). You must use the default system browser with this feature; the embedded browser is not supported.
If you have configured the GlobalProtect portal to authenticate end users through Security Assertion Markup Language (SAML) authentication, you can now integrate the Cloud Authentication Service as a cloud-based service that lets end users connect to the GlobalProtect app through SAML-based Identity Providers (IdPs) such as Onelogin or Okta without requiring them to re-enter their credentials, for a seamless single sign-on (SSO) experience. End users benefit from using the default system browser for SAML authentication with the Cloud Authentication Service because the credentials already saved in that browser (Chrome, Firefox, or Safari) are reused for the GlobalProtect login.
If the Enforcer is enabled, you must configure exclusions for the IP addresses or fully qualified domain names contained in the URLs of the SAML IdPs configured for the portal and gateway. Enter them in the Allow traffic to specified FQDN when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established app setting in the App Configurations area of the GlobalProtect portal; otherwise the Enforcer blocks the SAML redirect before the connection is established and the login cannot complete.
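The following is an added example, not code from the GlobalProtect documentation or from Palo Alto Networks. It shows how an administrator can derive the Enforcer exclusion list from the IdP URLs configured for the portal and gateway, and how to check whether a given redirect target would be reachable while the GlobalProtect connection is not yet established. All IdP hostnames and URLs in it are constructed sample values, and the allow/deny logic is a simplified model of the exclusion behaviour described above (exact hostname match, port ignored), not the app's own implementation.

```python
"""Derive Enforcer exclusions from configured SAML IdP URLs and check a
redirect chain against them.

Added example; not part of the GlobalProtect documentation or product code.
Every hostname and URL below is a constructed sample value.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample IdP URLs as they might be configured on the portal and
# gateway. One entry is an IP literal with a port, one is a duplicate, so the
# helpers below must handle both.
SAMPLE_IDP_URLS = [
    "https://example-tenant.okta.example/app/sso/saml",
    "https://example-tenant.onelogin.example/trust/saml2/http-post/sso/12345",
    "https://192.0.2.10:8443/idp/profile/SAML2/Redirect/SSO",
    "https://example-tenant.okta.example/app/sso/saml",  # duplicate on purpose
]


def exclusion_hosts(idp_urls):
    """Return the sorted, de-duplicated FQDNs / IP literals that must be
    entered as Enforcer exclusions so the SAML redirect can reach each IdP
    before the tunnel is up. Ports and paths are dropped: the exclusion is
    keyed on the host only."""
    hosts = set()
    for url in idp_urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"not a usable IdP URL: {url!r}")
        hosts.add(parts.hostname.lower())
    return sorted(hosts)


def is_ip_literal(host):
    """True if the exclusion entry is an IP address rather than an FQDN."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def enforcer_permits(redirect_url, allowed_hosts):
    """Simplified model of the Enforcer decision while GlobalProtect is not
    connected: only traffic to an excluded host is allowed. Exact hostname
    match, case-insensitive, port ignored (an assumption of this example)."""
    host = urlsplit(redirect_url).hostname
    return host is not None and host.lower() in set(allowed_hosts)


def first_blocked(chain, allowed_hosts):
    """Walk the redirect targets the browser would be sent to during SAML
    login and return the first URL the Enforcer would block, or None if the
    whole chain is reachable."""
    for url in chain:
        if not enforcer_permits(url, allowed_hosts):
            return url
    return None


if __name__ == "__main__":
    allowed = exclusion_hosts(SAMPLE_IDP_URLS)
    for h in allowed:
        print(f"exclude {h} ({'IP' if is_ip_literal(h) else 'FQDN'})")
    # Constructed redirect chain: the second hop goes to an IdP host that was
    # never added to the exclusions, so the login would stall there.
    chain = [
        "https://example-tenant.okta.example/app/sso/saml?SAMLRequest=...",
        "https://login.missing-idp.example/sso",
    ]
    print("first blocked hop:", first_blocked(chain, allowed))
```

Run it against the real portal and gateway IdP URLs to produce the list of hosts to enter in the app setting; any URL reported by `first_blocked` is a hop the SAML login would never reach until its host is excluded.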
When the end user attempts to authenticate, the authentication request redirects to the Cloud Authentication Service, which redirects the request to the IdP. After the IdP authenticates the end user, the firewall maps the user and applies the security policy.
By using a cloud-based solution, you can reallocate the resources required for authentication from the firewall or Panorama to the cloud. The Cloud Authentication Service also enables you to configure the authentication source once instead of for each authentication method, such as GlobalProtect authentication.