Palo Alto Networks GlobalProtect VPN using Microsoft Azure AD & SAML

Very good and how did you enable it, we are not getting it here. Thank you!

Can you help me with this, which settings in the AAD and GP gateway worked for you?

It's a subscription tier within Azure AD, Premium P2. It's going to be part of most organizational plans already so I didn't go into enabling it, but you can find out more about it here: azure.microsoft.com/en-us/pricing/details/active-directory/

Check to see if the user name provided matches the user attributes and group members that you are looking for. GlobalProtect uses the "@" as a domain distinguisher so kelly@learningforfun.net will show up as learningforfun.net\kelly.
Four quick commands to check:
less mp-log sslvpn-access/sslvpn-access.log
#from here you can see the user-id that the web-server process was seeing along.
show user ip-user-mapping all
#see what the user is registered with GP as currently.
show user user-attributes user all
# This will show you the user attributes such as alternatives to how the user name shows up
show user group name [DOMAIN NAME]
This will show you the group members to verify that they match one of the user attributes. Example:
show user group name "learningforfun
emote users"

Yep, you can add additional entries under the Single sign-on area. Put each SP in the Identifier area and the ACS in the Reply URL and your good to go.

Yes you can. That's what it defaults to for the basic access I believe when you onboard accounts. Just scan the QR code in the Authenticator app and you are off and running.

this is my doubt too, here we are only getting SSO but I want to put the Authenticator as MFA

@@gustavoassi1016 I'd guess conditional policy toward the azure gp app and then force sso on it

@@learningforfuntoday ... would be GREAT to see a video on MFA with authenticator and Azure

Should be up and finished by the 2nd of December.

Absolutely, by default it's enabled for accounts using the free tier of Azure AD.

@@learningforfuntoday Yes, MFA is enabled for the account in AAD, but in global protect it does not ask for validation in the Autenthicator, we integrate the GP gateway with AAD via SAML, it does SSO but not MFA.

Yes, you would edit the :443 to match the port (e.g. :5443). This info is to let the provider know where the client is being redirect from and where to redirect them back to after they successfully get a SAML assertion message.

During the transition from prelogon to the user session you'll see the details of the attempt in the Azure App log. Same as if they were connecting from the app from the desktop. If you aren't seeing anything I'd check your tunnel transition timer setting.

Hi, I tested this morning and was able to upload and use sub-domain wildcard cert (e.g. *.learningforfun.net). I would recommend caution to using wildcard cert for signing on production apps, just something to consider.

@@learningforfuntoday thanks! I appreciate you testing that!! I’m not sure what work around options I have. We want to have two gateways (primary and backup). Primary on ISP1and backup on ISP2, with different URLs (as we don’t have DNS failover). Since we are “validating” with the certificate via the SAML IDP on the Palo. This way we can have both gateways with different URLs. We leverage the conditional access on the GlobalProtect VPN app in Azure for MFA. I thought choosing the validate option was “best practice” to make it more secure. Maybe I’m wrong….

@@davec544 Validating is absolutely the best practice. The certificate that's signing the SAML assertion is just a name (something friendly, I tend to name it after the app purpose) that the Palo will need to trust. This doesn't need (and shouldn't) match your portal/gateway address.
Under the Enterprise App theirs the is the Base SAML Configuration. This is where you can have multiple entries or use a wildcard like: *.learningforfun.net vs. vpn[1|2].learningforfun.net.
Hopefully I understood your ask, but this is how I've handled deployments with multiple portal/gateway deployments.

@@learningforfuntoday oh! I thought it needed to match the portal/gateway address (URL). So I created a certificate on the Palo with the URL of the portal/gateway and then imported it in the SAML Signing certificate area. So what you’re saying is the common name of the certificate that I creat and import into the SAML Signing Certificate can be anything? So that’s just required to validate the “handshake” (so to speak)? I knew I could put the other URLs in the base SAML config., but I thought it required a valid URL. Hmm Interesting

I’ll have to try that tonight. Unfortunately, it’s in production and I can’t test changes until tonight. I really appreciate the help!

You absolutely can and what I would recommend. It's as easy as saying all users must use MFA. The only real issue I've seen is where customers set the tenant wide setting that cache MFA status for 12 hours....so after the user connects the fist time Azure caches it for 12 hours on it's side. Just be careful when testing it out to make sure you the conditional access policy matches your security requirements!

@@learningforfuntoday it isn't going quite as smoothly as in your video lol. I see this error( description contains 'failed authentication for user \'xxxxxxx\'. Reason: Internal error, e.g. network connection, DNS failure or remote server down. auth profile \Azure AD - Global Protect'\', vsys \'vsys1\', From: xxxxx.' ) and this error 'Username from SAML SSO response is different from the input' I think i will try update the group mapping attributes to include userprinciple Name and samaccountname and see if that helps.

@@reddrinker Try the email field as the username. You'll get that message if the attributes being returned as the username aren't the email address. I ran into it when I was using a Guest invited account since the UPN adds #EXT# to it.
I was able to see it easily by using a tool called SAML Tracer in Chrome and FireFox and logging into the Portal.

You'll want to make sure the username being returned matches the LDAP user/group attributes you are pulling from AD. Most of the time this should be the email attribute that we use as a secondary attribute.
Alternatively, if you are on 10.1 you can use the Cloud Identity Engine to query the groups directly from Azure and on prem AD. Highly recommend looking into this.
I plan on making a video here shortly on how to implement it.

@@learningforfuntoday I don't have a local AD, I have just some users and groups defined in PA firewall. All that users connect to VPN from outside the office using GP. Now works well, each group follows security policy, but If I will switch to azure I don't know how will work. Thanks!

@@learningforfuntoday pls make the cloud identity engine implementation video. And thanks for making this one btw, very helpful

Two different options:
1) You can use the LDAP Group mapping capabilities of the firewall like you do for other group mappings. This works if there's no cloud only account (e.g. guest accounts).
2) The new way to do it would be to use the Cloud Identity Engine (CIE) that Palo Alto Networks offering in the hub (apps.paloaltonetworks.com). It pulls the groups from AD and from iDPs like Azure and sync's them with your firewalls! Perfect for the type of deployments we are seeing today.
I'll have a video coming out soon that dives more into the benefits and how to deploy the CIE solution.

@@learningforfuntoday Where is this video? I am in the same boat as some other commenters. Our Group Mapping worked fine and then I switched over to Azure. I have CIE setup with my LDAP and Azure directories both connected. I guess I need to add this to my (non-panorama) firewall somehow..