Palo Alto GlobalProtect SAML Single Sign-On with Azure [in 8 minutes]

  • Published 14 Oct 2024
  • #paloaltonetworks #paloaltofirewall #firewall
    In this 8-minute tutorial you're going to learn how to register your Palo Alto firewall and Microsoft Azure with each other, in order to allow single sign-on for your GlobalProtect VPN remote-access users.
    In this tutorial I’m assuming that GlobalProtect is already configured in your environment. If you haven’t configured GlobalProtect yet, check out this video first: • Palo Alto GlobalProtec...

Comments • 57

  • @netsums  8 months ago

    FREE Palo Alto Cheat Sheet in different formats and further FREE resources: netsums.com/resources

  • @arthurfaizal2968  7 months ago +1

    brooo i love you seriously, im so glad i found this channel, its such a gem. Thanks for your hard work, really2 appreciate it!!

    • @netsums  7 months ago +1

      Thank you for the lovely comment, I'm glad you like the videos!

  • @brandone7273  1 year ago +1

    This was amazing, thank you! Identity services is not something I have much experience with, coming from a networking background. This tutorial is exactly what I needed.

    • @netsums  1 year ago +1

      Glad it was helpful!

  • @AkilanR-vg7uu  1 year ago +1

    Short and crisp!!! Very useful one!! Expecting more Palo Alto related videos, keep doing it.

    • @netsums  1 year ago +2

      I'm glad you liked the video! I should be releasing more videos soon. Thank you for the comment.

  • @Roadhouse-20  2 months ago +1

    What would be the renewal process please? Ours is about to expire and I’m looking to renew it.

  • @fidalive  9 months ago

    I really appreciate your time for making such good content; the video was very helpful to integrate Azure auth with Palo Alto.

    • @netsums  9 months ago

      My pleasure, glad I could help. Thank you for the nice comment!

  • @aajratrikageet2213  3 months ago

    Hi, your video is very helpful. We have successfully enabled MFA with Azure SAML auth on Palo Alto. But we have one query: we are multi-tenant on Azure, and in SAML authentication we can apply only one auth profile, so how can we enable MFA with Azure SAML for our different tenants for GlobalProtect?

    • @netsums  3 months ago

      Hi, thank you, and sorry for the late reply. I think what you need is an authentication sequence. You configure a SAML authentication profile for each tenant and add them to a sequence. I haven't tried a sequence with SAML before, but it should work for SAML as well. Let me know later if it worked! :)

  • @ahmadyasirrosdyable  1 year ago +1

    Amazing tutorial. Do you have any video for ADFS and Palo Alto?

    • @netsums  1 year ago +1

      Hi, thank you for your comment. No, unfortunately I still don't have any video for ADFS.

  • @sarkarmadhumita6  11 months ago

    Thank you so much for the valuable info. But my question is: can we integrate Palo Alto with Microsoft Authenticator/Google for MFA purposes in GlobalProtect? The first authentication will be through AD (either on-prem or AWS).

    • @netsums  11 months ago

      Hi. Yes, you can. With AD you would probably need a RADIUS server; I'm not sure if AD has some built-in functions for MFA. I made a video about Palo Alto, RADIUS and MFA a while ago, maybe it can help you: th-cam.com/video/2mIuqmWP-j0/w-d-xo.htmlsi=j9nVtCMGreaL476B
      With AWS you should be able to configure MFA directly there on the user authentication section, or you would need an identity provider such as okta for that.

  • @juanmora2234  19 days ago

    I got it to work once, but it would never re-prompt the user with MFA. I did configure the SAML logout URL but still no luck. The user logged in without using MFA.

  • @Bormanb23  4 months ago

    This is great, thank you so much. I tried this but I'm getting an "ssl not supported" error on the Palo landing page after I click connect on my GP client. Any ideas?

    • @netsums  4 months ago

      Take a look at your client logs, maybe they point you in the right direction. You can find the debug logs under Troubleshooting. There are lots of files in the logs; start with pan_gp_event.log and if you don't see anything, try pangps.log.
      Let me know if you could solve the problem.

  • @midas1108  2 months ago

    I'm curious how to have the certificate verification enabled.
    When I import the federation metadata XML a certificate is created on the firewall. However I'm unable to modify that certificate--for example, to set it as a CA certificate, which appears to be required for this setup.
    When attempting to create the Authentication Profile, the add fails because there is no Certificate Profile (the exact error is that "Validate Identity Provider Certificate is checked but no Certificate Profile is provided"). I'm unable to create a certificate profile with the auto-added certificate since it isn't marked as a CA.

    • @netsums  2 months ago

      I think the best way is to have a second certificate just for the request validation, separate from the one you receive with the metadata. I think you can even use an internal (self-signed) certificate, but I'm not 100% sure how your IdP will handle that.
      Let me know if it worked for you, I would be interested. :-)

  • @syedalam387  4 months ago

    Hello Ricardo, I used your video to configure SAML authentication for my PA lab. Everything worked fine until I used the app: it would not let me enter my credentials, it just shows a blank screen. I know SAML is working because I can get to the portal and download software. Any ideas why that might be happening?

    • @netsums  4 months ago +1

      Strange, no idea. Try configuring the portal (under App) to use SAML authentication with the standard browser to see if you're able to log in.

  • @sebastianreyes9010  4 months ago

    Hi netsums, how can we configure Connect Before Logon with SAML?

  • @bagusandhika8672  28 days ago

    Hey, can you explain 4:24 to me, how to create that ethernet1/1 with that IPv4 address?

    • @netsums  28 days ago +1

      You need to add the IP address to the interface first. You do that under Network -> Interfaces.

  • @sunitathakur3575  5 months ago

    Very useful. Thank you very much!

    • @netsums  5 months ago

      You're welcome, I'm glad you liked the video!

  • @sinergy9837  1 year ago +1

    The video needs to be updated to reflect the new version of PAN-OS, specifically the TLS/SSL profile. Thanks.

  • @aquadir2830  11 months ago

    Hi,
    But while authenticating with GlobalProtect, why is it not asking for 2FA authentication...? Is any option available for MFA while using the GlobalProtect app?

    • @netsums  11 months ago +1

      You need to enable 2FA on Azure. This is an Azure setting.

    • @aquadir2830  11 months ago

      @@netsums thank you sir 🙏🙏🙏

  • @shankarganesh1230  1 year ago

    If we need to implement SAML SSO at scale, should we follow the same procedure?

    • @netsums  1 year ago

      There are some things you should adapt for a production environment, like using AD groups in Azure to allow SAML, for example. Please refer to the Palo Alto documentation before rolling it out in your company for several users.

  • @SaleemNasser  1 year ago +1

    Very good, thanks

    • @netsums  1 year ago +1

      You're welcome, I'm glad you liked it.

  • @funnyvid2956  1 year ago

    Great tutorial! How do I enable MFA every time the user logs in to the VPN?

    • @netsums  1 year ago

      Thanks! I haven't tested it before, but you should activate it directly on MS Azure, in the user section. This page explains how you can do it: www.manageengine.com/products/passwordmanagerpro/help/azure_ad_saml_based_sso_configuration.html#enablemfa
      Let me know later if it worked out!

  • @FrancisBellen  11 months ago

    Where do you get the URL?
    You mean the GlobalProtect gateway DNS name?

    • @netsums  11 months ago

      Which URL do you mean exactly?

  • @张志国-h6t  1 year ago

    How do you do security policy access control for SAML-authenticated user groups in a Palo Alto firewall?

    • @netsums  1 year ago

      I am assuming you want to use the Azure groups in the security policies. For that you need to enter the user group attribute in the authentication profile, in order to be able to extract the group information from the user.
      At minute 4:00 of the video I show the authentication profile configuration. After configuring it, you can verify on the CLI whether the groups are being successfully extracted on the firewall using the command "show user user-ids match-user ".

  • @supernash1984  9 months ago

    We have an LSVPN setup. How do the satellites authenticate to the portal and gateway with SAML?

    • @netsums  9 months ago +1

      Hi, that's a good question that I would need to pass on for now. I haven't configured SAML with satellites yet. But I'll keep this in mind; I plan to do a video about it.

  • @toptalkers7980  1 year ago

    Good job, thank you

    • @netsums  1 year ago

      Thank you also for the comment. :)

  • @anonymoustravelvidz  1 year ago

    How do you renew an expired SAML certificate?

    • @Skeeheee  1 year ago

      Second this.

    • @netsums  1 year ago

      Have you tried this?
      1. Delete the old certificate on the Azure SAML IdP side.
      2. Export the new SAML metadata XML file (which has only the new certificate) from the Azure IdP.
      3. Import the new metadata XML file into the FW through the SAML Identity Provider profile, using the same profile name as before.
      4. After that, navigate to Device > Certificate Management > Certificates to verify and confirm that the Azure SAML IdP certificate was automatically renewed on the firewall.

    • @Skeeheee  1 year ago

      @@netsums Yeah, I get 'failed to extract certificate'.

    • @netsums  1 year ago

      Sorry, I can't help you there. Maybe you need to make sure you erased the old certificate from the Palo Alto firewall.
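An added example for the renewal thread above (it is not from the video or its comments): it parses an Azure-style SAML federation metadata export, lists the IdP signing certificate fingerprints, and reports whether the new export actually carries a certificate the old one lacked, so a "nothing changed" import can be spotted before touching the firewall. The metadata below is constructed, with a placeholder certificate body and a placeholder tenant ID.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 federation metadata (the XML Azure exports).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like an Azure IdP export; the certificate body
# is a base64 placeholder, not a real X.509 certificate.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          ZHVtbXk=
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def idp_summary(metadata_xml: str) -> dict:
    """Return entityID, SSO URL and SHA-256 fingerprints of the IdP signing certs."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    fingerprints = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # skip encryption-only keys
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            # Metadata wraps the base64 over several lines; drop all whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            fingerprints.append(hashlib.sha256(der).hexdigest())
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location") if sso is not None else None,
            "signing_fingerprints": fingerprints}

def certificate_changed(old_xml: str, new_xml: str) -> bool:
    """True if the new export carries a signing certificate the old one did not."""
    old = set(idp_summary(old_xml)["signing_fingerprints"])
    new = set(idp_summary(new_xml)["signing_fingerprints"])
    return not new <= old
```

Compare the printed fingerprints with the certificate shown under Device > Certificate Management > Certificates after the import; a matching fingerprint confirms the firewall picked up the new IdP certificate.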

  • @vedsachit604  1 year ago

    Nice video

    • @netsums  1 year ago

      Thank you

  • @UsmanAli-sz8kx  1 year ago

    Electric

  • @JordanMoran-p9g  1 year ago

    Can you explain how I should obtain a URL? Do I need to buy a domain?

    • @netsums  1 year ago

      Hi. You need to buy a domain if you need a domain like _.com_ . But you can get something like _.noip.com_ , for example, for free I think, if it suits your needs. You just need to log in once every 30 days or so, otherwise they erase your DNS entry. Check noip.com. But for sure there are others on the Internet that offer some sort of free service.