
How to set up Azure SAML authentication with GlobalProtect

  • Jan 29
  • 2 min read

Step-by-Step Guide: Setting Up Azure SAML Authentication for GlobalProtect Portal and Gateway

Objective

This guide provides detailed instructions to configure Azure SAML authentication for Palo Alto GlobalProtect Portal and Gateway, enabling secure remote access via SAML-based SSO.


Prerequisites

  • Admin access to Azure Portal and Palo Alto Firewall.

  • GlobalProtect Portal and Gateway preconfigured with basic settings (IP/FQDN, certificates, etc.).

  • A valid Azure AD subscription.



Part 1: Configure Azure SAML Application

Step 1: Create the Enterprise Application in Azure

  1. Log in to the Azure Portal (portal.azure.com).

  2. Navigate to All Services > Enterprise Applications.



  3. Click + New application > + Create your own application.

    • Name: Enter Palo Alto GlobalProtect.

    • Select Integrate any other application you don’t find in the gallery.

    • Click Create.



Step 2: Configure SAML Settings

  1. Go to the new application’s Single sign-on tab.

  2. Select SAML as the method.



Step 3: Configure Basic SAML Settings

  1. Click Edit under Basic SAML Configuration.

  2. Enter the following details (use either FQDN or IP address):

    • Identifier (Entity ID):


      https://<FQDN>:443/SAML20/SP OR https://<IP-address>:443/SAML20/SP

    • Reply URL (Assertion Consumer Service URL):


      https://<FQDN>:443/SAML20/SP/ACS OR https://<IP-address>:443/SAML20/SP/ACS

    • Sign-on URL:


      https://<FQDN> OR https://<IP-address>

    • Relay State: Leave blank.


Step 4: Download Federation Metadata XML

  1. Under SAML Signing Certificate, click Download next to Federation Metadata XML.

    • ⚠️ Important: Ensure only one active certificate exists. Delete inactive certificates to avoid authentication failures.

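Before importing the metadata in Part 2, it is worth sanity-checking the file for the problem the guide flags (more than one active signing certificate) and generating the exact SP-side values for Step 3 from the portal host. The following Python script is an added example and is not part of the original post; it uses only the standard library, and the metadata it inspects is a constructed sample with a fake tenant id and placeholder certificate bodies (base64 of a short string, not real X.509 data). The function and constant names are the example's own.

```python
"""Sanity-check Azure federation metadata before importing it into the firewall,
and build the SP URLs the guide asks you to enter in Azure (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed for the sample only: fake tenant id, placeholder certificate bodies.
FAKE_TENANT = "00000000-0000-0000-0000-000000000000"


def _placeholder_cert(n: int) -> str:
    # Base64 of a short string; stands in for the DER certificate Azure exports.
    return base64.b64encode(f"constructed-placeholder-cert-{n}".encode()).decode()


def build_sample_metadata(num_signing_certs: int) -> str:
    """Constructed Azure-style federation metadata with the given number of
    signing KeyDescriptors (1 = healthy, 2 = the 'two active certificates' case)."""
    md, ds = NS["md"], NS["ds"]
    keys = "".join(
        f'<KeyDescriptor use="signing"><KeyInfo xmlns="{ds}">'
        f"<X509Data><X509Certificate>{_placeholder_cert(i)}</X509Certificate></X509Data>"
        "</KeyInfo></KeyDescriptor>"
        for i in range(num_signing_certs)
    )
    sso = f"https://login.microsoftonline.com/{FAKE_TENANT}/saml2"
    return (
        f'<EntityDescriptor xmlns="{md}" entityID="https://sts.windows.net/{FAKE_TENANT}/">'
        '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{keys}"
        f'<SingleSignOnService Binding="{BINDING_REDIRECT}" Location="{sso}"/>'
        f'<SingleSignOnService Binding="{BINDING_POST}" Location="{sso}"/>'
        "</IDPSSODescriptor></EntityDescriptor>"
    )


def expected_sp_urls(portal_host: str) -> dict:
    """SP-side values for Azure's Basic SAML Configuration, built from the
    GlobalProtect portal FQDN or IP address exactly as the guide specifies."""
    return {
        "entity_id": f"https://{portal_host}:443/SAML20/SP",
        "acs_url": f"https://{portal_host}:443/SAML20/SP/ACS",
        "sign_on_url": f"https://{portal_host}",
    }


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SHA-256 fingerprints of signing certificates and SSO
    endpoints from a SAML 2.0 IdP metadata document."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs, endpoints = [], {}
    if idp is not None:
        for kd in idp.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor with no 'use' attribute counts for signing too.
            if kd.get("use") not in (None, "signing"):
                continue
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                certs.append(hashlib.sha256(der).hexdigest())
        for svc in idp.findall("md:SingleSignOnService", NS):
            endpoints[svc.get("Binding")] = svc.get("Location")
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso_endpoints": endpoints}


def check_metadata(xml_text: str) -> list:
    """Return a list of problems to fix before importing; empty means healthy."""
    info = parse_idp_metadata(xml_text)
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID on EntityDescriptor")
    n = len(info["signing_certs"])
    if n == 0:
        problems.append("no signing certificate found; the firewall cannot validate assertions")
    elif n > 1:
        problems.append(f"{n} signing certificates present; keep exactly one active certificate in Azure")
    if not (info["sso_endpoints"].get(BINDING_REDIRECT) or info["sso_endpoints"].get(BINDING_POST)):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for binding, loc in info["sso_endpoints"].items():
        if not (loc or "").startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not https: {loc}")
    return problems


if __name__ == "__main__":
    print(expected_sp_urls("vpn.example.com"))
    for count in (1, 2):
        print(count, "signing cert(s):", check_metadata(build_sample_metadata(count)) or "OK")
```

To run it against a real export, replace the constructed sample with the contents of the downloaded Federation Metadata XML (for example `check_metadata(open("metadata.xml").read())`); a non-empty result for the certificate count is the condition behind the "Certificate Mismatch" tip in the troubleshooting section.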

Part 2: Configure Palo Alto Firewall

Step 1: Import SAML Identity Provider Metadata

  1. Log in to the Palo Alto Firewall.

  2. Navigate to Device > SAML Identity Provider > Import.

  3. Upload the Federation Metadata XML file downloaded from Azure.

    • Uncheck: Validate Identity Provider Certificate (unless Azure’s certificate is pre-uploaded).





Step 2: Create an Authentication Profile

  1. Go to Device > Authentication Profile.

  2. Click Add and configure:

    • Name: e.g., Azure-SAML-GlobalProtect.

    • Type: SAML.

    • IdP Server Profile: Select the imported SAML Identity Provider.

  3. Under Advanced > Allow List:

    • Select Allow All (or restrict to specific groups if needed).

Step 3: Apply Authentication Profile to GlobalProtect

  1. For the Portal:

    • Navigate to Network > GlobalProtect > Portals.

    • Edit your Portal configuration > Agent > Authentication.

    • Select the Azure-SAML-GlobalProtect profile.

  2. For the Gateway:

    • Go to Network > GlobalProtect > Gateways.

    • Edit your Gateway configuration > Client Authentication.

    • Select the Azure-SAML-GlobalProtect profile.


Part 3: Test the Configuration

  1. Launch GlobalProtect and enter the Portal FQDN/IP.

  2. You should be redirected to Azure’s SAML login page.

  3. After successful authentication, the client will connect to the Gateway.


Troubleshooting Tips

  • Certificate Mismatch: Ensure only one certificate is active in Azure.

  • URL Typos: Double-check FQDN/IP and port numbers in Azure SAML settings.

  • Firewall Logs: Check Monitor > Logs > Authentication for errors.

Conclusion

You’ve now integrated Azure SAML authentication with GlobalProtect, enabling seamless and secure remote access. For advanced configurations (e.g., group restrictions), refer to Palo Alto’s official documentation.

Need help? Leave a comment below! 🚀

1 Comment


Unknown member
Aug 31

Really appreciate your post on solving login problems. I faced similar trouble with the Rajasthan SSO portal where the system wouldn’t accept my credentials. After trying different methods, I found https://sso-id.net, which provided step-by-step login help for both mobile and desktop. Following that, I was able to successfully log in.
