[Instructor] Hi, I'm Matt from Duo Security. In this video, I'm going to show you how to protect SSO logins to Palo Alto GlobalProtect using Duo's on-premises SSO product, Duo Access Gateway. This video will describe some of the necessary prerequisites for this configuration, and then show the setup process, beginning with configuring your Palo Alto Networks SSO logins to work with Duo Access Gateway. Before watching this video, please read the documentation for this configuration at duo.com/docs/paloalto-sso.

Note that in addition to GlobalProtect SSO logins, you can also protect SSO logins to the Captive Portal or Admin UI. By protecting your Palo Alto SSO logins with Duo, you will be able to take advantage of features including inline self-service enrollment, the Duo Prompt, Trusted Endpoints, and Duo's policy engine. Note that you can also protect Palo Alto SSO logins using Duo in tandem with services including Microsoft AD FS, Okta, OneLogin, CAS, and Shibboleth. Reference the documentation for information about those configurations. In addition, Duo offers a RADIUS-based method for protecting Palo Alto GlobalProtect VPN logins that uses our Authentication Proxy. You can learn about this configuration at duo.com/docs/paloalto.

This video assumes that you have already deployed Duo Access Gateway, also known as DAG, on a server in your DMZ. The documentation for installing and configuring DAG is available at duo.com/docs/dag. In your DAG Authentication Source configuration, include the appropriate attributes for your Authentication Source. Since we are using Active Directory for this video, the attributes are mail and sAMAccountName. If you already have attributes listed in your Authentication Source configuration, be sure to add whichever of these two are not present. Do not remove any that you have already added for your environment. In addition, before setting up Duo protection for Palo Alto Networks SSO, download the XML metadata from the DAG admin console's Applications page. The download link is located in the Metadata section, and the file is named dag.xml.

After getting these prerequisites in place, you are ready to configure your Palo Alto SSO to work with DAG. Log in to the Palo Alto management interface as an administrative user. At the top of the page, click the Device tab. On the left-hand side of the page, expand the Server Profiles section and select SAML Identity Provider. Click the Import button at the bottom of the page. In the Profile Name field, type Duo Access Gateway Profile. Next to Identity Provider Metadata, click Browse and select the dag.xml metadata file you downloaded from the DAG admin console. Uncheck the box next to Validate Identity Provider Certificate. Leave all other options at their defaults and click OK. The page will reload with the Duo Access Gateway Profile now listed in the SAML Identity Provider section.

Next, add the Authentication Profile. On the left side of the page, select Authentication Profile. At the bottom of the page, click the Add button. In the Name field, type Duo Access Gateway. On the Authentication tab, in the Type dropdown, select SAML. Next to IdP Server Profile, click the dropdown and select Duo Access Gateway Profile. Next to Certificate for Signing Requests, click the dropdown and select a certificate that will be used to sign SAML messages to DAG. In the Username Attribute field, type user.username. Click the Advanced tab and click Add. Select the All group. Click OK. In the top right of the screen, click the Commit link. Review your changes and click Commit.

Next, configure the Palo Alto service you want to protect with DAG SSO. In this video, we will protect a GlobalProtect portal and gateway with SSO. Reference the documentation to learn how to protect the Captive Portal and Admin UI. In the Palo Alto management interface, click the Network tab at the top of the screen. On the left-hand side of the screen, expand GlobalProtect and click Portals. Click the name of the portal you want to add SSO login to. Click the Authentication tab. Select the Client Authentication configuration you want to apply SSO to, then click the dropdown for the Authentication Profile and select Duo Access Gateway. Click the Agent tab. Click the name of the Agent configuration you want to apply SSO to. On the Authentication page, next to Save User Credentials, click the dropdown and select Yes. Under the Authentication Override section, check the boxes next to Generate cookie for authentication override and Accept cookie for authentication override. Next to Cookie Lifetime, select how much time must pass before users are asked to authenticate again. For this example, we will use the default of 24 hours. Using the dropdown next to Certificate to Encrypt/Decrypt Cookie, select the appropriate certificate. Click OK, then click OK again to be taken back to the main screen.

On the left side of the console under GlobalProtect, click Gateways. Select the Client Authentication configuration you want to apply SSO to. Click the Authentication tab. In the entry for your client authentication, click the dropdown for Authentication Profile and select Duo Access Gateway. Click the Agent tab and click Client Settings. Click the Gateway config you want to add SSO to. Under the Authentication Override section, check the boxes for Generate cookie for authentication override and Accept cookie for authentication override. Next to Cookie Lifetime, select how much time must pass before users are asked to authenticate again. We will again use the default of 24 hours. Next to Certificate to Encrypt/Decrypt Cookie, select the same certificate you chose previously. Click OK, then click OK again to be taken back to the main screen. Click Commit in the top right-hand side of the screen. Review your changes and click Commit.

Now create the Palo Alto application in the Duo Admin Panel. Log in to the Duo Admin Panel. In the left sidebar, click Applications, then click Protect an Application. In the search bar, type saml palo alto. Next to the entry for the Palo Alto application, click Protect this Application. On your new application's properties page, in the Domain field, enter the URL of your GlobalProtect server. Next to Palo Alto Networks Service, select GlobalProtect. Since we are not using any custom attributes, we do not need to check the Custom attributes box. Click Save Configuration to generate a downloadable configuration file. Click the Download your configuration file link to obtain your Palo Alto Networks application settings as a JSON file. Note that this file contains information that uniquely identifies this application to Duo. Secure this file as you would any other sensitive or password information.

Return to the Applications page of the DAG admin console. In the Add Applications section of the page, click Choose File, and select the Palo Alto Networks SAML Application JSON file you downloaded from the Duo Admin Panel. Click the Upload button. Your SAML application is now added to DAG.

Palo Alto Networks' embedded browser does not consistently keep the same user agent during the entire authentication. User agent binding must be disabled to avoid issues. In the DAG admin console, navigate to Settings. Under Session Management, uncheck the box next to User agent binding. Click Save Settings.

Finally, verify that you have configured your settings correctly. Open your GlobalProtect VPN client and attempt to connect to your portal. A window will pop up redirecting you to the Duo Access Gateway login page. Enter the primary directory logon information of a user enrolled in Duo. After completing primary authentication, the Duo Prompt for the Duo Access Gateway login appears. From the prompt, the enrolled user can select Send Me a Push, Call Me, or Enter a Passcode to complete two-factor authentication. In this example, we will use Duo Push, as the user has already installed and activated Duo Mobile on their smartphone. They open the notification on their smartphone, check the contextual information to confirm the login is legitimate, and tap the
green button to accept. You have successfully protected Palo Alto Networks SSO with Duo.