Palo Alto GlobalProtect SAML Single Sign-On with Azure [in 8 minutes]

Video Statistics and Information

Captions
At the end of this 8-minute video you're gonna be able to register your Palo Alto firewall and Microsoft Azure with each other in order to allow single sign-on for your GlobalProtect VPN remote access users.

Hi, my name is Ricardo, and for this tutorial I'm gonna assume that you already have GlobalProtect configured in your environment. If it's not the case and you need some help configuring GlobalProtect, here's a link to a video that can help you; check it out. As a quick recap, I'm using my firewall interface ethernet1/1 to configure my portal and external gateway. For the single sign-on I'm going to use SAML, so let's first configure Azure to accept the firewall registration.

After logging into Azure you need to use the search on top of the screen to search for Enterprise applications. Let's add a new application, and the application we're looking for is Palo Alto Networks GlobalProtect; just click on it. If you want to change the name, go ahead; I'm just going to leave it like this and click on Create on the bottom of the screen. After the application is created, click on the menu Single sign-on and choose SAML as the method. Now we need to set the basic SAML configuration: click on Edit on the right side. We need to enter three parameters. First we enter our URL as shown on the pattern below. Copy the URL on top of the page; you need to add an identifier, so I'll just paste the URL and add the string in the end as shown in the pattern just below. I'll do the same for the reply URL. For the identifier and reply URL we can't forget to add the port 443. After that we can save the configuration. Now we will download the Federation Metadata XML file under SAML certificates. The last thing we need to do is to define which users are allowed to perform the SAML authentication. Depending on your Azure license you can add Active Directory groups; since I'm using a trial license I can only add users. For this tutorial I'll assign the user gpuser, and that's all we need to do in Azure, so let's go to the firewall.

Now we are going to import the SAML configuration that we downloaded from the Azure portal. Under Device, SAML Identity Provider, click on Import. Now let's give a name for the profile and find the XML file we exported earlier. For this tutorial I'm not going to verify the Azure certificate, but whenever configuring in production please keep the certificate validation active. Now we need to add a new authentication profile in order to use it on the portal and gateway. I'll just call the profile SAML; the type is of course SAML, and I'll select the SAML identity provider we just created. Under Advanced I'll just allow all users, since I'm already regulating on Microsoft Azure the users that are allowed to authenticate. Now in the portal and gateway configurations we need to choose the new authentication profile. After that you can commit your configuration.

Now we're going to test the SAML configuration. I have a remote Windows client that's connected to the internet. Let's first log into our portal, so my URL is vpn.netsums.com, and you can see that the URL gets forwarded to login.microsoftonline.com. I'm gonna choose the user gpuser@netsums.com to connect to the portal; that's the user we gave permission on Azure to use the SAML authentication. Enter the password, say yes to stay signed in, and you can see that Microsoft redirects us back to our portal. If we take a look at office.com now and I click on Sign in, you can see that gpuser doesn't need to enter its credentials anymore; the user is already signed in. Now I'm gonna try the opposite: I signed out of my user and I'm going to sign in again using Azure. Enter the username, I select my username, the same one, gpuser@ad.netsums.com, and I sign in. It's asking for my two-factor authentication; I allow my login on my smartphone. Now let's try to sign in using our GlobalProtect app. So when I try to connect to vpn.netsums.com using my GlobalProtect app, I get redirected from the app to the browser, and the browser opens a new window, but it doesn't ask me for my user credentials; it just asks back if I want to open GlobalProtect to use my login credentials, the one that I used before on Azure. If you want you can check the box "always allow vpn.netsums.com to open links of this type" and click on Open GlobalProtect, and then it won't ask you anymore. And then you can see my GlobalProtect app is trying to connect to the best available gateway, so it gets connected without me having to enter again my user credentials.

If you go back to the firewall under Monitor, GlobalProtect, you can see some information about the login from the user. More information regarding the SAML login you can see under System. So if you want to take a look at the firewall logs, you can go either to GlobalProtect or to System; both of them are going to show you some information if you're having some problems connecting with SAML. But as a whole, the configuration is really straightforward. So guys, we did manage to finish in less than eight minutes. If you got some value from the video just hit the like button; if you want you can subscribe to the channel, and here's a video that can help you if you need some help configuring GlobalProtect. And I will see you in the next one, bye.
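The two places this setup usually goes wrong are the ones the video calls out: the identifier and reply URL entered in Azure without the `:443`, and the Federation Metadata XML imported into the firewall without its signing certificate being validated. The script below is an added example (it is not NETSums', Palo Alto Networks' or Microsoft's code) that pre-checks both before you touch the firewall: it parses an Azure-style SAML 2.0 IdP metadata file, extracts the entityID, the signing certificate fingerprint and the single-sign-on endpoints, and compares the SP URLs you typed into Azure against the expected pattern. It assumes the metadata follows the standard SAML 2.0 metadata schema, and that the GlobalProtect gallery app's patterns are `https://<portal-fqdn>:443/SAML20/SP` (identifier) and `https://<portal-fqdn>:443/SAML20/SP/ACS` (reply URL); verify those against the pattern shown in your own tenant. The metadata, tenant id and certificate in the block are constructed placeholders.

```python
"""Pre-import checks for an Azure SAML federation metadata file and the
SP URLs entered in Azure, before configuring a PAN-OS SAML Identity
Provider profile. Added example, not vendor code; see lead-in for the
assumptions on the SP URL patterns."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder: a minimal DER SEQUENCE standing in for the real
# X.509 signing certificate that Azure embeds in the metadata.
FAKE_CERT_DER = b"\x30\x03\x02\x01\x01"
FAKE_CERT_SHA256 = hashlib.sha256(FAKE_CERT_DER).hexdigest()
PLACEHOLDER_TENANT = "00000000-0000-0000-0000-000000000000"

# Constructed sample metadata in the shape Azure exports (not a real tenant).
SAMPLE_METADATA = f"""
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{PLACEHOLDER_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SHA-256 fingerprints of signing certs, and SSO endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only key; it does not sign assertions
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"),
            "signing_cert_sha256": fingerprints, "sso": sso}


def audit_idp_metadata(meta: dict) -> list:
    """Findings that would make the firewall-side import unsafe or unusable."""
    findings = []
    if not meta["entity_id"]:
        findings.append("entityID missing")
    if not meta["signing_cert_sha256"]:
        findings.append("no signing certificate: assertion signatures cannot be validated")
    usable = {b: u for b, u in meta["sso"].items() if b in (HTTP_REDIRECT, HTTP_POST)}
    if not usable:
        findings.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for binding, url in usable.items():
        if urlsplit(url).scheme != "https":
            findings.append(f"SSO endpoint for {binding} is not https: {url}")
    return findings


def expected_sp_endpoints(portal_fqdn: str, port: int = 443) -> dict:
    """Identifier / reply URL the tutorial's pattern expects (assumed pattern)."""
    base = f"https://{portal_fqdn}:{port}/SAML20/SP"
    return {"identifier": base, "reply_url": base + "/ACS"}


def audit_sp_urls(configured: dict, portal_fqdn: str) -> list:
    """Compare what was typed into Azure against the expected pattern,
    naming the forgotten :443 explicitly since it is the common slip."""
    findings = []
    for name, want in expected_sp_endpoints(portal_fqdn).items():
        got = configured.get(name, "")
        if got == want:
            continue
        parts = urlsplit(got)
        if parts.scheme == "https" and parts.hostname == portal_fqdn and parts.port is None:
            findings.append(f"{name}: port :443 missing in {got!r}; expected {want!r}")
        else:
            findings.append(f"{name}: {got!r} does not match {want!r}")
    return findings


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entityID:", meta["entity_id"])
    print("signing cert SHA-256:", meta["signing_cert_sha256"])
    print("IdP findings:", audit_idp_metadata(meta) or "none")
    typed_in_azure = {"identifier": "https://vpn.example.com/SAML20/SP",
                      "reply_url": "https://vpn.example.com:443/SAML20/SP/ACS"}
    print("SP URL findings:", audit_sp_urls(typed_in_azure, "vpn.example.com"))
```

Run it against the real `FederationMetadata.xml` by replacing `SAMPLE_METADATA` with the file contents; the printed fingerprint is what you compare with the certificate shown in the firewall's SAML Identity Provider profile, so that "Validate Identity Provider Certificate" can stay enabled in production as the video recommends.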
Info
Channel: NETSums
Views: 16,991
Keywords: Palo Alto Firewall, palo alto firewall training, palo alto firewall globalprotect, palo alto firewall globalprotect saml, palo alto firewall microsoft azure, palo alto azure
Id: knEi2TCdp3s
Length: 7min 46sec (466 seconds)
Published: Thu Dec 15 2022