How to configure SAML auth - Dedicated Hosted VPN portals
This guide gives a high-level overview of configuring SAML authentication from the client's environment so the firewall can use it for VPN authentication. For further detail, refer to the identity provider's official documentation.
There are two main providers that we will cover in this article:
1. Microsoft 365
2. Google Workspace
Azure:
- Log in to the customer's M365 tenant with an admin account at portal.azure.com
- Navigate to Home > Enterprise Applications
- Add new enterprise application > search for "Palo Alto Networks - GlobalProtect" and select Create App
- Once the application is created, select "Manage" from the left column
- Click Single Sign On and select SAML as the option
- Edit the Basic SAML Configuration form
- Click Add Identifier: https://cust.vpnsvcs.com/SAML20/SP (e.g. https://ostra.vpnsvcs.com/SAML20/SP)
- Click Add Reply URL: https://cust.vpnsvcs.com/SAML20/SP/ACS (e.g. https://ostra.vpnsvcs.com/SAML20/SP/ACS)
- Enter a sign-on URL: https://cust.vpnsvcs.com:443/ (e.g. https://ostra.vpnsvcs.com:443/)
- Click Save at the top of the Basic SAML Configuration form.
- Download the Federation Metadata XML file and save it to the customer's file on the ostra file server
- Navigate to Users and Groups in the left column
- Add user/group > click None Selected under Users
- Select all users who will be connecting to GlobalProtect
- Click Assign to complete and save.
Google Workspace:
Importing the SAML IdP profile
- Log in to the firewall
- Navigate to Device > Server Profiles > SAML Identity Provider
- Click Import at the bottom of the screen
- Locate the federation metadata XML file
- Uncheck Validate IDP Cert
- Click OK
Creating the Auth Profile
- Navigate to authentication profiles (Device > Auth Profiles)
- Select Add at the bottom of the screen
- Authentication tab
  - Type: SAML
  - IdP Server Profile: the customer's IdP profile just created
- Advanced tab
- Click OK to save