PAN Global Protect, AzureAD and Trusona Integration Guide

Integrating Trusona with Palo Alto's Global Protect via AzureAD

Introduction

Global Protect is a VPN solution from Palo Alto Networks that can leverage your existing Azure Active Directory (AzureAD) integration with Trusona to provide a consistent login experience across your enterprise. This guide will walk you through configuring Palo Alto Global Protect to use SAML for authentication with an AzureAD tenant that is configured to use Trusona for Conditional Access.

Before You Begin

Before you begin, make sure your AzureAD tenant has been integrated with Trusona via Conditional Access. For instructions, see our guide.

Add Palo Alto Networks - Global Protect to AzureAD

  1. Log in to your Azure portal, and go to Azure Active Directory
  2. Select Enterprise Applications
  3. Click “New Application”
  4. Under Add from the gallery search for “Palo Alto - Global Protect”
  5. Select “Palo Alto - Global Protect” from the search results

After adding the application, you will be taken to the Getting Started page for Palo Alto - Global Protect.

Configure SSO for Palo Alto - Global Protect

  1. Select Configure single sign-on (required)
  2. Select SAML as the SSO method
  3. Click the edit button for Basic SAML Configuration
  4. Enter https://<your-paloalto-hostname>:443/SAML20/SP for the Identifier (Entity ID)
  5. Enter https://<your-paloalto-hostname>:443/SAML20/ACS for the Reply URL (Assertion Consumer Service URL)
  6. Enter https://<your-paloalto-hostname>/ for the Sign on URL
  7. Click “Save” at the top

Download the Federation Metadata XML

  1. Under SAML Signing Certificate next to Federation Metadata XML click “Download”
  2. Save this file for later. It will need to be uploaded to Palo Alto.

Configuring SAML in Palo Alto

  1. Log in to the Palo Alto Administrative UI
  2. Go to Device > Server Profiles > SAML Identity Provider and click “Import”
  3. Enter a Profile Name for the SAML Identity Provider Server Profile
  4. Next to Identity Provider Metadata click “Browse…” and select the downloaded metadata file from above
  5. Uncheck Validate Identity Provider Certificate
  6. Click “OK”
  7. Go to Device > Authentication Profile and click “Add”
  8. Enter a Name for the Authentication Profile
  9. For Type select SAML
  10. Select the IdP Server Profile created above
  11. Select a certificate for Certificate for Signing Requests. For more information on creating a certificate in Palo Alto, see the Palo Alto documentation
  12. Go to the Advanced tab
  13. In the Allow List add one or more groups that will be allowed to use this Authentication Profile. If you are unsure of what to enter, use “all”

Configure Global Protect

  1. Go to Network > GlobalProtect > Portals
  2. Select the portal you want to use with Trusona
  3. Go to the Authentication tab
  4. Under Client Authentication, click “Add”
  5. Enter a Name and select the Authentication Profile created previously
  6. Go to the Agent tab
  7. Select your Agent Config from the list
  8. Ensure Generate cookie for authentication override is set.
  9. Select a Certificate to Encrypt/Decrypt Cookie
  10. Click “OK”
  11. Click “OK”

Finally, we apply the Authentication Profile to the GlobalProtect Gateway:

  1. Go to Network > GlobalProtect > Gateways
  2. Select the gateway you want to use with Trusona
  3. Go to the Authentication tab
  4. Under Client Authentication, click “Add”
  5. Enter a Name and select the Authentication Profile created previously
  6. Go to the Agent tab
  7. Go to the Client Settings tab
  8. Select your Agent Config from the list
  9. Ensure Accept cookie for authentication override is set.
  10. Select the same certificate for Certificate to Encrypt/Decrypt Cookie that was used in the portal above.
  11. Click “OK”
  12. Click “OK”