PAN Global Protect and Trusona Integration Guide

Integrating Trusona with Palo Alto's Global Protect

Introduction

Global Protect is a VPN solution from Palo Alto Networks and can be integrated with Trusona to provide either a passwordless login experience, or a secure additional factor when authenticating with usernames and passwords. A passwordless primary login experience can be accomplished with the use of SAML and a Single Sign-On (SSO) solution that is integrated with Trusona. In this guide, we will show how this can be accomplished using Active Directory Federation Services (ADFS). Alternatively, with the use of the Trusona RADIUS Appliance, you can authenticate users against Active Directory via LDAP, and use Trusona as a secondary factor in one integration.

Primary authentication with Trusona

Primary authentication with Trusona can be achieved by integrating Palo Alto Global Protect via SAML with an SSO solution that supports Trusona. When configured in this manner, users will see our Trusona Gateway page when logging in to the Global Protect client. There they will be presented with a QR code that they will scan with their Trusona app. After scanning, a challenge will be issued to the phone for authentication. The users will also have the option to be remembered by the gateway so they can skip the QR code scan and immediately receive the push notification.

Authentication Flow

The following diagram illustrates the authentication flow when Trusona is used for primary authentication in Global Protect. In the diagram, Active Directory Federation Services (ADFS) is used as the SSO solution that integrates with Trusona.

Figure 1. Primary authentication flow with Trusona

Configuring Global Protect with ADFS and Trusona

The following products and services were used to create this guide:

  • Windows Server 2018
  • Active Directory and ADFS 2016
  • Palo Alto VM-Series running PAN-OS 9.0.0

Before you start, make sure you have received your SAML Metadata URL from Trusona. You will need this to complete the setup.

First, follow the steps below to configure ADFS with Trusona:

Install and configure ADFS

Refer to the deployment guide for detailed instructions.

Save the provided metadata XML

Browse to the SAML Metadata URL provided by Trusona and save it to your local machine.

Configure Trusona as a Claims Provider Trust

  1. In the ADFS Management console, go to AD FS > Claims Provider Trust
  2. In the Action menu, select Add Claims Provider Trust
  3. Click “Start”
  4. Select Import data about the claims provider from a file
  5. Click “Browse” and select the Trusona Metadata file downloaded above.
  6. Click “Next”
  7. Enter a Display Name and click “Next”
  8. Complete the wizard by clicking “Next” then “Close”

Configure sending of Assertion Consumer URL

Using PowerShell, configure ADFS to send the Assertion Consumer URL in the SAML request to Trusona with the following command:

Get-AdfsClaimsProviderTrust -Identifier 'https://gateway.trusona.net/saml/metadata' | Set-AdfsClaimsProviderTrust -SamlAuthenticationRequestParameters Url

Create Claim Rule “Pass all Trusona Claims”

  1. Right click on the created Claims Provider Trust and select Edit Claim Rules.
  2. Click “Add Rule…”
  3. For Claims rule template select “Send Claims Using a Custom Rule”
  4. Click “Next”
  5. Set Claim rule name to “Pass all Trusona claims”
  6. Enter the following for Custom Rule:
    c:[] => issue(claim = c);
    
  7. Click “Finish”

Create Claims Rule “Resolve AD Attributes”

  1. Right click on the created Claims Provider Trust and select Edit Claim Rules.
  2. Click “Add Rule…”
  3. For Claims rule template select “Send Claims Using a Custom Rule”
  4. Click “Next”
  5. Set Claim rule name to “Resolve AD Attributes”
  6. Enter the following for Custom Rule:
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
    => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "temp:samaccountname", "http://schemas.xmlsoap.org/claims/Group"), query = "mail={0};userPrincipalName,sAMAccountName,tokenGroups; DOMAIN\adfsmsa", param = c.Value);
    
  7. In the Custom Rule replace DOMAIN in the DOMAIN\adfsmsa with the name of your AD Domain.
  8. Click “Finish”

Create a Claims Rule to prepend the username with the AD domain

  1. Right click on the created Claims Provider Trust and select Edit Claim Rules.
  2. Click “Add Rule…”
  3. For Claims rule template select “Send Claims Using a Custom Rule”
  4. Click “Next”
  5. Set Claim rule name to “Transform WindowsAccountName”
  6. Enter the following for Custom Rule:
    c:[Type == "temp:samaccountname"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value = "DOMAIN\" + c.Value);
    
  7. In the Custom Rule replace DOMAIN in the DOMAIN\ with the name of your AD Domain.
  8. Click “Finish”
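The Claims Provider Trust settings above (the Assertion Consumer URL parameter and the three custom claim rules) can also be applied in a single PowerShell session instead of through the wizard. The following is an added example, not part of the Trusona guide: it assumes the trust has already been imported from the Trusona metadata with the identifier shown earlier, that the script runs on the ADFS server with ADFS administrator rights, and that `$domain` is set to your AD domain name (the guide's `DOMAIN` placeholder).

```powershell
# Added example: apply the Trusona claims-provider-trust settings from PowerShell.
# Assumes: run on the ADFS server with ADFS admin rights, and the trust was already
# imported from the Trusona metadata. $domain replaces the guide's DOMAIN placeholder.
Import-Module ADFS

$trustId = 'https://gateway.trusona.net/saml/metadata'   # identifier of the imported Trusona trust
$domain  = 'DOMAIN'                                       # replace with the name of your AD domain

# Acceptance transform rules: the same three rules as the wizard steps, in ADFS claim-rule language.
# Double-quoted here-string so $domain is expanded; the rule text itself contains no other '$'.
$rules = @"
@RuleName = "Pass all Trusona claims"
c:[] => issue(claim = c);

@RuleName = "Resolve AD Attributes"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "temp:samaccountname", "http://schemas.xmlsoap.org/claims/Group"), query = "mail={0};userPrincipalName,sAMAccountName,tokenGroups; $domain\adfsmsa", param = c.Value);

@RuleName = "Transform WindowsAccountName"
c:[Type == "temp:samaccountname"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value = "$domain\" + c.Value);
"@

# Send the Assertion Consumer URL in the SAML request and install the rules in one call.
Get-AdfsClaimsProviderTrust -Identifier $trustId |
    Set-AdfsClaimsProviderTrust -SamlAuthenticationRequestParameters Url -AcceptanceTransformRules $rules

# Verify what ADFS now holds for this trust.
$trust = Get-AdfsClaimsProviderTrust -Identifier $trustId
$trust | Select-Object Name, Identifier, SamlAuthenticationRequestParameters
$trust.AcceptanceTransformRules
```

Because `-AcceptanceTransformRules` replaces the whole rule set, re-running the script is idempotent; if you have added other rules through the console, include them in `$rules` or they will be dropped.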

Download the SAML Metadata for ADFS

  1. In the ADFS Management Console go to Service > Endpoints.
  2. In the list, under Metadata, find the Federation Metadata type URL
  3. Browse to that URL and save the file to your local machine.

Provide the SAML Metadata XML file to Trusona

Complete the integration by providing the SAML metadata XML file to Trusona.

Configuring Global Protect

Now that the Trusona and ADFS integration is complete, we can configure GlobalProtect.

  1. Log into the Palo Alto Administrative UI
  2. Go to Network > Server Profiles > SAML Identity Provider and click “Import”
  3. Enter a Profile Name for the SAML Identity Provider Server Profile
  4. Next to Identity Provider Metadata click “Browse…” and select the downloaded ADFS metadata file from above
  5. Uncheck Validate Identity Provider Certificate
  6. Select the SAML Identity Provider you just created and ensure:
    1. Validate Identity Provider Certificate is unchecked
    2. Sign SAML Message to IDP is checked
  7. Click “OK”
  8. Go to Device > Authentication Profile and click “Add”
  9. Enter a Name for the Authentication Profile
  10. For Type select SAML
  11. Select the IdP Server Profile created above
  12. Select a certificate for Certificate for Signing Requests. For more information on creating a certificate in Palo Alto, see the Palo Alto documentation
  13. Under User Attributes in SAML Messages from IDP configure the following:
    1. Username Attributes: sAMAccountName
    2. Group Attributes: Groups
  14. Go to the Advanced tab
  15. In the Allow List add one or more groups that will be allowed to use this Authentication Profile. If you are unsure of what to enter, use “all”

Configuring the ADFS Relying Party trust

Export the SAML metadata

  1. Go to Device > Authentication Profile
  2. In the Authentication column, click “Metadata” for the Authentication Profile we created above.
  3. For Service select “global-protect”
  4. Select your Virtual System
  5. Select the hostname of your system from the IP or Hostname dropdown.
  6. Click “OK”. This will download a file named <profile>.xml where <profile> is the name of your Authentication Profile.

Import the metadata

Next you’ll need to import the metadata as a Relying Party Trust in ADFS.

  1. Open the ADFS Management Console and go to Relying Party Trusts
  2. In the Action menu select Add Relying Party Trust…
  3. Select Claims aware and click “Start”
  4. Select Enter data about the relying party manually
  5. Enter a meaningful Display Name and any Notes if desired.
  6. Click “Next”
  7. Click “Next”
  8. Check Enable support for the SAML 2.0 WebSSO Protocol
  9. Enter the AssertionConsumerService URL from the exported Palo Alto SAML Metadata as the Relying party SAML 2.0 SSO service URL. It should look like https://<palo-alto-domain>/SAML20/SP/ACS
  10. Click “Next”
  11. Enter the entityID from the exported Palo Alto SAML Metadata as the Relying party trust identifier and click “Add”
  12. Click “Next”
  13. Select Permit everyone and click “Next”
  14. Click “Next” and then “Close” to finish the wizard

Claim Issuance Policy

Finally, you’ll configure the Claim Issuance Policy for the Relying Party Trust that was just created.

  1. Select the Relying Party Trust that was just created, then click Edit Claim Issuance Policy
  2. Click “Add Rule”
  3. Select Send Claims Using a Custom Rule in the Claim rule template dropdown and click “Next”
  4. Enter “Transform Session ID” for the Claim rule name
  5. Enter the following for Custom rule
    c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
     && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
     => add(store = "_OpaqueIdStore", types = ("http://mycompany/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);
    
  6. Click “Finish”
  7. Click “Add Rule”
  8. Select Send Claims Using a Custom Rule in the Claim rule template dropdown and click “Next”
  9. Enter “NameID to Transient Identifier” for the Claim rule name
  10. Enter the following for Custom rule
    c:[Type == "http://mycompany/internal/sessionid"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
    
  11. Click “Finish”
  12. Click “Add Rule”
  13. Select Send Claims Using a Custom Rule in the Claim rule template dropdown and click “Next”
  14. Enter “Send sAMAccountName” for the Claim rule name
  15. Enter the following for Custom rule
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
     => issue(Type = "sAMAccountName", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
    
  16. Click “Finish”
  17. Click “Add Rule”
  18. Select Send Claims Using a Custom Rule in the Claim rule template dropdown and click “Next”
  19. Enter “Send Group Membership” for the Claim rule name
  20. Enter the following for Custom rule
    c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
     => issue(Type = "Groups", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
    
  21. Click “Finish”
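The Relying Party Trust and its Claim Issuance Policy (the two procedures above) can also be created from PowerShell, reading the entityID and AssertionConsumerService URL straight out of the metadata file exported from the Palo Alto Authentication Profile rather than retyping them. This is an added example, not from the Trusona guide: it assumes ADFS on Windows Server 2016 (so the "Permit everyone" access control policy exists), that the script runs on the ADFS server with administrator rights, and that `$metadataPath` points at the `<profile>.xml` file downloaded in the export step (the path shown is a placeholder).

```powershell
# Added example: create the GlobalProtect relying party trust in ADFS from the exported SP metadata.
# Assumes: run on the ADFS server (Windows Server 2016) with admin rights;
# $metadataPath is the <profile>.xml downloaded from Device > Authentication Profile > Metadata.
Import-Module ADFS

$metadataPath = 'C:\Temp\GlobalProtect.xml'   # placeholder: path to the exported Palo Alto metadata
$displayName  = 'Palo Alto GlobalProtect'     # Display Name for the relying party trust

# Extract entityID and the AssertionConsumerService URL from the SP metadata.
# PowerShell's XML adapter addresses elements by local name, so the md: prefix is not needed.
[xml]$md  = Get-Content -Path $metadataPath
$entityId = $md.EntityDescriptor.entityID
$acsUrl   = @($md.EntityDescriptor.SPSSODescriptor.AssertionConsumerService)[0].Location
if (-not $entityId -or -not $acsUrl) {
    throw "entityID or AssertionConsumerService not found in $metadataPath"
}

# The ACS endpoint; expected to look like https://<palo-alto-domain>/SAML20/SP/ACS
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Issuance transform rules: the same four custom rules as the wizard steps.
# Single-quoted here-string: nothing inside is expanded.
$issuanceRules = @'
@RuleName = "Transform Session ID"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
 => add(store = "_OpaqueIdStore", types = ("http://mycompany/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);

@RuleName = "NameID to Transient Identifier"
c:[Type == "http://mycompany/internal/sessionid"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");

@RuleName = "Send sAMAccountName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "sAMAccountName", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

@RuleName = "Send Group Membership"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(Type = "Groups", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# Create the trust: SAML 2.0 WebSSO endpoint, identifier from the metadata, "Permit everyone" policy.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $entityId `
    -SamlEndpoint $acsEndpoint `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $issuanceRules

# Verify the trust and the rules ADFS stored for it.
$rp = Get-AdfsRelyingPartyTrust -Name $displayName
$rp | Select-Object Name, Identifier, Enabled, AccessControlPolicyName
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
$rp.IssuanceTransformRules
```

The metadata file may list several AssertionConsumerService entries; the example takes the first, which is the one the guide tells you to enter, so check the printed `SamlEndpoints` against the URL form given in the export step before testing a login.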

Final Global Protect setup

The ADFS configuration is complete, and we can return to Palo Alto to finish the setup.

  1. Go to Network > GlobalProtect > Portals
  2. Select the portal you want to use with Trusona
  3. Go to the Authentication tab
  4. Under Client Authentication, click “Add”
  5. Enter a Name and select the Authentication Profile created previously
  6. Go to the Agent tab
  7. Select your Agent Config from the list
  8. Ensure Generate cookie for authentication override is set.
  9. Select a Certificate to Encrypt/Decrypt Cookie
  10. Click “OK”
  11. Click “OK”

Finally, we apply the Authentication Profile to the GlobalProtect Gateway:

  1. Go to Network > GlobalProtect > Gateways
  2. Select the gateway you want to use with Trusona
  3. Go to the Authentication tab
  4. Under Client Authentication, click “Add”
  5. Enter a Name and select the Authentication Profile created previously
  6. Go to the Agent tab
  7. Go to the Client Settings tab
  8. Select your Agent Config from the list
  9. Ensure Accept cookie for authentication override is set.
  10. Select the same certificate for Certificate to Encrypt/Decrypt Cookie that was used in the portal above.
  11. Click “OK”
  12. Click “OK”

Now you can log into Palo Alto Global Protect using Trusona!

Secondary Authentication with Trusona

If you are looking for a way to add a secure additional factor of authentication to Global Protect, you can use Trusona’s RADIUS Appliance with its LDAP mode to authenticate users against Active Directory and Trusona. With this setup, users will enter their AD credentials into the Global Protect client, and then receive a challenge on their mobile device that they must complete with the Trusona app before being authenticated.

Authentication flow

The following diagram illustrates the authentication flow when using Trusona as a secondary factor along with username and password.

Figure 2. Secondary authentication flow with Trusona

Configuring Global Protect with Trusona RADIUS

The following products and services were used to create this guide:

  • Windows Server 2018
  • Active Directory 2018
  • Palo Alto VM-Series running PAN-OS 8.1.0
  • Trusona RADIUS Appliance v1.0.0

Before you begin, make sure you have received the following items from Trusona:

  • Trusona RADIUS Appliance OVA Template
  • Trusona RADIUS Appliance Installation Guide
  • Trusona API Token and Secret

First, set up the Trusona RADIUS Appliance:

  1. Deploy the OVA template into your virtual environment, following the instructions for your virtualization solution.
  2. Follow the Quick Start guide in the Trusona RADIUS Appliance Installation Guide. This will include configuring networking and the RADIUS service on the appliance. You will need your Trusona API Token and Secret.
  3. Configure the Trusona RADIUS Appliance for LDAP Mode by following the setup instructions under LDAP Mode in the Trusona RADIUS Appliance Installation Guide.

Then, in Palo Alto, create an Authentication Profile that uses the Trusona RADIUS Appliance:

  1. Log into the Palo Alto Administrative UI
  2. Go to Network > Server Profiles > RADIUS and click “Add”
  3. Enter a Profile Name for the RADIUS Server Profile
  4. Under Server Settings configure the following values:
    1. Timeout (sec): 90
    2. Retries: 1
    3. Authentication Protocol: PAP
  5. Under Servers click “Add”, then configure the following values:
    1. Name: TrusonaRadius
    2. RADIUS Server – The IP Address of the Trusona RADIUS Appliance
    3. Secret – The shared secret configured in the Trusona RADIUS Appliance
    4. Port – 1812
  6. Click “OK”
  7. Go to Device > Authentication Profile and click “Add”
  8. Enter a Name for the Authentication Profile
  9. For Type select RADIUS
  10. Select the Server Profile created above.
  11. Go to the Advanced tab
  12. In the Allow List add one or more groups that will be allowed to use this Authentication Profile. If you are unsure of what to enter, use “all”

Now that we have an Authentication Profile configured, we can apply it to our Portal:

  1. Go to Network > GlobalProtect > Portals
  2. Select the portal you want to use with Trusona
  3. Go to the Authentication tab
  4. Under Client Authentication, click “Add”
  5. Enter a Name and select the Authentication Profile created previously
  6. Go to the Agent tab
  7. Select your Agent Config from the list
  8. Ensure Generate cookie for authentication override is set.
  9. Select a Certificate to Encrypt/Decrypt Cookie
  10. Click “OK”
  11. Click “OK”

Finally, we apply the Authentication Profile to the GlobalProtect Gateway:

  1. Go to Network > GlobalProtect > Gateways
  2. Select the gateway you want to use with Trusona
  3. Go to the Authentication tab
  4. Under Client Authentication, click “Add”
  5. Enter a Name and select the Authentication Profile created previously
  6. Go to the Agent tab
  7. Go to the Client Settings tab
  8. Select your Agent Config from the list
  9. Ensure Accept cookie for authentication override is set.
  10. Select the same certificate for Certificate to Encrypt/Decrypt Cookie that was used in the portal above.
  11. Click “OK”
  12. Click “OK”