PAN Global Protect and Trusona Integration Guide

Integrating Trusona with Palo Alto's Global Protect using SAML

1. Introduction

Global Protect is a VPN solution from Palo Alto Networks and can be integrated directly with Trusona using our SAML Gateway. This guide will walk you through configuring Global Protect and a Trusona SAML Integration using our Dashboard.

2. Prerequisites

Before starting, ensure you have access to:

  1. The Palo Alto admin portal
  2. The Trusona Dashboard

You can get access to the Trusona Dashboard by visiting dashboard.trusona.com and signing up with your Trusona mobile app.

3. Create the Trusona SAML Integration

  1. Log into your Trusona account at dashboard.trusona.com
  2. Locate the navigation bar on the left side of the main page, and click on the Generic SAML tab
  3. Click on the Create button
  4. Enter a meaningful Name for the integration. For example, “Global Protect Integration”
  5. Click on the Save button
  6. Find the integration you just created in the list of SAML Integrations
  7. Click the Actions dropdown and click View metadata XML
  8. Save this file to your computer. You will need to upload it to Palo Alto later.

4. Request Beta Access

This integration requires a beta feature of Trusona. Before continuing, please contact Trusona Support to get access to the required features by using the Contact Us button in the upper right hand corner.

5. Configure SAML in Palo Alto

Log into your Palo Alto admin console and follow the steps below to configure the SAML components of the integration. If needed, reference the Configure SAML Authentication section of the Palo Alto documentation.

5.1. Create a SAML signing certificate

  1. Go to the Device tab
  2. Under Certificate Management select Certificates
  3. In the bottom bar, click Generate
  4. For Certificate Name enter “saml-signing”
  5. For Common Name enter the FQDN of the Global Protect Portal.
  6. Click the dropdown for Signed by and select “GlobalProtect_CA”
  7. In the Cryptographic Settings section:
     • If using RSA, ensure Number of bits is at least 2048
     • If using Elliptic Curve DSA, ensure Number of bits is at least 256
     • Ensure Digest is set to “sha256”
  8. Select the checkbox next to the certificate you just created
  9. In the bottom bar, click Export Certificate
  10. Click OK. The downloaded certificate will be uploaded to the Trusona Dashboard in a later step.

5.2. Create the SAML Identity Provider

  1. Go to the Device tab
  2. In the left hand navigation panel, under Server Profiles, click SAML Identity Provider
  3. In the bottom bar, click Import
  4. For Profile name enter “trusona”
  5. For Identity Provider Metadata click Browse and select the metadata XML saved previously.
  6. Ensure Validate Identity Provider Certificate is unchecked.
  7. Click OK

5.3. Configure an Authentication profile

  1. Go to the Device tab
  2. Select Authentication Profile and then Add
  3. For a Name enter “trusona-saml”
  4. For Type select “SAML”
  5. Select the IdP Server Profile created above (“trusona”) from the dropdown
  6. Use the dropdown for Certificate for Signing Requests to select the signing certificate created above (“saml-signing”)
  7. Select the Advanced tab and Add the users and groups that are allowed to authenticate via Trusona.

6. Finish SAML Configuration of Trusona

  1. Log into your Trusona account at dashboard.trusona.com
  2. Locate the navigation bar on the left side of the main page, and click on the Generic SAML tab
  3. Click the Action button, then Edit for the SAML Integration created earlier
  4. Upload the SAML signing certificate created earlier and downloaded from Palo Alto
  5. Click Save

7. Importing Palo Alto Users to Trusona

To grant Trusona users access to authenticate to Palo Alto, and to ensure user information is correctly presented to Palo Alto, you will need to use the Import Accounts feature to associate Trusona users with users of your Palo Alto Global Protect VPN.

7.1. Create CSV

The first step is to create a CSV mapping Palo Alto usernames to Trusona users' email addresses. You can use the following template to get started:

username,email
username1,user1@example.com
username2,user2@example.com
username3,user3@example.com

Copy the above to a new CSV file, and then for each user you want to grant access to, add a line to the CSV with their Palo Alto username as the first column, and the email address of their Trusona account as the second column.

7.2. Import the Accounts

  1. Log into your Trusona account at dashboard.trusona.com
  2. Locate the navigation bar on the left side of the main page, and click on the Generic SAML tab
  3. Click the Action button, then Import Accounts for the SAML Integration created earlier
  4. Click Choose File and select the CSV created in the previous step
  5. Click Import Account CSV

Each time you import a set of Accounts, the Dashboard will show what actions it took for each line in the CSV. The possible outcomes are:

  • Added - The account was added for the Trusona user. This means that this user is ready to authenticate
  • Updated - An account already existed for this Trusona user and its username was updated to the value in this CSV
  • Error - Trusona User Not Found - There is no Trusona account for this email address. Ensure the user has downloaded our mobile app and registered their email and then try again.
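The Dashboard performs the lookup and reports the outcomes above only after the CSV has been uploaded. As an added example (not part of this guide or of Trusona's tooling), the following Python script checks the mapping CSV for malformed rows and duplicate usernames or email addresses before upload, then previews the outcome each clean row would receive. Because only the Dashboard knows which email addresses belong to registered Trusona users and which already have an account in the integration, the script takes constructed stand-ins for both; the sample CSV rows are likewise constructed and include two deliberately bad rows.

```python
"""Validate the username,email mapping CSV and preview import outcomes.
Standard library only."""
import csv
import io
import re

# Constructed sample in the template's format, with two deliberately bad rows.
SAMPLE_CSV = """username,email
username1,user1@example.com
username2,user2@example.com
username3,user3@example.com
username1,dup@example.com
bad user,not-an-email
"""

# Constructed stand-ins for data only the Trusona Dashboard really holds:
# email addresses of registered Trusona users, and addresses that already
# have an account in this integration (email -> current username).
TRUSONA_USERS = {"user1@example.com", "user2@example.com", "dup@example.com"}
EXISTING_ACCOUNTS = {"user2@example.com": "old-username2"}

# Deliberately simple shape check; the Dashboard is the authority on validity.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

ERROR_NOT_FOUND = "Error - Trusona User Not Found"


def validate_rows(csv_text):
    """Return (clean_rows, problems).

    clean_rows is a list of (username, email) tuples safe to upload;
    problems is a list of (csv_line_number, message) for rows that were skipped.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames != ["username", "email"]:
        raise ValueError("header must be exactly: username,email")
    clean, problems = [], []
    seen_usernames, seen_emails = set(), set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        username = (row.get("username") or "").strip()
        email = (row.get("email") or "").strip().lower()
        row_problems = []
        if not username or any(ch.isspace() for ch in username):
            row_problems.append("invalid username %r" % username)
        if not EMAIL_RE.match(email):
            row_problems.append("invalid email %r" % email)
        if username in seen_usernames:
            row_problems.append("duplicate username %r" % username)
        if email in seen_emails:
            row_problems.append("duplicate email %r" % email)
        seen_usernames.add(username)
        seen_emails.add(email)
        if row_problems:
            problems.extend((line_no, msg) for msg in row_problems)
        else:
            clean.append((username, email))
    return clean, problems


def preview_import(rows, trusona_users, existing_accounts):
    """Map each clean row to the outcome the Dashboard reports for it:
    Added, Updated, or Error - Trusona User Not Found."""
    outcomes = []
    for username, email in rows:
        if email not in trusona_users:
            outcomes.append((username, email, ERROR_NOT_FOUND))
        elif email in existing_accounts:
            outcomes.append((username, email, "Updated"))
        else:
            outcomes.append((username, email, "Added"))
    return outcomes


if __name__ == "__main__":
    rows, problems = validate_rows(SAMPLE_CSV)
    for line_no, message in problems:
        print("line %d skipped: %s" % (line_no, message))
    for username, email, outcome in preview_import(rows, TRUSONA_USERS, EXISTING_ACCOUNTS):
        print("%s -> %s: %s" % (username, email, outcome))
```

Rows the script skips are exactly the ones worth fixing before upload: a Palo Alto username mapped to two Trusona accounts is ambiguous for the SAML assertion, and a row the Dashboard would report as Trusona User Not Found usually means the user has not yet registered that email address in the mobile app.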

8. Configure Global Protect to use Trusona

  1. Log into the Palo Alto admin console.
  2. Go to the Network tab
  3. Under Global Protect select Portals
  4. Select the Global Protect portal you want to protect with Trusona.
  5. Go to the Authentication tab
  6. Under Client Authentication click Add
  7. For Name enter “trusona”
  8. For Authentication Profile select the SAML authentication profile created previously (“trusona-saml”)
  9. Click OK
  10. Repeat the above steps for any Global Protect Gateways you want to protect with Trusona.

9. Troubleshooting

9.1. Users being prompted to authenticate with Trusona twice

If you find users are being prompted to authenticate to Trusona twice, it is because both the Portal and Gateway authenticate the user independently. In order to avoid this, you can configure authentication override settings on the Portal and Gateway by doing the following.

9.1.1. Portal Configuration

  1. Log into the Palo Alto admin console.
  2. Go to the Network tab
  3. Under Global Protect select Portals
  4. Select the portal being protected with Trusona.
  5. Add an agent config or select an existing one
  6. Select Generate cookie for authentication override

9.1.2. Gateway Configuration

  1. Log into the Palo Alto admin console.
  2. Go to the Network tab
  3. Under Global Protect select Gateways
  4. Select the gateway(s) being protected with Trusona.
  5. Select Client Settings, then select a client config, or create a new one
  6. Select Authentication Override
  7. Select Accept cookie for authentication override
