GlobalProtect Clientless VPN SAML SSO with Okta

Background:

The goal of this document is to configure SAML SSO with Okta for GlobalProtect Clientless VPN.

Diagram

Service Provider (SP) – Palo Alto Networks Firewall

Identity Provider (IdP) – Okta

Application – GlobalProtect Clientless VPN

Okta Documentation for SAML configuration for GlobalProtect

http://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-GlobalProtect.html

192.168.55.20 – GlobalProtect Portal and Clientless VPN Hostname

Okta – https://dev-824646.oktapreview.com

Application configuration: (Admin > Applications > Add Application)

Search for the Palo Alto Networks GlobalProtect application > Add

Okta Add Application Search

Base URL:

https://GlobalProtectPortalAddress/SAML20/SP/ACS

Okta Application Configuration

Application configuration: (Admin > Applications > Palo Alto Networks - GlobalProtect > Sign On)

Okta Sign On Configuration

Download the IdP metadata to your desktop

Okta Download Metadata

Palo Alto Networks Firewall

Server configuration: (Device tab > Server Profiles > SAML Identity Provider)

Import the Okta metadata

(Note: When the IdP presents a self-signed certificate, you won't be able to enable Validate Identity Provider Certificate. Make sure you are on PAN-OS 8.1.15, 9.0.9, 9.1.3 or later to mitigate exposure to CVE-2020-2021, the SAML authentication bypass that affects profiles with that option disabled: https://security.paloaltonetworks.com/CVE-2020-2021 . Where possible, use an IdP signing certificate issued by a CA the firewall trusts so that the option can be enabled.)
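Added example, not code from this document, Palo Alto Networks or Okta: a stdlib-only Python check to run on the downloaded Okta metadata before importing it. It reports the entityID, the SSO endpoints, the signing certificate's SHA-256 fingerprint, and whether that certificate is self-signed (issuer equals subject), the case the note above describes where Validate Identity Provider Certificate cannot be enabled. The sample metadata, entityID and certificate are constructed (the certificate is a minimal DER skeleton in RFC 5280 field order, not a real certificate); the same issuer/subject comparison works on a real metadata file.

```python
import base64, hashlib, xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _tlv(buf, pos):                      # one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):                    # (tag, value) children of a constructed DER value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def cert_is_self_signed(der):
    """RFC 5280 tbsCertificate order: [0] version?, serial, sigAlg, issuer, validity, subject."""
    fields = _children(_tlv(_tlv(der, 0)[1], 0)[1])      # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                               # drop optional EXPLICIT [0] version
        fields = fields[1:]
    return fields[2] == fields[4]                          # issuer Name == subject Name

def check_idp_metadata(xml_text):
    """Pull out what the PAN-OS SAML IdP profile imports and flag the caveats."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    der = base64.b64decode("".join(cert.text.split()))
    return {"entity_id": root.get("entityID"), "sso": sso,
            "sso_https_only": all(u.startswith("https://") for u in sso.values()),
            "cert_sha256": hashlib.sha256(der).hexdigest(),  # compare out of band with the Okta admin UI
            "self_signed": cert_is_self_signed(der)}         # True -> Validate IdP Certificate cannot be enabled

# Constructed sample input: a minimal DER skeleton in RFC 5280 field order, NOT a real certificate.
def _der(tag, p): return bytes([tag, len(p)]) + p           # short-form lengths only (< 128 bytes)
NAME_OKTA, NAME_CA = _der(0x30, _der(0x0C, b"Okta")), _der(0x30, _der(0x0C, b"Corp CA"))
_ALG = _der(0x30, _der(0x06, b"\x2a\x86\x48"))
def fake_cert(issuer, subject):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _ALG
               + issuer + _der(0x30, b"") + subject)         # version, serial, sigAlg, issuer, validity, subject
    return _der(0x30, tbs + _ALG + _der(0x03, b"\x00"))
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="http://www.okta.com/exkEXAMPLE">
<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{base64.b64encode(fake_cert(NAME_OKTA, NAME_OKTA)).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 Location="https://dev-824646.oktapreview.com/app/example/sso/saml"/></md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Run `check_idp_metadata(open("metadata.xml").read())` on the real download; a `self_signed` result of True means the note's PAN-OS version requirement applies to you.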

PAN-OS SAML IdP Profile 1

PAN-OS SAML IdP Profile 2

Authentication configuration: (Device tab > Authentication Profile)

PAN-OS Authentication Profile

GlobalProtect Portal configuration: (Network tab > GlobalProtect > Portals)

GlobalProtect Portal Authentication = SAML

PAN-OS GlobalProtect Portal Auth

GlobalProtect Clientless VPN Configuration

PAN-OS GlobalProtect Clientless VPN Config

Go to the GlobalProtect Clientless VPN

https://192.168.55.20

The firewall redirects the browser to Okta to authenticate; Okta then sends a SAML assertion back to the firewall.

Okta Login Page

GlobalProtect Clientless VPN Homepage

System Logs: (Monitor tab > System)

PAN-OS System Logs

How to publish the GlobalProtect Clientless VPN app in the user's Okta portal with SSO

We don't support the IdP-initiated workflow. As a workaround, use the Okta Bookmark App.

Application configuration: (Admin > Applications > Add Application)

Search for the Bookmark App > Add

Okta Add Bookmark App

URL: https://GlobalProtectPortalAddress/global-protect/portal/portal.esp

Okta Bookmark App Configuration

Application configuration: (Admin > Applications > Palo Alto Networks - GlobalProtect > General)

Hide the Palo Alto Networks - GlobalProtect SAML application from users

Okta Hide App

Log in to the Okta portal – https://mycompany.okta.com

Okta User Portal 1

Okta User Portal 2