Palo Alto VeridiumID Saml integration

We’ve managed to configure a successful integration between VeridiumID 3.2 version and Palo Alto v10.2.2. SAML authentication is working both at Palo Alto admin dashboard level and at Global Protect (VPN) level.

The configuration procedure is described below:

Import idp signing certificate

This step is applies to both admin dashboard access and VPN access procedures.

  1. In order to import the idp signing certificate, access the Device->Certificates->Device certificates menu, and click on Import in the bottom part of the page:

image-20220831-120222.png

2. Assign a name for the certificate enrty, import the certificate and the private key and set an import passphrase:

image-20220831-120548.png

3. Click on Ok to finish the import process.

Admin dashboard SAML integration

  1. Define the idp inside the PaloAlto admin interface by accessing Device->Server profiles->SAML Identity Provider menu and click on Import:

    image-20220831-121305.png

2. Assign a name, select the VeridiumID metadata file and click on OK.

image-20220831-121707.png

3. Review the settings by clicking on the newly defined idp and make sure the binding methods are correct. If not, change them accordingly:

image-20220831-122333.png

4. Next you’ll have to create an authentication profile. For this, access the Device->Authentication profile menu and click on Add to add a new one:

image-20220831-124423.png

5. Set the type as SAML, assign a name, select the imported idp signing certificate in the Certificate for signing requests field and then select a certificate profile (or create one). In order to avoid trust related errors on clients, you can use a non self-signed certificate for this step. Click Ok to finish.

For testing purposes, under the Advanced tab we chose All:

image-20220831-144741.png

6. You can extract the admin dashboard service provider metadata at this point. In the Authentication profile list click on the metadata link corresponding the the profile created at step 5:

image-20220831-125401.png

7. Select management as service, then IP or hostname in the Type section and fill in the correct ip or hostname value:

image-20220831-130248.png

Click OK to save the metadata file.

8. Access the Veridiumid admin dashboard and create a new SAML application as follows:

image-20220831-130629.png

9. Go back to Palo Alto admin dashboard and access the Device->Setup->Management menu. Click on the gear icon next to Authentication settings section:

image-20220831-131709.png

10. Select the authentication profile created at step 4, select or create a certificate profile, then click OK to save:

image-20220831-132926.png

11. Create an admin account by accessing the Device->Administrators menu. The name must be the same as the username provided by the SAML idp. Also, you must select the authentication profile created at step 4 and also Device administrator under Administrator Type section:

image-20220831-134431.png

12. Commit all the changes by clicking the Commit button in the upper right corner. Next time you will access the admin dashboard, a Use Single Sign-On link should appear in the login window:

image-20220831-134757.png

Click on it, then enter the admin username created at step 11 and click on Continue:

image-20220831-134859.png

Follow the on-screen instructions to finish the authentication process.


Global Protect (VPN) SAML integration


  1. The first two steps are the same (aside from assigning a different name to the idp definition).

  2. On the idp definition part, configure the options like in the below example:

    image-20220831-142611.png

Notice that the Identity Provider SSO URL corresponds to the Shibboleth Redirect endpoint and, also, the binding method needs to be Redirect.

3. Next you’ll have to create an authentication profile. For this, access the Device->Authentication profile menu and click on Add to add a new one:

image-20220831-143327.png

4. Set the type as SAML, assign a name, select the imported idp signing certificate in the Certificate for signing requests field and then select a certificate profile (or create one). Click Ok to finish:

image-20220831-143526.png

For testing purposes, under the Advanced tab we chose All:

image-20220831-144741.png

5. You can extract the admin dashboard service provider metadata at this point. In the Authentication profile list click on the metadata link corresponding the the profile created at step 4:

image-20220831-145416.png

6. Select the ip address of the interfarce associated to the vpn and click Ok:

image-20220831-150758.png

7. Go to VeridiumID dashboard and create a SAML application for GlobalProtect using the metadata file obtained at the previous step as follows:

image-20220831-150957.png

8. Next you’ll have to add a new Gateway for VPN purporses. For this, access the Network->Gateways menu and click on Add to add a new Gateway:

image-20220831-152830.png

9. In the General tab, set a name, Interface for client connection and an ipv4 address:

image-20220901-101716.png

10. In the Authentication tab, select a SSL/TLS Service Profile. It is recommended to use a certificate issued from a trusted CA, otherwise client connection will fail. Select also a Certificate profile (idp signing certificate) and add a new Client authentication setting by clicking on Add:

image-20220901-102254.png

11. Set a Name, Authentication Profile (created at step 3) and select Yes in the Allow Authentication with Credentials OR Client Certificate:

image-20220901-102415.png

Click OK to save the settings.

12. Under the Agent tab, in the Tunnel Settings section, enable Tunnel Mode:

image-20220901-103219.png

13. In the Client Settings tab click on Add to add a new config:

image-20220901-103328.png

14. For testing purposes we have chosen Any for SOURCE USER and OS:

image-20220901-103734.png

15. Configure a client IP Pool from the IP Pools tab:

image-20220901-103822.png

16. [Optional] enable Split Tunnel:

image-20220901-103939.png

and configure a DNS server to be assigned to the client:

image-20220901-104017.png

Click on OK to save, then click again on Ok to save the Gateway definition and commit the changes.

17. To allow user to download the vpn client from the server, you can configure a captive portal by accessing the Network->GlobalProtect->Portals menu and click on Add:

image-20220901-104412.png

18. Under the General tab, set a Name, an Interface on which the portal will listen and an IPv4 Address:

image-20220901-104625.png

19. For the Authentication part, repeat step 10.

20. Under the Agent tab click on Add to add a new Agent config:

image-20220901-105144.png

21. Set a Name in the Authentication tab:

image-20220901-105305.png

22. For testing purposes, select Any in the Config Selection Criteria/ User/User Group section:

image-20220901-105419.png

23. Configure a new Internal Gateway by clicking Add in the Internal Gateways section:

image-20220901-105540.png

24. Set a Name and the ip address of the internal gateway:

image-20220901-105755.png

Click OK to save the settings and commit the modifications at OS level.

25. Test the settings:

  • Upon accessing the portal at https://<portal_address> you should be redirected to the IDP single sign on page. If the authentication is successful, you should be able to download the cGlobalProtect client:

    image-20220901-110215.png
  • Upon connecting using GlobalProtect client, you should also be redirected to the idp single sign=on page:

    image-20220901-110348.png

If all goes well, you should see a successful connection message from GlobalProtect:

image-20220901-110711.png


VID Configuration

image-20230310-151515.png

VID Metadata example for Palo Alto

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://10.2.3.110:443/SAML20/SP">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
MIIDtjCCAp4CCQCWxMlGiWgqJjANBgkqhkiG9w0BAQsFADCBmzELMAkGA1UEBhMC
<<Certificate>>
lmXle9QPJnyuTplyJ+jtNRDtociEDesxBsDexaMwE0R7d3KC12E1Rxv6
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://10.2.3.110:443/SAML20/SP/ACS" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>