Online Help

SafeNet Trusted Access for Palo Alto GlobalProtect

Overview

Configuring SafeNet Trusted Access for Palo Alto GlobalProtect is a three-step process:

1. Palo Alto GlobalProtect setup

2. SafeNet Trusted Access setup

3. Verify authentication

Palo Alto GlobalProtect Setup

As a prerequisite, download the Identity Provider metadata from the SafeNet Trusted Access console by clicking the Download metadata file button.

You will need this metadata file in the steps below.

Perform the following steps to configure SafeNet Trusted Access as your Identity Provider in Palo Alto GlobalProtect:

1. Log in to your Palo Alto GlobalProtect management web interface as an administrator using the URL https://<FQDN or IP address of the Management Interface>.

2. On the Palo Alto GlobalProtect management web interface, click the Device tab.

3. In the left pane, click Server Profiles > SAML Identity Provider, and in the right pane, at the bottom, click Import.

4. On the SAML Identity Provider Server Profile Import window, perform the following steps:

a. In the Profile Name field, enter a name for the SAML Identity Provider server profile (for example, safenet).

b. Click Browse to locate and select the metadata file that you downloaded earlier from the SafeNet Trusted Access console.

c. Ensure that the Validate Identity Provider Certificate and Validate Metadata Signature check boxes are not selected.

d. Click OK.

5. The SAML identity provider server profile (for example, safenet) is now listed on the Palo Alto GlobalProtect management web interface. Click the profile.

6. On the SAML Identity Provider Server Profile window, select the Sign SAML Message to IDP check box and click OK.

7. On the Palo Alto GlobalProtect management web interface, in the left pane, click Authentication Profile, and in the right pane, at the bottom, click Add.

8. On the Authentication Profile window, in the Name field, enter a name for the authentication profile (for example, safenet). Then, on the Authentication tab, perform the following steps:

a. In the Type field, select SAML.

b. In the IdP Server Profile field, select the SAML identity provider server profile (for example, safenet) that you created in step 4.

c. In the Certificate for Signing Requests field, select the certificate (for example, certificate) that will be used to sign the SAML requests.

d. Select the Enable Single Logout check box if required.

e. Ensure that username is entered in the Username Attribute field.

9. On the Advanced tab, at the bottom, click Add to add the users and groups that will authenticate using this authentication profile, and then click OK.

Note: If all is selected, all users will be authenticated using this authentication profile.

The authentication profile (for example, safenet) is now listed on the Palo Alto GlobalProtect management web interface.

10. Click the Network tab.

11. In the left pane, click GlobalProtect > Portals, and in the right pane, click the GlobalProtect portal that you want to configure (for example, gprotect).

12. On the GlobalProtect Portal Configuration window, in the left pane, click Authentication, and then in the right pane, in the Authentication Profile column, select the authentication profile (for example, safenet) that you created in step 8.

13. In the left pane, click Clientless VPN, and in the right pane, ensure that Clientless VPN access is selected and configured according to your preferred configuration.

14. Click OK.

15. On the Palo Alto GlobalProtect management web interface, in the top-right corner of the window, click Commit.

16. On the Commit window, at the bottom, click Commit.

17. On the Commit Status window, click Close.

Obtaining Metadata

Perform the following steps to obtain the Palo Alto GlobalProtect metadata:

1. On the Palo Alto GlobalProtect management web interface, click the Device tab.

2. In the left pane, click Authentication Profile.

3. In the right pane, select your authentication profile (for example, safenet), and then in the Authentication column, click Metadata.

4. On the SAML Metadata Export window, complete the following fields:

Service
    Select the service (for example, global-protect) for which you want to export the SAML metadata.

Virtual System
    Select the virtual system (for example, vsys1) in which the GlobalProtect portal is defined.

IP or Hostname
    Select the hostname or IP address of the GlobalProtect portal.

Note: If you enter a hostname, the DNS server must contain an address (A) record that maps the hostname to the portal's IP address.

5. Click OK. The metadata file is downloaded automatically to your local machine.

Obtaining Signing Certificate

1. On the Palo Alto GlobalProtect management web interface, click the Device tab.

2. In the left pane, click Certificate Management > Certificates.

3. In the right pane, select the certificate (for example, certificate) that you use for signing the SAML requests.

4. At the bottom, click Export.

SafeNet Trusted Access Setup

After completing the first step (configuring SafeNet Trusted Access in Palo Alto GlobalProtect), the second step is to activate the Palo Alto GlobalProtect application in SafeNet Trusted Access by performing the following steps:

1. In the Applications pane, the Palo Alto GlobalProtect application that you added previously is in an inactive state by default. To configure and activate this application, click the application (for example, Palo Alto GlobalProtect) and proceed to the next step.

2. Under STA Setup, complete the following fields (each field name is followed by the value to be set):

ENTITY ID
    Enter the entityID attribute of the EntityDescriptor tag in the Palo Alto GlobalProtect metadata that you downloaded earlier in the Obtaining Metadata section. For example:
    <md:EntityDescriptor entityID="https://10.164.45.130:443/SAML20/SP" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

SINGLE LOGOUT URL
    Enter the Location URL of the SingleLogoutService tag in the Palo Alto GlobalProtect metadata that you downloaded earlier in the Obtaining Metadata section. For example:
    <md:SingleLogoutService Location="https://10.164.45.130:443/SAML20/SP/SLO" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="0"/>

ASSERTION CONSUMER SERVICE URL
    Enter the Location URL of the AssertionConsumerService tag in the Palo Alto GlobalProtect metadata that you downloaded earlier in the Obtaining Metadata section. For example:
    <md:AssertionConsumerService Location="https://10.164.45.130:443/SAML20/SP/ACS" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="0"/>

SIGNING CERTIFICATE
    Click Choose File to locate and select the signing certificate that you downloaded earlier in the Obtaining Signing Certificate section.

NAME ID
    Ensure that SAS User ID is selected, as required by Palo Alto GlobalProtect.

username
    Ensure that SAS User ID is selected, as required by Palo Alto GlobalProtect.


3. Under User Portal Settings, in the SERVICE LOGIN URL field, enter the GlobalProtect portal URL (for example, https://<hostname or IP address of the GlobalProtect portal>).

4. Click Save Configuration to save the details and activate the Palo Alto GlobalProtect application in SafeNet Trusted Access.
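The following Python script is an added example, not part of this help page and not code from SafeNet Trusted Access or Palo Alto Networks. It extracts the step 2 values (entityID, and the HTTP-POST SingleLogoutService and AssertionConsumerService locations) from the GlobalProtect metadata file downloaded in the Obtaining Metadata section, and prints a SHA-256 fingerprint of the signing certificate embedded in that metadata so it can be compared against the certificate exported in the Obtaining Signing Certificate section before it is uploaded to STA. The embedded metadata is a constructed sample that reuses the page's example URLs; its KeyDescriptor element and certificate blob are assumptions for illustration (a placeholder, not a real certificate or real PAN-OS output).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder standing in for DER certificate bytes; NOT a real certificate.
PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_DER).decode()

# Constructed sample SP metadata. The entityID, SLO and ACS values mirror the help
# page's examples; the KeyDescriptor block is an assumption added for illustration.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor entityID="https://10.164.45.130:443/SAML20/SP"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Location="https://10.164.45.130:443/SAML20/SP/SLO"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="0"/>
    <md:AssertionConsumerService Location="https://10.164.45.130:443/SAML20/SP/ACS"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 fingerprint (colon-separated uppercase hex) of a base64 DER certificate."""
    der = base64.b64decode("".join(b64_der.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def extract_sta_fields(metadata_xml: str) -> dict:
    """Pull the values STA asks for out of SP metadata, refusing ambiguous input."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")

    def post_location(tag: str) -> str:
        # Select the HTTP-POST endpoint explicitly (the binding STA's examples use)
        # rather than the first endpoint listed, in case several bindings are present.
        hits = [e.get("Location") for e in sp.findall(f"md:{tag}", NS)
                if e.get("Binding") == HTTP_POST]
        if len(hits) != 1:
            raise ValueError(f"expected exactly one HTTP-POST {tag}, found {len(hits)}")
        if not hits[0].startswith("https://"):
            # Assertions and logout messages carry identity; never accept a plaintext endpoint.
            raise ValueError(f"{tag} Location is not HTTPS: {hits[0]}")
        return hits[0]

    # The signing KeyDescriptor holds the certificate PAN-OS uses to sign AuthnRequests
    # (a KeyDescriptor without a 'use' attribute covers both signing and encryption).
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for kd in sp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")]
    certs = [c for c in certs if c]
    if len(certs) != 1:
        raise ValueError(f"expected exactly one signing certificate, found {len(certs)}")

    return {
        "ENTITY ID": entity_id,
        "SINGLE LOGOUT URL": post_location("SingleLogoutService"),
        "ASSERTION CONSUMER SERVICE URL": post_location("AssertionConsumerService"),
        "SIGNING CERTIFICATE SHA256": cert_fingerprint(certs[0]),
        "AuthnRequestsSigned": sp.get("AuthnRequestsSigned") == "true",
    }


if __name__ == "__main__":
    for field, value in extract_sta_fields(SAMPLE_SP_METADATA).items():
        print(f"{field}: {value}")
```

To run it against the real file, replace SAMPLE_SP_METADATA with the contents of the metadata downloaded in step 5 of Obtaining Metadata. The printed fingerprint can be compared with the output of `openssl x509 -in <exported certificate> -noout -fingerprint -sha256` for the certificate exported in Obtaining Signing Certificate; a mismatch means the certificate selected in step 8c of the Palo Alto GlobalProtect setup is not the one being uploaded to STA.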

Verify Authentication

Using STA Console

Navigate to the Palo Alto GlobalProtect URL. You are redirected to the SafeNet Trusted Access sign-in page. Enter your primary directory login credentials and approve the two-factor authentication prompt; after authentication you are redirected to the Palo Alto GlobalProtect portal.

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. The dashboard lists the applications to which you have access. Click the Palo Alto GlobalProtect application icon; after authentication you are redirected to the Palo Alto GlobalProtect portal.

 

© 2018 SafeNet Trusted Access. Various trademarks held by their respective owners.