GlobalProtect Single Sign-On (SSO) integration
This topic contains procedures to configure AppName for Single Sign-On (SSO) in CyberArk Identity using SAML.
With CyberArk Identity, you can choose single-sign-on (SSO) access to the application with SP-initiated SAML SSO (for SSO access through the GlobalProtect web application).
AppName SSO supported features
This application template supports the following features:
- SP-initiated SSO
Prerequisites for AppName SSO
Before you configure the GlobalProtect web interface for SSO, you need the following:
- Palo Alto Networks admin user
- Users created for SSO
Configure the AppName app template in the Identity Administration portal
The following procedure describes the steps in the Identity Administration portal needed to configure the AppName app template for SSO.
Step 1: Add the AppName web app template.
- In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.
- On the Search page, enter the application name in the Search field and click the search button.
- Next to the application name, click Add.
- On the Add Web App page, click Yes to confirm.
- Click Close to exit the Application Catalog.
The application opens to the Settings page.
Step 2: Configure the Settings page.
Set an app name, description, category, and logo if you want to change them.
Step 3: Configure the Trust page.
- In the Identity Provider Configuration section, select Metadata, then click Download Metadata File to download the IdP metadata.
This file is used later when you configure the SAML integration in AppName.
- In the Service Provider Configuration section, select Manual Configuration, then review the following pre-configured SAML settings and click Save after you finish.
Step 4: Configure the Permissions page to grant AppName users SSO access.
Grant SSO access to AppName by assigning permissions to users, groups, or roles.
- On the Permissions page, click Add.
- Select the user(s), group(s), or role(s) that you want to grant permissions to, then click Add.
The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.
- Select the permissions you want and click Save.
Default permissions automatically deploy the application to the User Portal if the Show in user app list option is selected on the Settings page. Do not select this option if you intend to use only SP-initiated SSO.
Change the permissions if you want to add additional control or if you prefer not to automatically deploy the application.
Step 5: Review and save.
Review your settings to confirm your configuration. For example, you might want to verify that you selected the appropriate users, groups, or roles on the Permissions page. Click Save when you are satisfied.
Configure Palo Alto Firewall for SAML single sign-on
The following procedure describes the steps in the Palo Alto Networks web interface needed to configure the GlobalProtect app template for SSO.
Step 1: Log in to the Palo Alto Networks web interface as an admin.
- Go to Device > Server Profiles > SAML Identity Provider.
- Click Import at the bottom of the page.
- In the SAML Identity Provider Server Profile Import pop-up:
  - Enter a Profile Name.
  - (Optional) Check the Administrator only checkbox if you want only administrators to use SAML SSO.
  - Click Browse beside Identity Provider Metadata.
  - Select the Identity Provider Metadata XML file you downloaded from the CyberArk Identity portal earlier. Refer to Configure the Trust page.
  - For Validate Identity Provider Certificate, uncheck this checkbox if you do not have a certificate from a trusted CA (Certificate Authority). The default CyberArk signing certificate is self-signed and is not a trusted CA certificate.
  Palo Alto Networks recommends using a CA certificate. If you have one, select this checkbox and refer to Palo Alto Networks' documentation to add the certificate and create a Certificate Profile.
  - Uncheck Validate Metadata Signature.
  - Leave Maximum Clock Skew (sec) at its default value, or set it to suit your environment. This value is the allowed difference in seconds between the system times of the IdP and the firewall at the moment the firewall validates IdP messages (default is 60; range is 1 to 900). If the difference exceeds this value, authentication fails.
  - Click OK.
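As an added illustration of the Maximum Clock Skew setting described above (example code written for this page, not Palo Alto Networks' or CyberArk's code): it parses the Conditions element of a constructed SAML assertion and accepts it only when the validation time falls inside the NotBefore/NotOnOrAfter window widened by the allowed skew, which is why a small clock drift between IdP and firewall still passes while a large one fails. The assertion, entity IDs and timestamps are constructed sample values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IdP response): only the
# <Conditions> time window matters for the clock-skew check below.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-15T10:00:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://vpn.example.com:443/SAML20/SP</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a SAML xsd:dateTime in UTC ('Z' suffix), with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML dateTime: {value!r}")


def conditions_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    return parse_saml_time(cond.get("NotBefore")), parse_saml_time(cond.get("NotOnOrAfter"))


def within_window(assertion_xml, now_utc, max_skew_sec=60):
    """Accept the assertion only if now_utc lies in [NotBefore - skew, NotOnOrAfter + skew).

    now_utc is a SAML-style UTC timestamp string; max_skew_sec mirrors the
    firewall's Maximum Clock Skew (default 60 seconds).
    """
    not_before, not_on_or_after = conditions_window(assertion_xml)
    now = parse_saml_time(now_utc)
    skew = timedelta(seconds=max_skew_sec)
    return (not_before - skew) <= now < (not_on_or_after + skew)


if __name__ == "__main__":
    # Firewall clock 30 s behind the IdP: accepted with the default skew, rejected at 10 s.
    print(within_window(SAMPLE_ASSERTION, "2024-01-15T09:59:30Z"))
    print(within_window(SAMPLE_ASSERTION, "2024-01-15T09:59:30Z", max_skew_sec=10))
```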
Step 2: Create Certificate and provide the appropriate Certificate in the SAML Identity Provider
- Go to Device > Certificate Management > Certificates.
- Click Import at the bottom of the page.
- In the Certificates Import pop-up:
  - Select Local as Certificate Type. This is the default option.
  - Enter a Certificate Name.
  - Click Browse beside Certificate File.
  - Select the Signing Certificate (.cert file) you downloaded from the CyberArk Identity portal earlier. If the file name contains spaces, rename the file to remove them.
  - Leave all other attributes at their default values.
  - Click OK.
- Once saved, the certificate details appear on the Certificates tab.
- Go to Device > Server Profiles > SAML Identity Provider and click the Profile Name that you configured.
- In the SAML Identity Provider Server Profile pop-up, select the appropriate certificate name from the Identity Provider Certificate drop-down as shown below.
- Click OK.
Step 3: Create Authentication Profile and download Service Provider Metadata
- Navigate to Device > Authentication Profile.
- Click Add at the bottom of the screen.
- In the Authentication Profile pop-up:
  - Enter a Name.
  - In the Authentication tab, select SAML as Type.
  - In the IdP Server Profile drop-down, select the name you entered in the previous step.
  - Select None from the Certificate for Signing Requests drop-down.
  - (Optional) Select the Enable Single Logout checkbox if you want users to also be logged out from CyberArk Identity.
  - For Certificate Profile, if you configured the IdP Server Profile to validate the IdP certificate and created a certificate profile, select that certificate profile. Otherwise, select None.
  - Leave all other attributes at their default values.
  - Navigate to the Advanced tab.
  - Add to the Allow List every user who will use SAML SSO, matching the users you granted access to on the Permissions page in CyberArk Identity.
  - Click OK.
- Click the Metadata link in the Authentication column for your profile, select the global-protect value from the Service drop-down, then click the captive portal IP to download the Service Provider Metadata file. You will upload this file to the Admin Portal in the next step.
- Click Commit to commit the changes to the firewall.
Step 4: Upload Service Provider Metadata to CyberArk Identity Portal
- Log in to the CyberArk Identity Admin Portal.
- Go to the Trust page of the GlobalProtect application.
- Click Choose File to upload the Service Provider Metadata downloaded previously.
- Click Save.
Configure Portal and Gateway to connect GlobalProtect
Once you have set up CyberArk Identity as the IdP, create a new Portal, a new Gateway, or both for the GlobalProtect components.
Refer to the following Palo Alto Networks documentation for configuring a GlobalProtect Portal:
Refer to the following Palo Alto Networks documentation for configuring a GlobalProtect Gateway:
Step 1: Configure Portals.
- Navigate to Network > GlobalProtect > Portals in the Palo Alto Networks web interface.
- Click the Portal which you created earlier to connect GlobalProtect.
- Navigate to the Authentication tab and click Add.
- In the Client Authentication pop-up, enter a Name.
- Enter the OS details.
- Select the Authentication Profile which you created earlier.
- Define the Authentication Message.
- Leave the other attributes at their default values.
- Click OK to see the configured details as shown below.
Step 2: Configure Gateway
- Navigate to Network > GlobalProtect > Gateways in the Palo Alto Networks web interface.
- Click the Gateway which you created earlier.
- Navigate to the Authentication tab and click Add.
- In the Client Authentication pop-up, enter a Name.
- Enter the OS details.
- Select the Authentication Profile which you created earlier.
- Define the Authentication Message.
- Leave the other attributes at their default values.
- Click OK to see the configured details as shown below.
- Click Commit to save all the Portal and Gateway related changes to the firewall.
Install GlobalProtect
- Go to [your-base-url]/global-protect/portal/portal.esp.
- Download the GlobalProtect client installer for your OS and install it.
- In the GlobalProtect client application, go to Settings and enter [your-base-url] in the Portal Address field.
- Click Connect.
Additional information
You can refer to https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/authentication/set-up-external-authentication/set-up-saml-authentication.html for more information.