Palo Alto VM-Series Firewall: GlobalProtect – AWS SAML


GlobalProtect supports various authorization methods, including SAML 2.0 IdP. This example shows how to set up authorization using AWS SSO.


Before adding SAML IdP, you must already have AWS Directory Service configured

To begin with, let’s add an application, for this go to “IAM Identity Center” -> “Application assignments” -> “Application

And click “Add Application

There is no application for GlobalProtect in the list, so we indicate it will be a custom application and click “Next

Specify a name and description

Next, in the “Application properties” section, in the “Application start URL” field, specify the following:


In order for us to get to the GlobalProtect client download page from the AWS SSO portal

In the “Application metadata” section, in the “Application ACS URL” field, specify the following:


And “Application SAML audience“:


Then download the SAML Metadata file, scroll down and click “Submit

After adding the application, you need to make sure that the correct attribute format is used. To do this, in the “Actions” tab, select “Edit attribute mapping

Required format:

  • Value: ${user.subject}
  • Format: emailAddress

This completes the configuration from the AWS side.


Import the SAML Metadata file, for this go to the “Device” -> “Server Profiles” -> “SAML Identity Provider” tab and select “Import” in the lower left corner

Parameter “Validate Identity Provider Certificate” – must be disabled

Let’s create an Authentication Profile, to do this, go to the “Device” -> “Authentication Profile” tab and select “Add“. Specify a name and in the “IdP Server Profile” field select the profile that was imported in the previous step, leaving all other settings as default.

Go to the “Advanced” tab and add “all” to the “Allow List“.

Click “OK” and save the changes, for this, click “Commit” in the upper right corner. Now we can use this Authentication Profile to authenticate with GlobalProtect.

Tagged: Tags

Notify of

Inline Feedbacks
View all comments