AWS Directory Service<\/a> configured<\/p><\/blockquote>\nTo begin with, let’s add an application, for this go to "IAM Identity Center<\/strong>" -> "Application assignments<\/strong>" -> "Application<\/strong>"<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-26-at-13.19.41.png\")
<\/p>\n
And click\u00a0"Add Application<\/strong>"<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-26-at-13.19.49.png\")
<\/p>\n
There is no application for GlobalProtect in the list, so we indicate it will be a custom application and click "Next<\/strong>"<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-26-at-13.27.11.png\")
<\/p>\n
Specify a name and description<\/p>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-26-at-13.32.13.png\")
<\/p>\n
Next, in the "Application properties<\/strong>" section, in the "Application start URL<\/strong>" field, specify the following:<\/p>\nhttps:\/\/YOUR_GP_DOMAIN<\/strong>\/global-protect\/getsoftwarepage.esp<\/p><\/blockquote>\nIn order for us to get to the GlobalProtect client download page from the AWS SSO portal<\/p>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-26-at-13.33.07.png\")
<\/p>\n
In the "Application metadata<\/strong>" section, in the "Application ACS URL<\/strong>" field, specify the following:<\/p>\nhttps:\/\/YOUR_GP_DOMAIN<\/strong>:443\/SAML20\/SP\/ACS<\/p><\/blockquote>\nAnd "Application SAML audience<\/strong>":<\/p>\nhttps:\/\/YOUR_GP_DOMAIN<\/strong>:443\/SAML20\/SP<\/p><\/blockquote>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-26-at-13.33.47.png\")
<\/p>\n
Then download the SAML Metadata<\/strong> file, scroll down and click "Submit<\/strong>"<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-26-at-13.42.13.png\")
<\/p>\n
After adding the application, you need to make sure that the correct attribute format is used. To do this, in the "Actions<\/strong>" tab, select "Edit attribute mapping<\/strong>"<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-26-at-14.49.53.png\")
<\/p>\n
Required format:<\/p>\n
\n- Value: ${user.subject}<\/li>\n
- Format: emailAddress<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-26-at-13.45.08.png\")
<\/p>\n
This completes the configuration from the AWS side.<\/p>\n
Firewall<\/h3>\n
Import the SAML Metadata<\/strong> file, for this go to the "Device<\/strong>" -> "Server Profiles<\/strong>" -> "SAML Identity Provider<\/strong>" tab and select "Import<\/strong>" in the lower left corner<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-26-at-15.22.21.png\")
<\/p>\n
Parameter "Validate Identity Provider Certificate<\/strong>" — must be disabled<\/p><\/blockquote>\nLet\u2019s create an Authentication Profile<\/strong>, to do this, go to the "Device<\/strong>" -> "Authentication Profile<\/strong>" tab and select "Add<\/strong>". Specify a name and in the "IdP Server Profile<\/strong>" field select the profile that was imported in the previous step, leaving all other settings as default.<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-26-at-15.28.37.png\")
<\/p>\n
Go to the "Advanced<\/strong>" tab and add "all<\/strong>" to the "Allow List<\/strong>".<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/10\/Screenshot-2022-10-26-at-15.28.53.png\")
<\/p>\n
Click "OK<\/strong>" and save the changes, for this, click "Commit<\/strong>" in the upper right corner. Now we can use this Authentication Profile<\/strong> to authenticate with GlobalProtect.<\/p>\n","protected":false},"excerpt":{"rendered":" GlobalProtect supports various authorization methods, including SAML 2.0 IdP. This example shows how to set up authorization using AWS SSO. AWS Before adding SAML IdP, you must already have AWS Directory Service configured To begin with, let’s add an application, for this go to "IAM Identity Center" -> "Application assignments" -> "Application" And click\u00a0"Add … \u041f\u0440\u043e\u0434\u043e\u043b\u0436\u0438\u0442\u044c \u0447\u0438\u0442\u0430\u0442\u044c "Palo Alto VM-Series Firewall: GlobalProtect — AWS SAML"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[599,1335],"tags":[1899,1901,1905,1921],"_links":{"self":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2541"}],"collection":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2541"}],"version-history":[{"count":3,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2541\/revisions"}],"predecessor-version":[{"id":2544,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2541\/revisions\/2544"}],"wp:attachment":[{"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2541"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2541"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2541"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/palo-alto-logo.png\"){kind=logo}
<\/p>\n