Authenticating GlobalProtect and Prisma Access remote access users against Office365 Azure AD
28/6/2020
Update 29.06.2020 - Mitigate SAML Bypass Vulnerability without upgrade (CVE-2020-2021) - This video explains how to securely set up SAML authentication end-to-end against Office 365 Azure AD. The critical element which explains how to set up certificate validation of the SAML Identity Provider starts at 29:35. With this configuration, there is no immediate need to upgrade the FireWall, although an upgrade should always be considered. It also fixes the commit error "Validate Identity Provider Certificate is checked but no Certificate Profile is provided authentication-profile"
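As an added example (not code from the original post, from Palo Alto Networks or from Microsoft), the following Python models what the "Validate Identity Provider Certificate" option with a Certificate Profile gives you: the signing certificate carried inside the SAML Response is accepted only if its fingerprint matches the Azure AD signing certificate the administrator imported. Without that pin, the message itself decides which certificate the service provider trusts, which is the configuration the update above tells you to avoid. The SAML XML, the certificate bytes and the tenant ID are constructed placeholders; verifying the XML signature itself is out of scope here and needs an XML-DSig library.

```python
"""Pinning check for the SAML Identity Provider signing certificate.

Added example: models the firewall's IdP certificate validation, not PAN-OS code.
All SAML XML and certificate bytes are constructed for the example.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER-encoded certificates. A real deployment loads
# the signing certificate exported from the Azure AD enterprise application
# (the certificate you import into the firewall's Certificate Profile).
TRUSTED_IDP_CERT_DER = b"constructed-azure-ad-signing-cert"
ROGUE_CERT_DER = b"constructed-self-signed-cert"

# Azure AD issuer format; the tenant ID is a placeholder.
AZURE_ISSUER = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, the value we pin."""
    return hashlib.sha256(der_bytes).hexdigest()


def build_response(cert_der: bytes, issuer: str = AZURE_ISSUER) -> str:
    """Constructed SAML Response that carries the given certificate in KeyInfo."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>user@customer.com</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>"""


def embedded_cert(saml_xml: str):
    """Return the DER bytes of the certificate the message carries, or None."""
    root = ET.fromstring(saml_xml)
    node = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not node.text:
        return None
    return base64.b64decode(node.text.strip())


def idp_cert_is_trusted(saml_xml: str, trusted_fingerprints) -> bool:
    """Accept the message only if its signing certificate is a pinned IdP cert.

    This is the step the Certificate Profile adds: the certificate found in the
    message is compared with what the administrator imported, instead of being
    taken at face value. A message without a certificate is rejected as well.
    """
    cert = embedded_cert(saml_xml)
    if cert is None:
        return False
    return fingerprint(cert) in trusted_fingerprints


if __name__ == "__main__":
    pinned = {fingerprint(TRUSTED_IDP_CERT_DER)}
    for label, cert in (("azure-ad", TRUSTED_IDP_CERT_DER), ("rogue", ROGUE_CERT_DER)):
        verdict = idp_cert_is_trusted(build_response(cert), pinned)
        print(f"{label}: {'accepted' if verdict else 'rejected'}")
```

In practice the pinned fingerprint set is populated from the certificate in the firewall's Certificate Profile, and the check runs before the XML signature is verified, so that a signature made with any other key is never even evaluated.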
Being able to authenticate your GlobalProtect or Prisma Access remote workers against Office 365 is very convenient, as it provides a seamless single sign-on experience for the user. It is also great from a security point of view, because you can use the integrated two-factor authentication that comes with Office 365. However, to authenticate against Office 365 you cannot use classical protocols like LDAP or RADIUS; instead you need SAML. Luckily, both Microsoft and Palo Alto Networks have made the integration very simple, and in this video we show you the configuration end-to-end with all the tips and tricks you need to know to make it work.

Update 30.6.2020 - At around 5:40 in the video I mention Microsoft's misleading example for using wildcards in the identifier URL. While wildcards are not supported in the standard marketplace app, they can be used in the manifest file of the enterprise app. This is tremendously useful for Prisma Access. Thanks to @Marc Barten for providing this information.
PowerShell Script

With this PowerShell script you can add multiple identifiers, and the matching reply URLs, to the Azure AD enterprise application as shown in the video.

# Sign in with the AzureAD PowerShell module
Connect-AzureAD

# Look up the enterprise application created for GlobalProtect
$app = Get-AzureADApplication -SearchString "Your GP SAML App"

$ReplyURLS = New-Object System.Collections.Generic.List[string]
$Identifiers = New-Object System.Collections.Generic.List[string]

# Assertion Consumer Service (ACS) URL of every portal and gateway
$ReplyURLS.Add("https://portal1.customer.com:443/SAML20/SP/ACS")
$ReplyURLS.Add("https://portal2.customer.com:443/SAML20/SP/ACS")
$ReplyURLS.Add("https://gw1.customer.com:443/SAML20/SP/ACS")
$ReplyURLS.Add("https://gw2.customer.com:443/SAML20/SP/ACS")

# SAML identifier (entity ID) of every portal and gateway
$Identifiers.Add("https://portal1.customer.com:443/SAML20/SP")
$Identifiers.Add("https://portal2.customer.com:443/SAML20/SP")
$Identifiers.Add("https://gw1.customer.com:443/SAML20/SP")
$Identifiers.Add("https://gw2.customer.com:443/SAML20/SP")

# Write both lists to the application; each call replaces the existing list, so include every URL
Set-AzureADApplication -ObjectId $app.ObjectId -ReplyUrls $ReplyURLS
Set-AzureADApplication -ObjectId $app.ObjectId -IdentifierUris $Identifiers
Disclaimer: Consigas Limited accepts no liability for the content of this blog post, or for the consequences of any actions taken on the basis of the information provided. Any views or opinions presented in this document are solely those of the author and do not necessarily represent those of Palo Alto Networks.
© 2021 Copyright Consigas Ltd. All Rights Reserved