GlobalProtect SAML Authentication with Entra ID and CIE

When you configure the Cloud Identity Engine (CIE) as a User-ID source, the firewall or Panorama retrieves the group mapping information from the Cloud Identity Engine. You can then use the group information from the CIE to create and enforce group-based security policy rules.

The CIE retrieves the information for your tenant based on your device certificate.

Configure the Cloud Identity Engine as a Mapping Source

https://docs.paloaltonetworks.com/identity/cloud-identity-engine/identify-users-and-devices-with-cie/redistribute-identification-information-from-ngfws-to-the-cloud/configure-the-cloud-identity-engine-as-a-mapping-source


Setup summary

  • On-prem Palo Alto firewall with GlobalProtect configured
  • GlobalProtect authentication: SAML via Azure Entra ID
  • Cloud Identity Engine (CIE) tenant configured with directory sync enabled
  • Configured CIE as a User-ID source under Device > User Identification > Cloud Identity Engine
  • Enabled directory sync in CIE with Azure Entra ID
  • Users authenticate successfully via GlobalProtect with SAML

Here's what should happen:

  • GlobalProtect automatically provides IP-to-username mapping when users authenticate via SAML
  • CIE (configured as User-ID source) provides the group membership information
  • The firewall combines both to apply security policies based on user/group

High‑Level Architecture

  • Authentication: GlobalProtect → SAML → Microsoft Entra ID
  • User / Group Mapping: Cloud Identity Engine (CIE) synchronized with Entra ID
  • Firewall Consumption: Palo Alto firewall uses CIE as the User-ID source (not SAML groups)

Key concept:

  • SAML groups → used only for GlobalProtect authentication allow/deny
  • CIE groups → used for security policy, GP gateway rules, App-ID, logging

Step 1 – Prepare Microsoft Entra ID (IdP)

  1. Create Enterprise Application
    • Add “Palo Alto Networks – GlobalProtect” from the gallery.
  2. Configure SAML SSO
    • Entity ID:
      https://<firewall-fqdn>:443/SAML20/SP
    • Reply URL (ACS):
      https://<firewall-fqdn>:443/SAML20/SP/ACS
    • Sign‑on URL:
      https://<firewall-fqdn>
  3. User & Group Assignment
    • Assign users or Entra security groups allowed to use VPN.
  4. Download Federation Metadata XML
    • Used later on the firewall.



Step 2 – Configure Cloud Identity Engine (CIE)

  1. Deploy / Access CIE Tenant
  2. Add Microsoft Entra ID as Identity Provider
    • Configure Entra → CIE synchronization.
  3. Enable Directory Sync
    • Sync:
      • Users
      • Security groups
      • User attributes (UPN, email, etc.)
  4. Verify Sync Health
    • Confirm users and groups appear correctly in CIE.

At this stage, CIE becomes your authoritative User‑ID source.



Step 3 – Integrate CIE with Palo Alto Firewall (User‑ID)

  1. On the firewall:
    • Device → Cloud Identity Engine
  2. Register Firewall with CIE
    • Authenticate the firewall to the CIE tenant.
  3. Enable User‑ID from CIE
    • Users and groups become available for:
      • Security policies
      • GlobalProtect gateway rules
      • Logging & monitoring

✅ No LDAP, no User‑ID agent required.


Step 4 – Configure SAML on Palo Alto Firewall (Authentication)

  1. Import Entra Metadata
    • Device → Server Profiles → SAML Identity Provider
    • Import the Entra Federation Metadata XML
  2. Create Authentication Profile
    • Type: SAML
    • IdP: Entra SAML profile
    • Optional:
      • Use Allow List with SAML group names (access control only)

Reminder:
SAML groups cannot be referenced in policies or gateways.



Step 5 – Attach SAML Auth to GlobalProtect

  1. GlobalProtect Portal
    • Authentication Profile → SAML profile
  2. GlobalProtect Gateway
    • Authentication Profile → same SAML profile
  3. (Optional) Enable MFA / Conditional Access in Entra ID



Step 6 – Policy & Gateway Configuration (Using CIE Groups)

  1. Security Policies
    • Source User = CIE groups
  2. GlobalProtect Gateway Rules
    • Client authentication / IP pools based on CIE groups
  3. Verify User‑ID
    • Monitor → User‑ID
    • Traffic logs show resolved user and group

Step 7 – Test & Validate

  1. User connects GlobalProtect
  2. Redirected to Entra ID for SAML authentication
  3. Firewall:
    • Accepts authentication via SAML
    • Resolves user/groups via CIE
  4. Policies match on CIE group membership

Key Design Notes (Best Practice)

  • Use SAML only for authentication
  • Use CIE for all group‑based enforcement
  • ❌ Do not rely on SAML groups for security policy
  • ✅ Scales well for cloud/hybrid and Zero Trust designs
  • ✅ Works cleanly with MFA and Conditional Access
