Okta Classic Engine | Authentication | Answered | 2025-11-18T09:00:16.000Z | 2022-03-24T16:46:28.000Z | 2022-03-28T07:04:57.000Z

qk26f (qk26f) asked a question.

Palo Alto GlobalProtect VPN Using Local User Database with Okta SAML

Our users are currently authenticating through the local user database on our Palo Alto firewall. I have manually set up new users in the Okta dashboard to match the local user database in our firewall. We are using the SAML 2.0 MFA feature in Okta and I don't understand how I will be able to control VPN user access in the firewall since these are two different accounts and don't seem to connect in any way. Is there some way to connect Okta users' email (Accounts) in the dashboard with local user accounts in the firewall database?

Thanks!

Jason


  • DanSacui (Vendor Management)

    Hello Jason,

    With the SAML app you will need to ensure that the username set on the app assignment matches the account on the SP side. Provided that the exact value is assigned in Okta, it will be sent to Palo Alto in the assertion and authentication should succeed.

    You mentioned you are logging in with local users; could you ensure SAML is enabled for the accounts (as the default authentication mechanism), as this may be the reason for the failures?

    Should you encounter issues, please open a support case.


    Best Regards,

    Dan

This question is closed.
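
The username matching described in the answer above can be checked offline from a captured SAML response. The following is an added example, not part of the original thread and not Okta or Palo Alto tooling: it extracts the NameID from the assertion and compares it with the SP-side usernames. The sample response, the local usernames, the function names and the assumption that the SP matches on the exact string are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a trimmed, unsigned SAML response saved for debugging.
# Diagnostic only: this does not verify signatures or validity conditions.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jason@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: usernames as they exist in the firewall's local user database.
LOCAL_USERS = {"jason", "maria"}


def assertion_username(response_xml):
    """Return the NameID the IdP sent, or None if the assertion carries none."""
    root = ET.fromstring(response_xml)
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    return node.text.strip() if node is not None and node.text else None


def diagnose(response_xml, local_users):
    """Classify how the asserted username relates to the SP-side accounts."""
    name = assertion_username(response_xml)
    if name is None:
        return ("no-nameid", None)
    if name in local_users:  # assumption: the SP compares the exact string
        return ("match", name)
    # Near misses worth checking before changing anything else: a case
    # difference, or an email-style value where the SP account is the
    # part before "@".
    by_lower = {u.lower(): u for u in local_users}
    if name.lower() in by_lower:
        return ("case-mismatch", by_lower[name.lower()])
    prefix = name.split("@", 1)[0]
    if prefix.lower() in by_lower:
        return ("email-vs-short-name", by_lower[prefix.lower()])
    return ("no-account", None)


if __name__ == "__main__":
    print(assertion_username(SAMPLE_RESPONSE), diagnose(SAMPLE_RESPONSE, LOCAL_USERS))
```

A result other than `match` means the application username assigned in Okta and the SP-side account name need to be brought into agreement on one side or the other.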