Skip to main content

Palo Alto GlobalProtect VPN SAML integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.


  • Configured Arculix instance and user account with administrative privileges for Arculix.

  • Configured Arculix LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • User account with administrative access to Palo Alto.

Arculix SAML configuration as an Identity Provider (IdP)

In this section, you'll configure Palo Alto GlobalProtect VPN as an identity provider, add an application, and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

  1. Log in to Arculix with an administrative account and in the left navigation, click Identity Provider.

  2. Select the SAML Certificates tab and verify whether you have an available certificate with a subject attribute or whether you need to generate a new one for the Palo Alto GlobalProtect VPN integration.

  3. If there isn't one, click Generate Self-Signed Certificate, enter a friendly name, and click Generate Certificate.

  4. Review the certificate settings.

    You could set the new certificate to Active, but this can interfere with applications that were set with the previous certificate. You'll want to use this new certificate separately for the Palo Alto GlobalProtect VPN application that you will create next.

  5. Save your changes.

    Be sure to save your changes so that the SAML certificate has the subject attribute.

  6. In the left navigation, click Applications.

  7. Click Create New Application.

    Create new application
  8. In the New Application form, on the General tab, set the following configurations:


    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, Palo Alto GP


    Set to SAML Service Provider.

    Out of Band Methods 

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests 

    Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

  9. Select the SAML Service Provider Configuration tab, and set the following configurations:

    Issuer or Entity ID 

    Enter the Issuer or Entity ID of your Palo Alto VPN.

    For example,

    Log in URL 

    Enter the URL used by your users to access the VPN.

    For example,

    NameID Format 

    Set to Email Address.

    Name Identifier 

    Set to Email.

    ACS URL 

    Enter the Assertion Consumer Service of your Palo Alto VPN.

    For example, https://


  10. Scroll down to the bottom of the page, move the slider to enable Select IdP Siging Certificate and select the certificate with the subject attribute as Active.

  11. Save your changes.

    Next, download the metadata for this application.

  12. Go back to the application you just created, click Edit and then Download Certificate.


Palo Alto GlobalProtect VPN configuration

In this section, you'll configure Palo Alto GlobalProtect VPN as a service provider (SP).

  1. Log in to Palo Alto as an administrator.

  2. To upload the Arculix SAML metadata, go to the Device tab, then SAML Identity Provider, and click Import.

  3. Set the following configurations:

    Profile Name

    Set a profile name for this integration.

    Identity Provider Metadata

    Browse to the folder that contains the Arculix metadata file.

    Validate Identity Provider Certificate

    Clear this check box.

  4. In the left navigation, go to Authentication Profile and then click Add.

  5. On the Authentication tab, set the following configurations:


    Set an authentication profile name for this integration.


    Set the type to SAML.

    IdP Server Profile

    Set to the name of the Arculix SAML server.

    Leave the other settings as set by default.

  6. Select the Advanced tab, click Add, select the All check box and click OK.


    Next, you need to change your Global Protect authentication to SAML; either for Portals or Gateways, or both.

  7. In the left navigation, expand GlobalProtect and click Portals.

  8. Select the portal you want to configure.

  9. On the GlobalProtect Configuration page, to create a new client authentication, click Authentication.

  10. On the Client Authentication page, set the Name and select the Authentication Profile that you just created.

  11. On the GlobalProtect Portal Configuration page, click Agent and select the agent to configure.

  12. Select the App tab.

  13. Find the App Configuration setting for Use Default Browser for SAML Authentication and set it to Yes.

    The internal browser for the GlobalProtect VPN client does not support WebAuthn, so you will need to set this configuration if you want to use WebAuthn for authentication.

  14. To change the Gateway authentication setting, go to Gateways and select the gateway to configure.

  15. On the GlobalProtect Gateway Configuration page, click Authentication.

  16. Create a Client Authentication for the gateway, just like you did in Step 10.

  17. To check your configurations, click Commit. Verify your changes, and click Commit to apply your changes.


Test your set up

  1. Add the Palo Alto GlobalProtect URL to your VPN or enter the URL in a browser.

  2. You will be redirected to the Arculix SSO page.

    Application login page with email
  3. After successful authentication, select your preferred MFA method to approve access to the Palo Alto GlobalProtect VPN.

    Select MFA method
  4. Finally, it establishes your VPN connection.



If you have questions or need assistance, contact SecureAuth Support.


Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.


All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.