LastPass offers MFA integration with your GlobalProtect Client VPN or GlobalProtect Portal through SAML integration and using LastPass Universal Proxy.
For SAML integration with Palo Alto Network follow the instructions below and add Palo Alto as a web app on LastPass Admin Dashboard.

Part 1 – Configuration on LastPass Dashboard
  • Open the LastPass Admin Dashboard. Select “Applications” from the left side menu and then select “Web App” from the submenu.

LastPass Web Applications

 

  • Click on “+ Add SSO App” button from the upper right corner.

Add SSO application

 

  • A pop-up window will appear. Under the section: “Select your app”, click on “Search…” and type Palo Alto Networks GlobalProtect to search the LastPass Catalog. Select Palo Alto Networksfrom the drop-down menu.

SSO App Catalog

 

  • Under the section: “Identity Provider”, download the LastPass Metadata xml to your computer by clicking on the download arrow button next to “Metadata”.

SSO Identity Provider

 

  • Expand the “Service Provider” section, paste the following “ACS” and “Entity ID” into the ACS and Entity ID URL text box:
    ACS: https:// YourVpnServer.com:443/SAML20/SP/ACS
    Entity ID: https://YourVpnServer.com:443/SAML20/SP
  • Click on “Save”.

SSO app Service Provider

 

Part 2 – SSO Configuration on Palo Alto Networks GlobalProtect
  • Login into the admin console of your VPN server and go to Device > Server Profiles > SAML Identity Provider. Click on the “Import” button.

Palo Alto Network 1

 

  • Set up a Profile Name and import the LastPass metadata by clicking on Browse…, select the metadata file that you downloaded from LastPass admin dashboard and click “OK” to save changes.
  • Next, create a new Authentication Profile. Navigate to Device > Authentication Profile and click on the “Add” button.

Palo Alto Network 2

 

  • Select your authentication profile name. Select “SAML” from the Type options and select the LastPass identity provider name that you created in the IdP Server Profile.
  • Click on the” Advanced” tab and select all users or a list of users in the Allow List. Click “Ok” to save changes.

Palo Alto Network 3

 

  • Next, switch to the new authentication profile on your GlobalProtect Portals and Gateways. Navigate to Network > GlobalProtect > Portals, select the portal you’d like to update, click on the “Authentication” tab, and select the authentication profile that you created.

Palo Alto Network 4

 

  • Open Network > GlobalProtect > Gateways, select the portal you’d like to update, click on the Authentication tab, and select the authentication profile recently created.

Palo Alto Network 5

 

Palo Alto Network VPN is now ready to use. You can now assign users to your VPN.
For more information visit Palo Alto Network SAML setup page.