LastPass offers MFA integration with your GlobalProtect Client VPN or GlobalProtect Portal through SAML integration and using the LastPass Universal Proxy.
For SAML integration with Palo Alto Networks, follow the instructions below and add Palo Alto as a web app on the LastPass Admin Dashboard.
Part 1 – Configuration on LastPass Dashboard
- Open the LastPass Admin Dashboard. Select “Applications” from the left side menu and then select “Web App” from the submenu.
- Click on “+ Add SSO App” button from the upper right corner.
- A pop-up window will appear. Under the section “Select your app”, click on “Search…” and type Palo Alto Networks GlobalProtect to search the LastPass Catalog. Select Palo Alto Networks from the drop-down menu.
- Under the section: “Identity Provider”, download the LastPass Metadata xml to your computer by clicking on the download arrow button next to “Metadata”.
- Expand the “Service Provider” section, paste the following “ACS” and “Entity ID” into the ACS and Entity ID URL text box:
ACS: https://YourVpnServer.com:443/SAML20/SP/ACS
Entity ID: https://YourVpnServer.com:443/SAML20/SP
- Click on “Save”.
Part 2 – SSO Configuration on Palo Alto Networks GlobalProtect
- Log in to the admin console of your VPN server and go to Device > Server Profiles > SAML Identity Provider. Click on the “Import” button.
- Set up a Profile Name and import the LastPass metadata: click on Browse…, select the metadata file that you downloaded from the LastPass Admin Dashboard, and click “OK” to save changes.
- Next, create a new Authentication Profile. Navigate to Device > Authentication Profile and click on the “Add” button.
- Select your authentication profile name. Select “SAML” from the Type options and select the LastPass identity provider name that you created in the IdP Server Profile.
- Click on the “Advanced” tab and select all users or a list of users in the Allow List. Click “OK” to save changes.
- Next, switch to the new authentication profile on your GlobalProtect Portals and Gateways. Navigate to Network > GlobalProtect > Portals, select the portal you’d like to update, click on the “Authentication” tab, and select the authentication profile that you created.
- Open Network > GlobalProtect > Gateways, select the portal you’d like to update, click on the Authentication tab, and select the authentication profile recently created.