HELP FILE

Palo Alto Networks VPN

Add the SSO app to the LasPass SSO & MFA Admin Console.

  1. Log in and access the LastPass Password Manager Admin Console by doing either of the following:
    • While logged in to LastPass, click the active LastPass icon in your web browser toolbar, then select Admin Console in the menu.
    • Log in at https://lastpass.com/company/#!/dashboard with your admin username and Master Password.
  2. Go to Applications > SSO apps.
  3. If you have not previously added SSO apps, click Add your first SSO app. Otherwise, click Add app in the upper-right navigation.
  4. In the Search field, under the Select app section, search for your app in the catalog.

    Note: If you cannot find your app click Add an unlisted app.

  5. Click Continue.
  6. Go to this app’s settings to enable single sign-on. Make sure your app recognizes LastPass as the Identity Provider. Some apps allow you to upload settings in an XML file, while others require you to copy and paste the information below.

    Entity ID
    https://identity.lastpass.com
    SSO endpoint
    https://identity.lastpass.com/SAML/SSOService
    Logout URL
    https://identity.lastpass.com/Login/Logout
    Certificate
    Default is selected, or select another
    Certificate fingerprint
    Custom
    Certificate fingerprint (SHA256)
    Custom

  7. Optional: If needed, you can click the Download icon to download and save the LastPass Certificate (TXT) and/or Metadata (XML) files.
  8. Open a new web browser window or tab to proceed with the next steps.

Part 2 - App Configuration

  1. Log into the admin console of your VPN server and go to Device > Server Profiles > SAML Identity Provider. Click Import.
  2. Set up a Profile Name and import the LastPass metadata by clicking on Browse..., select the metadata file that you downladed from LastPass admin dashboard and click OK to save changes.
  3. Next, create a new Authentication Profile. Navigate to Device > Authentication Profile and click Add.

    Authentication Profile Authentication tab

  4. Select your authentication profile name. Select SAML from the Type options and select the LastPass identity provider name that you created in the IdP Server Profile.
  5. Click on the Advanced tab and select all users or a list of users in the Allow List. Click Ok to save changes.

    Authentication Profile Advanced tab

  6. Next, switch to the new authentication profile on your GlobalProtect Portals and Gateways. Navigate to Network > GlobalProtect > Portals, select the portal you'd like to update, click on the Authentication tab, and select the authentication profile that you created.
  7. Open Network > GlobalProtect > Gateways, select the portal you'd like to update, click on the Authentication tab, and select the authentication profile recently created.

    Result: Palo Network VPN is now ready to use. You can now assign users to your VPN. For more information visit Palo Alto Network SAML setup page.