Palo Alto Networks VPN
Add the SSO app to the LasPass SSO & MFA Admin Console.
- Log in and access the LastPass Password Manager Admin Console by doing either of the following:
- While logged in to LastPass, click the active LastPass icon in your web browser toolbar, then select Admin Console in the menu.
- Log in at https://lastpass.com/company/#!/dashboard with your admin username and Master Password.
- Go to .
- If you have not previously added SSO apps, click Add your first SSO app. Otherwise, click Add app in the upper-right navigation.
- In the Search field, under the Select app section, search for your app in the catalog. Note: If you cannot find your app click Add an unlisted app.
- Click Continue.
- Go to this app’s settings to enable single sign-on. Make sure your app recognizes LastPass as the Identity Provider. Some apps allow you to upload settings in an XML file, while others require you to copy and paste the information below.
- Entity ID
- SSO endpoint
- Logout URL
- Default is selected, or select another
- Certificate fingerprint
- Certificate fingerprint (SHA256)
- Optional: If needed, you can click the Download icon to download and save the LastPass Certificate (TXT) and/or Metadata (XML) files.
- Open a new web browser window or tab to proceed with the next steps.
Part 2 - App Configuration
- Log into the admin console of your VPN server and go to Device > Server Profiles > SAML Identity Provider. Click Import.
- Set up a Profile Name and import the LastPass metadata by clicking on Browse..., select the metadata file that you downladed from LastPass admin dashboard and click OK to save changes.
- Next, create a new Authentication Profile. Navigate to Device > Authentication Profile and click Add.
- Select your authentication profile name. Select SAML from the Type options and select the LastPass identity provider name that you created in the IdP Server Profile.
- Click on the Advanced tab and select all users or a list of users in the Allow List. Click Ok to save changes.
- Next, switch to the new authentication profile on your GlobalProtect Portals and Gateways. Navigate to Network > GlobalProtect > Portals, select the portal you'd like to update, click on the Authentication tab, and select the authentication profile that you created.
- Open Network > GlobalProtect > Gateways, select the portal you'd like to update, click on the Authentication tab, and select the authentication profile recently created.