Duo checks the user, device, and network against an application's policy before allowing access to the application. For example, you can require that Salesforce users complete two-factor authentication at every login, but only once every seven days when accessing Palo Alto GlobalProtect.
Duo Single Sign-On acts as an identity provider (IdP), authenticating your users using existing on-premises Active Directory (AD) or any SAML 2.0 IdP and prompting for two-factor authentication before permitting access to Palo Alto GlobalProtect.ĭuo Single Sign-On is available in Duo Beyond, Duo Access, and Duo MFA plans, which also include the ability to define policies that enforce unique controls for each individual SSO application. In addition, as sensitive information makes its way to cloud-hosted services it is even more important to secure access by implementing two-factor authentication.ĭuo Single Sign-On is our cloud-hosted SSO product which layers Duo's strong authentication and flexible policy engine on top of Palo Alto GlobalProtect logins using the Security Assertion Markup Language (SAML) 2.0 authentication standard.
If a user's primary password is compromised, attackers may be able to gain access to multiple resources. While SSO is convenient for users, it presents new security challenges. Single sign-on (SSO) technologies seek to unify identities across systems and reduce the number of different credentials a user has to remember or input to gain access to resources. If you are looking to protect Palo Alto Networks Aperture please visit Duo Protection for Palo Alto Networks Aperture.Īs business applications move from on-premises to cloud hosted solutions, users experience password fatigue due to disparate logons for different applications. Learn more about the differences between the Palo Alto GlobalProtect deployment configurations. This configuration does not feature the inline Duo Prompt, but also does not require a SAML identity provider. To deploy push, phone call, or passcode authentication for GlobalProtect desktop and mobile client connections using RADIUS, refer to the Palo Alto GlobalProtect instructions. Supported on Palo Alto Networks next-generation firewalls running PAN-OS 7.0 and 7.Duo Federal customers or those looking for an on-premises SSO solution: try Duo Protection for Palo Alto Networks SSO with Duo Access Gateway.ĭuo Single Sign-On for Palo Alto SSO supports GlobalProtect clients via SAML 2.0 authentication only. Supported on Palo Alto Networks next-generation firewalls running PAN-OS 7.0 and 7.1
Network administrators please contact your Palo Alto Networks sales representative or channel partner to add GlobalProtect gateway subscription to your firewalls in order to enable support for GlobalProtect for Windows Unified Platform.
Provides the full benefit of the native experience and allows users to securely use any app Supports all of the existing PAN-OS authentication methods including RADIUS, LDAP, client certificates, and a local user database This allows users to work safely and effectively at locations outside of the traditional office.īefore installing this app, please check with your IT department to ensure that your organization has enabled a GlobalProtect gateway subscription on the firewall.
The app automatically adapts to the end-user’s location and connects the user to the optimal gateway in order to deliver the best performance for all users and their traffic, without requiring any effort from the user.
GlobalProtect for Windows Unified Platform connects to a GlobalProtect gateway on a Palo Alto Networks next-generation firewall allowing mobile users to benefit from the protection of enterprise security.