Skip navigation
Duo Blog
Admin Login

Categories & Archive

Blog banner image showing gray graphics with white text that reads,
Product & Engineering
Landon Greer

Revolutionizing Palo Alto VPN Access With Duo SSO

Join the thousands of Palo Alto firewall customers who take advantage of protecting Palo Alto VPN logins with Duo Single Sign-On via SAML 2.0 to help prevent unwanted access and streamline the user experience. Duo is a leading identity security platform that protects access to all applications, for any user and device, from anywhere. It is designed to be easy to use, administer, and deploy while providing complete endpoint visibility and control.

Checklist reading: 1) Secure VPN logins in less than an hour, 2) Authenticate users in seconds, 3) Minimize stolen credential risk, 4) Unmatched visibility and control

Duo SSO simplifies the authentication process for users by providing a single point of access to multiple applications. When paired with Palo Alto’s GlobalProtect VPN, it creates a fortified security perimeter that not only safeguards sensitive data but also ensures compliance with regulatory requirements. You may be asking yourself, ‘I already have Duo protecting my Palo Alto GlobalProtect VPN via RADIUS with the Duo Authentication Proxy, why would I modernize to Duo SSO?’ and to this we could talk about the security implications that come along with RADIUS as a protocol, as it further ages but instead, I think it is best that we talk about that as well as the further enhancements that you will receive without any change in your Duo licensing costs.

Reasons to move to Duo SSO with Palo Alto VPN

Circular flow chart for Cisco Duo Single Sign-On, which moves from secure to control to simplify and back to secure

All of the following functionality is only available for Palo Alto VPNs using the Duo Universal Prompt and protecting Palo Alto Firewalls with SAML 2.0. Duo will continue to invest in our focused security principles through the Duo Universal Prompt, so be sure to keep an eye out for new policy improvements.

Secure:

Duo's Verified Push multi-factor authentication (MFA) and passwordless biometric FIDO2 MFA options protect against phishing attacks by delivering a secure and frictionless user experience no matter if on mobile, laptop or using a security key. Duo's contextual access policies adapt to factors like unknown or untrusted devices, location, risk correlation, artificial intelligence and user behavior analytics to continuously verify identity and authorize access.

Simplify:

Duo’s simply easier for all. Easier for admins to configure, deploy and manage, while being easier for users to enroll, authenticate, self-remediate and self-service. It’s also easier for the help desk team to solve problems with Duo’s simple to use troubleshooting tools and detailed event logs. Last, it’s easier for security operations analysts to review and analyze threat data to resolve risk faster.

Control:

Duo's platform provides robust, integrated ITDR and ISPM capabilities powered by Cisco Identity Intelligence, which provides identity security visibility from posture risk to advanced security threats with analysis from across your identity stack. This comprehensive set of tools allows visibility into all identities and devices accessing corporate applications, enabling zero trust security for any user on any device and quickly mitigating risk.

How to protect & modernize Palo Alto GlobalProtect VPN logins with Duo

Integrating Duo SSO with Palo Alto’s GlobalProtect VPN is a straightforward process that involves a few key steps:

  1. Configure Duo SSO within the Duo Admin Panel, adding users and defining authentication methods.

  2. Connect Palo Alto’s GlobalProtect VPN via SAML 2.0 to Duo SSO.

  3. Create Duo Policy requirements for Cisco ASA or Cisco Firepower by application or group.

  4. Validate the sign-in experience and test with a pilot group.

More detailed instructions can be found on Duo Docs.

Modernize security without sacrificing productivity

Duo SSO quickly connects to your identity provider of choice and integrates with any SAML or OIDC application with dedicated integrations for:

With Cisco Duo Single Sign-On, you can easily grant frictionless access to applications while simultaneously enforcing strong zero trust measures across applications, people and devices. As hybrid and mobile workforces continue to grow, establishing a seamless way to manage multiplying endpoints will streamline security operations and minimize your attack surface.

Start closing your cybersecurity readiness gap. Contact Cisco Duo today.