Rublon

Secure Remote Access

By

Last updated on June 11, 2025

Overview

The purpose of this document is to enable Rublon Multi-Factor Authentication (MFA) for users logging in to Palo Alto GlobalProtect VPN. To achieve that using SAML, you have to use Rublon Access Gateway. All required steps will be described in this document.

Demo Video

Supported Authentication Methods

Authentication Method Supported Comments
Mobile Push N/A
WebAuthn/U2F Security Key N/A
Passcode N/A
SMS Passcode N/A
SMS Link N/A
Phone Call N/A
QR Code N/A
Email Link N/A
YubiKey OTP Security Key N/A

Before You Start

You need to install and configure Rublon Access Gateway itself before configuring Palo Alto GlobalProtect VPN to work with it. Please read the Rublon Access Gateway documentation and follow the steps in the Installation and Configuration sections. Afterward, continue with this document.

Configuration

Follow these steps to enable Rublon MFA for Palo Alto GlobalProtect VPN.

Configure SAML Profile

1. Log in to the Palo Alto administrator panel.

2. Select the Device tab and then select Server Profiles → SAML Identity Provider.

3. Click Import at the bottom of the page and fill in the form. Refer to the following image and table

Profile NameA descriptive name for your profile, e.g., RublonAccessGateway.
Identity Provider MetadataUpload the Rublon Access Gateway metadata file in XML format.

You can get the metadata.xml file from Applications → Information for configuring applications with Rublon Access Gateway → DOWNLOAD METADATA.
Validate Identity Provider CertificateCheck.
Validate Metadata SignatureUncheck.
Maximum Clock Skew (sec)The maximum allowed difference in system clocks between the IdP server and Palo Alto. The default value is 60 seconds and we recommend you do not to change it.

3. Click OK to finish configuring your SAML identity provider server profile.

Configure Authentication Profile

1. Go to Device → Authentication Profile.

2. Click Add to add a new authentication profile.

3. In Name, set a name for your Authentication Profile.

IMPORTANT

Rublon will display this name on the Rublon Prompt and Mobile Push authentication requests during every login, so we recommend you set a descriptive name such as Palo Alto GlobalProtect.

4. Set Type to SAML.

5. In IdP Server Profile, select the SAML Identity Provider profile you have created before.

6. Leave Certificate for Signing Requests as None.

7. We recommend you keep the Enable Single Logout option unchecked. However, if you want users who log out of GlobalProtect to also be logged out of other SSO applications, you can check it.

8. Click the dropdown list and select New Certificate Profile.

9. A new window will open. In Name, enter a descriptive name for your profile, e.g., Palo Alto GlobalProtect.

10. Leave Username Field as None.

11. Under CA Certificates, click Add. Then, select the certificate imported from Rublon Access Gateway in the CA Certificate and OCSP Verify Certificate fields and click OK.

12. On the Authentication Profile window, click Advanced. In the Allow List, click the Add button and select all.

13. Click OK to save your authentication profile.

Configure GlobalProtect Gateway

1. Select the Network tab.

2. Go to GlobalProtect → Gateways.

3. Click your GlobalProtect Gateway profile name to open its properties.

4. In the newly-opened window, select the Authentication tab.

5. Depending on your configuration, click the current entry under Client Authentication to modify it or create a new one by clicking the Add button.

6. Fill in the Client Authentication form with the following information.

NameEnter a descriptive name, e.g., GlobalProtect_Rublon.
OSAny
Authentication ProfileSelect the Authentication Profile you have created before.

7. Click OK to save Client Authentication information.

8.  (Optional) These settings may be useful for users already connected to the VPN to limit the number of requests sent by Rublon when trying to reconnect.

  1. Select the Agent tab, and then select the Client Settings tab.
  2. Select the profile to enter its properties, and go to Authentication Override.
  3. Check both options:
  • Generate cookie for authentication override
  • Accept cookie for authentication override (this option requires you to select the SSL certificate imported to GlobalProtect)
  1. Click OK to save changes.

9.  Click OK to save your choices and finish your GlobalProtect Gateway configuration.

Configure GlobalProtect Portal

IMPORTANT

This section is optional.

We recommend you leave the GlobalProtect Portal to use standard authentication methods (LDAP, AD, Local user base, etc.) only.

The GlobalProtect Gateway configuration is sufficient for Rublon 2FA to work properly. Configuring GlobalProtect Portal for Rublon 2FA is optional. If you decide to secure the GlobalProtect Portal with Rublon, users may have to authenticate twice when accessing the GlobalProtect Portal, which may disrupt the end-user experience.

1. Select the Network tab and then go to GlobalProtect → Portals.

2. Click your GlobalProtect Portal to open the properties window.

3. In the new window, select the Authentication tab and click the current entry under Client Authentication to modify it or create a new one by clicking the Add button.

4. Fill in the form. Refer to the following image and table.

NameEnter a descriptive name, e.g., GlobalProtect_Rublon
OSAny
Authentication ProfileSelect the Authentication Profile you have created before.

5. Click OK to save the settings. Then, click OK again to finish your GlobalProtect Portal configuration.

Commit Your Configuration

1. Click Commit in the upper-right corner of the administrator panel.

2. A new window will open for you to preview changes.

3. Click Commit to make your changes take effect.

Add Application to Rublon Access Gateway

1. Go to Device → Authentication Profile.

2. Click Metadata in the Authentication column for your newly-created authentication profile.

3. A new window will appear. In Service, select management.

4. In Type, choose IP or Hostname and enter the public IP or Hostname of your GlobalProtect VPN.

Note

You do not have to specify a port unless your GlobalProtect VPN uses a different port than the default 443. If you do not specify a port, port 443 (HTTPS) will be used by default.

5. Click OK. A new Metadata file in XML format will be created and downloaded to your computer. The file name will be the same as the name of your Authentication Profile.

6. In Rublon Access Gateway, go to Applications → Import application metadata.

7. In Application Name, set the name for your application.

Note: This name must be the same as the name of the authentication profile created in Palo Alto GlobalProtect. This is very important. Otherwise, an error will pop up preventing you from adding a new application.

8. Select the Metadata file you downloaded from Palo Alto and click Upload.

9. Your application will appear on the applications list under the All applications subtab.

Log in to Palo Alto GlobalProtect with Rublon MFA

This example depicts Rublon 2FA while using the Palo Alto VPN client. We assume you have already installed and configured the VPN client. To download the client, log in to the GlobalProtect website and download the VPN client. Note that if you configured the GlobalProtect Portal for Rublon 2FA, you will be required to undergo Rublon 2FA authentication before downloading the client.

To log in to Palo Alto GlobalProtect with Rublon 2FA (and test your configuration):

1. Open your VPN client, enter your portal address, and click Connect.

2. A Rublon Prompt will appear. Provide your username and password and click SIGN IN.

3. A window will appear with a selection of various 2FA options from Rublon. Let’s choose Mobile Push.

4. You will be sent a push notification. Tap APPROVE.

5. You will get connected to Palo Alto GlobalProtect.

Troubleshooting

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Access Gateway

Rublon Access Gateway – Integrations