MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 5 additions & 5 deletions b/‎.openpublishing.redirection.json
Lines changed: 5 additions & 5 deletions
diff --git a/‎articles/active-directory/saas-apps/palo-alto-networks-globalprotect-tutorial.md
Lines changed: 170 additions & 0 deletions b/‎articles/active-directory/saas-apps/palo-alto-networks-globalprotect-tutorial.md
Lines changed: 170 additions & 0 deletions
@@ -7200,6 +7200,11 @@
       "redirect_url": "/azure/active-directory/saas-apps/airwatch-tutorial",
       "redirect_document_id": true
     },
+    {
+      "source_path": "articles/active-directory/paloaltoglobalprotect-tutorial.md",
+      "redirect_url": "/azure/active-directory/saas-apps/palo-alto-networks-globalprotect-tutorial",
+      "redirect_document_id": true
+    },
     {
       "source_path": "articles/active-directory/active-directory-saas-alcumus-info-tutorial.md",
       "redirect_url": "/azure/active-directory/saas-apps/alcumus-info-tutorial",
@@ -8735,11 +8740,6 @@
       "redirect_url": "/azure/active-directory/saas-apps/paloaltoadmin-tutorial",
       "redirect_document_id": true
     },
-    {
-      "source_path": "articles/active-directory/active-directory-saas-paloaltoglobalprotect-tutorial.md",
-      "redirect_url": "/azure/active-directory/saas-apps/paloaltoglobalprotect-tutorial",
-      "redirect_document_id": true
-    },
     {
       "source_path": "articles/active-directory/active-directory-saas-paloaltonetworks-aperture-tutorial.md",
       "redirect_url": "/azure/active-directory/saas-apps/paloaltonetworks-aperture-tutorial",
 
@@ -0,0 +1,170 @@
+---
+title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Palo Alto Networks - GlobalProtect | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Palo Alto Networks - GlobalProtect.
+services: active-directory
+documentationCenter: na
+author: jeevansd
+manager: mtillman
+ms.reviewer: barbkess
+
+ms.assetid: 03bef6f2-3ea2-4eaa-a828-79c5f1346ce5
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: tutorial
+ms.date: 08/23/2019
+ms.author: jeedes
+
+ms.collection: M365-identity-device-management
+---
+
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Palo Alto Networks - GlobalProtect
+
+In this tutorial, you'll learn how to integrate Palo Alto Networks - GlobalProtect with Azure Active Directory (Azure AD). When you integrate Palo Alto Networks - GlobalProtect with Azure AD, you can:
+
+* Control in Azure AD who has access to Palo Alto Networks - GlobalProtect.
+* Enable your users to be automatically signed-in to Palo Alto Networks - GlobalProtect with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis).
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Palo Alto Networks - GlobalProtect single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Palo Alto Networks - GlobalProtect supports **SP** initiated SSO
+* Palo Alto Networks - GlobalProtect supports **Just In Time** user provisioning
+
+## Adding Palo Alto Networks - GlobalProtect from the gallery
+
+To configure the integration of Palo Alto Networks - GlobalProtect into Azure AD, you need to add Palo Alto Networks - GlobalProtect from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Palo Alto Networks - GlobalProtect** in the search box.
+1. Select **Palo Alto Networks - GlobalProtect** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD single sign-on for Palo Alto Networks - GlobalProtect
+
+Configure and test Azure AD SSO with Palo Alto Networks - GlobalProtect using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Palo Alto Networks - GlobalProtect.
+
+To configure and test Azure AD SSO with Palo Alto Networks - GlobalProtect, complete the following building blocks:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+    1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+    1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Palo Alto Networks - GlobalProtect SSO](#configure-palo-alto-networks---globalprotect-sso)** - to configure the single sign-on settings on application side.
+    1. **[Create Palo Alto Networks - GlobalProtect test user](#create-palo-alto-networks---globalprotect-test-user)** - to have a counterpart of B.Simon in Palo Alto Networks - GlobalProtect that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the [Azure portal](https://portal.azure.com/), on the **Palo Alto Networks - GlobalProtect** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+
+   ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+
+	a. In the **Sign on URL** text box, type a URL using the following pattern:
+    `https://<Customer Firewall URL>`
+
+    b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+    `https://<Customer Firewall URL>/SAML20/SP`
+
+	> [!NOTE]
+	> These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Palo Alto Networks - GlobalProtect Client support team](https://support.paloaltonetworks.com/support) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section,  find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+
+	![The Certificate download link](common/metadataxml.png)
+
+1. On the **Set up Palo Alto Networks - GlobalProtect** section, copy the appropriate URL(s) based on your requirement.
+
+	![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+   1. In the **Name** field, enter `B.Simon`.  
+   1. In the **User name** field, enter the [email protected]. For example, `[email protected]`.
+   1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+   1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Palo Alto Networks - GlobalProtect.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Palo Alto Networks - GlobalProtect**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+
+   ![The "Users and groups" link](common/users-groups-blade.png)
+
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+
+	![The Add User link](common/add-assign-user.png)
+
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Palo Alto Networks - GlobalProtect SSO
+
+1. Open the Palo Alto Networks Firewall Admin UI as an administrator in another browser window.
+
+2. Click on **Device**.
+
+	![Configure Palo Alto Single Sign-on](./media/paloaltoglobalprotect-tutorial/tutorial_paloaltoadmin_admin1.png)
+
+3. Select **SAML Identity Provider** from the left navigation bar and click "Import" to import the metadata file.
+
+	![Configure Palo Alto Single Sign-on](./media/paloaltoglobalprotect-tutorial/tutorial_paloaltoadmin_admin2.png)
+
+4. Perform following actions on the Import window
+
+	![Configure Palo Alto Single Sign-on](./media/paloaltoglobalprotect-tutorial/tutorial_paloaltoadmin_admin3.png)
+
+	a. In the **Profile Name** textbox, provide a name e.g Azure AD GlobalProtect.
+
+	b. In **Identity Provider Metadata**, click **Browse** and select the metadata.xml file which you have downloaded from Azure portal
+
+	c. Click **OK**
+
+### Create Palo Alto Networks - GlobalProtect test user
+
+In this section, a user called B.Simon is created in Palo Alto Networks - GlobalProtect. Palo Alto Networks - GlobalProtect supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Palo Alto Networks - GlobalProtect, a new one is created after authentication.
+
+## Test SSO 
+
+In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+
+When you click the Palo Alto Networks - GlobalProtect tile in the Access Panel, you should be automatically signed in to the Palo Alto Networks - GlobalProtect for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+
+## Additional resources
+
+- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+
+- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+
+- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
+
+- [Try Palo Alto Networks - GlobalProtect with Azure AD](https://aad.portal.azure.com/)