GlobalProtect Authentication Settings

Overview

The AuthSettings class provides functionality to manage GlobalProtect authentication settings in Palo Alto Networks' Strata Cloud Manager. This class inherits from BaseObject and provides methods for creating, retrieving, updating, deleting, and reordering authentication settings objects for GlobalProtect mobile agent configurations.

Core Methods

Method	Description	Parameters	Return Type
`create()`	Creates a new authentication settings	`data: Dict[str, Any]`	`AuthSettingsResponseModel`
`get()`	Retrieves settings by ID	`object_id: str`	`AuthSettingsResponseModel`
`update()`	Updates existing settings	`object_id: str, data: Dict[str, Any]`	`AuthSettingsResponseModel`
`delete()`	Deletes authentication settings	`object_id: str`	`None`
`list()`	Lists settings with filtering	`folder: str`, `**filters`	`List[AuthSettingsResponseModel]`
`fetch()`	Gets settings by name and folder	`name: str`, `folder: str`	`AuthSettingsResponseModel`
`move()`	Reorders authentication settings	`move_data: Dict[str, Any]`	`None`

Authentication Settings Model Attributes

Attribute	Type	Required	Description
`name`	str	Yes	Name of the authentication settings (max 63 chars)
`authentication_profile`	str	Yes	Name of the authentication profile to use
`os`	OperatingSystem	No	Target operating system (defaults to "Any")
`user_credential_or_client_cert_required`	bool	No	Whether user credentials or client certificate is required
`folder`	str	Yes	Must be "Mobile Users" for all operations

Exceptions

Exception	HTTP Code	Description
`InvalidObjectError`	400	Invalid settings data or format
`MissingQueryParameterError`	400	Missing required parameters
`NameNotUniqueError`	409	Authentication settings name already exists
`ObjectNotPresentError`	404	Authentication settings not found
`AuthenticationError`	401	Authentication failed
`ServerError`	500	Internal server error

Basic Configuration

The AuthSettings service can be accessed using either the unified client interface (recommended) or the traditional service instantiation.

Unified Client Interface (Recommended)

from scm.client import ScmClient
# Initialize clientclient = ScmClient(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
# Access the AuthSettings service directly through the client# No need to create a separate AuthSettings instanceauth_settings = client.auth_settings

Traditional Service Instantiation (Legacy)

from scm.client import Scm
from scm.config.mobile_agent import AuthSettings
# Initialize clientclient = Scm(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
# Initialize AuthSettings object explicitlyauth_settings = AuthSettings(client)

Note

While both approaches work, the unified client interface is recommended for new development as it provides a more streamlined developer experience and ensures proper token refresh handling across all services.

Usage Examples

Creating Authentication Settings

from scm.client import ScmClient
# Initialize clientclient = ScmClient(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
# Prepare authentication settings configurationauth_settings_config = {
"name": "windows_auth",
"authentication_profile": "windows-sso-profile",
"os": "Windows",
"user_credential_or_client_cert_required": True,
"folder": "Mobile Users" # Must be "Mobile Users"
}
# Create the authentication settingsnew_auth_settings = client.auth_settings.create(auth_settings_config)
print(f"Created authentication settings: {new_auth_settings.name}")
# Another example for a different operating systemios_auth_config = {
"name": "ios_auth",
"authentication_profile": "mobile-cert-auth",
"os": "iOS",
"user_credential_or_client_cert_required": False,
"folder": "Mobile Users"
}
# Create iOS authentication settingsios_auth_settings = client.auth_setting.create(ios_auth_config)

Retrieving Authentication Settings

# Fetch by name and folder (folder must be "Mobile Users")auth_settings = client.auth_setting.fetch(name="windows_auth", folder="Mobile Users")
print(f"Found authentication settings: {auth_settings.name}")
# Get by IDauth_settings_by_id = client.auth_setting.get(auth_settings.id)
print(f"Retrieved authentication settings: {auth_settings_by_id.name}")

Updating Authentication Settings

# Prepare update dataupdate_data = {
"name": "windows_auth_updated",
"authentication_profile": "updated-profile",
"user_credential_or_client_cert_required": False
}
# Get the existing settingsauth_settings = client.auth_setting.fetch(name="windows_auth", folder="Mobile Users")
# Update the settingsupdated_settings = client.auth_setting.update(auth_settings.id, update_data)
print(f"Updated authentication settings: {updated_settings.name}")

Listing Authentication Settings

# List all authentication settings (always from "Mobile Users" folder)all_settings = client.auth_setting.list()
# Process resultsfor setting in all_settings:
print(f"Name: {setting.name}, OS: {setting.os}, Profile: {setting.authentication_profile}")

Ordering Authentication Settings

The GlobalProtect authentication settings evaluation order is important, as settings are evaluated from top to bottom. The move() method allows you to reorder authentication settings in the configuration.

# Move a settings entry to the top of the listtop_move_config = {
"name": "windows_auth",
"where": "top"
}
client.auth_setting.move(top_move_config)
# Move a settings entry to the bottom of the listbottom_move_config = {
"name": "android_auth",
"where": "bottom"
}
client.auth_setting.move(bottom_move_config)
# Move a settings entry before another entrybefore_move_config = {
"name": "ios_auth",
"where": "before",
"destination": "android_auth"
}
client.auth_setting.move(before_move_config)
# Move a settings entry after another entryafter_move_config = {
"name": "browser_auth",
"where": "after",
"destination": "ios_auth"
}
client.auth_setting.move(after_move_config)

Controlling Pagination with max_limit

The SDK supports pagination through the max_limit parameter, which defines how many objects are retrieved per API call. By default, max_limit is set to 2500. The API itself imposes a maximum allowed value of 5000.

Example:

from scm.client import ScmClient
from scm.config.mobile_agent import AuthSettings
# Initialize clientclient = ScmClient(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
# Two options for setting max_limit:# Option 1: Create a custom AuthSettings instance with max_limitauth_settings_service = AuthSettings(client, max_limit=1000)
all_settings1 = auth_settings_service.list()
# Option 2: Use the unified client interface directly (uses default max_limit of 2500)all_settings2 = client.auth_setting.list()

Deleting Authentication Settings

# Get the authentication settingsauth_settings = client.auth_setting.fetch(name="windows_auth", folder="Mobile Users")
# Delete the settings by IDclient.auth_setting.delete(auth_settings.id)
print(f"Deleted authentication settings: {auth_settings.name}")

Managing Configuration Changes

Performing Commits

# Prepare commit parameterscommit_params = {
"folders": ["Mobile Users"],
"description": "Updated GlobalProtect authentication settings",
"sync": True,
"timeout": 300 # 5 minute timeout
}
# Commit the changesresult = client.commit(**commit_params)

print(f"Commit job ID: {result.job_id}")

Monitoring Jobs

# Get status of specific jobjob_status = client.get_job_status(result.job_id)
print(f"Job status: {job_status.data[0].status_str}")
# List recent jobsrecent_jobs = client.list_jobs(limit=10)
for job in recent_jobs.data:
print(f"Job {job.id}: {job.type_str} - {job.status_str}")

Error Handling

from scm.client import ScmClient
from scm.exceptions import (
InvalidObjectError,
MissingQueryParameterError,
NameNotUniqueError,
ObjectNotPresentError
)
# Initialize clientclient = ScmClient(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)

try:
# Create authentication settings
auth_settings_config = {
"name": "windows_auth",
"authentication_profile": "windows-sso-profile",
"os": "Windows",
"user_credential_or_client_cert_required": True,
"folder": "Mobile Users"
}

new_auth_settings = client.auth_setting.create(auth_settings_config)

# Commit changes
result = client.commit(
folders=["Mobile Users"],
description="Added GlobalProtect authentication settings",
sync=True
)

# Check job status
status = client.get_job_status(result.job_id)

except InvalidObjectError as e:
print(f"Invalid authentication settings data: {e.message}")
except NameNotUniqueError as e:
print(f"Authentication settings name already exists: {e.message}")
except ObjectNotPresentError as e:
print(f"Authentication settings not found: {e.message}")
except MissingQueryParameterError as e:
print(f"Missing parameter: {e.message}")

Best Practices

Client Usage
- Use the unified client interface (client.auth_setting) for streamlined code
- Create a single client instance and reuse it across your application
- Perform commit operations directly on the client object (client.commit())
- For custom max_limit settings, create a dedicated service instance if needed
Folder Management
- Always use "Mobile Users" as the folder for authentication settings
- Remember that the folder is required for create operations
Error Handling
- Implement comprehensive error handling for all operations
- Check job status after commits
- Handle specific exceptions before generic ones
- Log error details for troubleshooting
Authentication Order
- Consider the evaluation order of authentication settings
- Use the move() method to ensure proper ordering of settings
- Place more specific OS settings before more general ones
Performance
- Reuse client instances
- Implement proper retry mechanisms
- Cache frequently accessed objects
Security
- Follow the least privilege principle
- Validate input data
- Use secure connection settings
- Implement proper authentication handling

Full Script Examples

Refer to the auth_settings.py example.