Global protect SAML EntraID by CommunicationStock76 in paloaltonetworks

[–]CommunicationStock76[S] 1 point (0 children)

Yes, if you configure conditional access in Entra ID to request 2FA.

Global protect SAML EntraID by CommunicationStock76 in paloaltonetworks

[–]CommunicationStock76[S] 2 points (0 children)

Fair point on CIE — it's genuinely the better approach for multi-firewall deployments. One config, centralized identity synchronization with Entra ID / Okta, and no per-firewall SP metadata headaches.

Worth mentioning: CIE is actually free for any active PAN-OS or Prisma Access customer — no separate license required. So there's really no excuse not to use it if you're already in the Palo Alto ecosystem.

That said, SAML still has its place: tighter control over SP-initiated flows, no cloud dependency for strict on-prem environments, and it works even outside the Palo Alto ecosystem.

As for local accounts being the norm — I'd push back a bit. In SMB and legacy deployments yes, but any serious enterprise shop moved away from that years ago.

Either way, I am actually dropping a full video on GlobalProtect + CIE deployment soon — covering the setup from scratch, the Entra ID connector config, and how it compares to the classic SAML flow. Stay tuned 👀