GlobalProtect client on iPhone or iPad unable to connect when using SAML authentication
55062
Created On 08/23/19 22:55 PM - Last Modified 04/20/24 02:21 AM
Symptom
Global Protect agent on iOS iPad or iPhone configured with Pre-logon or User-logon using SAML authentication will briefly connect and then get disconnected with the error message: Connection Failed. The internet connection appears to be offline.
Environment
- PAN-OS 8.0 and above.
- GlobalProtect Agent 5.0 and above on iOS iPad or iPhone.
- GlobalProtect configured with Always-On connect method.
- SAML configured for client authentication.
Cause
- GlobalProtect iOS application only supports SAML authentication for on-demand connect method (Manual user-initiated connection) due to Apple VPN framework limitation.
- When Always-on mode is deployed to iOS devices, the Apple device blocks the internet connection and since SAML authentication requires internet, it will not work.
- When using a VPN profile in conjunction with MDM, the onDemandEnabled option behaves the same as the GP "Always-on" mode. Thus, SAML authentication is not supported on iOS devices when a VPN profile is used with onDemandEnabled = 1.
- Refer to Setup SAML Authentication for SAML setup
Resolution
To allow iOS iPhone or iPad to work with Global Protect, we need to have On-demand as the connect method. The best way to accomplish the same is to configure a new agent and move it to the top of the list as shown below:
- GUI: Network >GlobalProtect > Portal > (select the portal) > Agent > Add > User/User Group > Add > select iOS in the OS tab instead of Any.
- GUI: Network >GlobalProtect > Portal > (select the portal) > Agent > (select the new agent) > App > App Configuration > Select On-demand as Connect Method.
- Fill in other information as appropriate.
- GUI: Network >GlobalProtect > Portal > (select the portal) > Agent > (select the new agent) > Use Move Up for the new agent to be the first one in the list.
- Commit the changes.
Additional Information
With the above configuration, the new Agent will take care of iOS Pad and iPhone clients. All other clients will use the second Agent in the list and are not affected.