GlobalProtect client on iPhone or iPad unable to connect when using SAML authentication

• PAN-OS 8.0 and above.
• GlobalProtect Agent 5.0 and above on iOS iPad or iPhone.
• GlobalProtect configured with Always-On connect method.
• SAML configured for client authentication.

• GlobalProtect iOS application only supports SAML authentication for on-demand connect method (Manual user-initiated connection) due to Apple VPN framework limitation.
• When Always-on mode is deployed to iOS devices, the Apple device blocks the internet connection and since SAML authentication requires internet, it will not work.
• When using a VPN profile in conjunction with MDM, the onDemandEnabled option behaves the same as the GP "Always-on" mode.  Thus, SAML authentication is not supported on iOS devices when a VPN profile is used with onDemandEnabled = 1.  
• Refer to Setup SAML Authentication  for SAML setup

To allow iOS iPhone or iPad to work with Global Protect, we need to have On-demand as the connect method. The best way to accomplish the same is to configure a new agent and move it to the top of the list as shown below:

1. GUI:  Network >GlobalProtect > Portal > (select the portal) > Agent > Add > User/User Group > Add > select iOS in the OS tab instead of Any.

2. GUI: Network >GlobalProtect > Portal > (select the portal) > Agent > (select the new agent) > App > App Configuration > Select On-demand as Connect Method.

3. Fill in other information as appropriate.
4. GUI: Network >GlobalProtect > Portal > (select the portal) > Agent > (select the new agent) >  Use Move Up for the new agent to be the first one in the list.
5. Commit the changes.