Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
Single Sign-On (SSO) login prompt not seen during GlobalProtect... - Knowledge Base - Palo Alto Networks

Single Sign-On (SSO) login prompt not seen during GlobalProtect client authentication while using SAML authentication

75780
Created On 03/13/20 18:48 PM - Last Modified 03/17/20 18:01 PM


Symptom


  • GlobalProtect Portal/Gateway is configured with SAML authentication with Azure as the Identity Provider (IdP)
  • Once the user attempts to login to GlobaProtect, the GP client prompts with Single Sign-On (SSO) screen to authenticate with IdP during the 1st login attempt
  • Below SSO login screen is expected upon every login
User-added image
  • However, during subsequent login attempts, SSO login screen is not prompted during client authentication and user is able to login successfully (without authentication prompt) upon successful initial login


Environment


  • GlobalProtect Client: Windows/MacOS
  • Authentication: SAML
  • IdP: Microsoft Azure


Cause


  • URL being used for SSO and SLO on the SAML IdP Server profile are the same when IdP metadata is imported from Azure
 
User-added image


Resolution


1. Enable Single Logout under Authentication profile
 
User-added image

 
2. Configure below Azure SLO URL in the SAML Server profile on the firewall
    https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

 
User-added image


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP33CAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail