Single Sign-On (SSO) login prompt not seen during GlobalProtect client authentication while using SAML authentication


Created On 03/13/20 18:48 PM - Last Updated 03/17/20 18:01 PM


Symptom
  • GlobalProtect Portal/Gateway is configured with SAML authentication with Azure as the Identity Provider (IdP)
  • When the user first attempts to log in to GlobalProtect, the GP client prompts with the Single Sign-On (SSO) screen to authenticate with the IdP
  • The SSO login screen is expected on every login
  • However, during subsequent login attempts the SSO login screen is not prompted during client authentication, and the user is able to log in successfully (without an authentication prompt) after the initial successful login


Environment
  • GlobalProtect Client: Windows/MacOS
  • Authentication: SAML
  • IdP: Microsoft Azure


Cause
  • The URLs used for SSO and SLO in the SAML IdP Server profile are the same when the IdP metadata is imported from Azure


Resolution
1. Enable Single Logout under the Authentication profile

 
2. Configure the Azure SLO URL below in the SAML Server profile on the firewall:
    https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
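The check below is an added example, not part of this article or of any Palo Alto Networks tooling: it parses IdP metadata (a constructed sample with a placeholder tenant id, shaped like the Azure metadata the firewall imports) and flags the condition described in the Cause section, an SLO URL identical to the SSO URL, proposing the article's ws-federation sign-out URL in its place.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# SLO URL given in the resolution step above
AZURE_WSFED_SIGNOUT_URL = "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"

# Constructed sample IdP metadata; TENANT-ID-PLACEHOLDER stands in for a real tenant id.
# As in metadata exported from Azure, SingleLogoutService and SingleSignOnService share one URL.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def extract_endpoints(metadata_xml, binding=HTTP_REDIRECT):
    """Return (sso_url, slo_url) for the requested binding, None where the service is absent."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", MD_NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def location(tag):
        for svc in idp.findall(f"md:{tag}", MD_NS):
            if svc.get("Binding") == binding:
                return svc.get("Location")
        return None

    return location("SingleSignOnService"), location("SingleLogoutService")


def check_idp_profile(metadata_xml):
    """Flag an imported profile whose SLO URL equals its SSO URL and suggest the distinct SLO URL."""
    sso, slo = extract_endpoints(metadata_xml)
    same = sso is not None and sso == slo
    return {
        "sso_url": sso,
        "slo_url": slo,
        "slo_same_as_sso": same,
        "suggested_slo_url": AZURE_WSFED_SIGNOUT_URL if same else slo,
    }
```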



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP33CAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail