Single Sign-On (SSO) login prompt not seen during GlobalProtect client authentication while using SAML authentication
Created On 03/13/20 18:48 PM - Last Modified 03/17/20 18:01 PM
Symptom
- GlobalProtect Portal/Gateway is configured with SAML authentication with Azure as the Identity Provider (IdP)
- When the user first attempts to log in to GlobalProtect, the GP client prompts with the Single Sign-On (SSO) screen to authenticate with the IdP
- This SSO login screen is expected upon every login
- However, after a successful initial login, the SSO login screen is not presented on subsequent login attempts, and the user is able to log in successfully without an authentication prompt
Environment
- GlobalProtect Client: Windows/MacOS
- Authentication: SAML
- IdP: Microsoft Azure
Cause
- The URLs used for SSO and SLO on the SAML IdP Server profile are the same when the IdP metadata is imported from Azure
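The condition named under Cause can be checked in the IdP metadata file before it is imported. The following is an added example, not Palo Alto Networks or Microsoft code: it parses SAML 2.0 metadata XML and reports any Location advertised for both SingleSignOnService and SingleLogoutService. The sample metadata is constructed, TENANT-ID-PLACEHOLDER stands in for a tenant, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample, trimmed to the endpoint elements.
# TENANT-ID-PLACEHOLDER is a placeholder, not a real tenant.
SAMPLE_METADATA = f"""
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="{REDIRECT}"
      Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}"
      Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def endpoint_locations(metadata_xml, service):
    """Return the set of Location URLs for one IdP service element."""
    root = ET.fromstring(metadata_xml)
    found = set()
    # iter() also covers metadata wrapped in an EntitiesDescriptor
    for idp in root.iter(MD + "IDPSSODescriptor"):
        for el in idp.findall(MD + service):
            location = (el.get("Location") or "").strip()
            if location:
                found.add(location)
    return found


def check_sso_slo(metadata_xml):
    """Classify the metadata as 'shared', 'no-slo' or 'distinct'."""
    sso = endpoint_locations(metadata_xml, "SingleSignOnService")
    slo = endpoint_locations(metadata_xml, "SingleLogoutService")
    if not slo:
        return "no-slo", []
    shared = sorted(sso & slo)
    return ("shared" if shared else "distinct"), shared


if __name__ == "__main__":
    status, urls = check_sso_slo(SAMPLE_METADATA)
    print(status, urls)
```

A `shared` result means the imported profile would carry the same URL for SSO and SLO, which is the condition this article describes.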
Resolution
1. Enable Single Logout under the Authentication profile
2. Configure the Azure SLO URL below in the SAML Server profile on the firewall
https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0