How to change GlobalProtect SAML Authentication from embedded browser to System Default Browser on Linux

Created On 02/26/21 17:34 PM - Last Modified 04/28/21 19:18 PM


Objective


This article shows how to enable the system default browser setting for GlobalProtect (GP) SAML authentication on the first login. The setting can be enabled from the Portal itself; however, the app has to connect to the Portal first to fetch the configuration, and by default GP uses the embedded browser.

Environment


Software Support
Supported starting with GlobalProtect™ app 5.2 with Content Release version 8284-6139 or later, running PAN-OS 8.1.17, 9.0.11, 9.1.6, and 10.0.0 releases.


Procedure



1. Open a terminal and change the directory to /opt/paloaltonetworks/globalprotect
cd /opt/paloaltonetworks/globalprotect

2. Open the pangps.xml file.
sudo vi pangps.xml

3. Add <default-browser>yes</default-browser> under <Settings>

[Image: example of the pangps.xml file after adding <default-browser>yes</default-browser> under <Settings>]


4. Save the changes and reboot the machine.

5. After the reboot, when you enter the GP Portal address in the GP UI and click Connect, GP uses your system default browser instead of the embedded webview.
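
Steps 2 and 3 can also be scripted. The following is an added example, not code from this article or from Palo Alto Networks: it sets the element under <Settings> idempotently, keeps a backup, and validates the result before overwriting the file. The function names, the sample file's root element and its placeholder child are assumptions, and the demo runs on a constructed file in a temporary directory.

```bash
#!/usr/bin/env bash
# Added example (not vendor code): set <default-browser>yes</default-browser>
# under <Settings> idempotently, keeping a backup of the original file.
enable_default_browser() {
    local file=$1 tmp rc
    local want='<default-browser>yes</default-browser>'
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # The article places the element under <Settings>; refuse files without it.
    grep -q '<Settings>' "$file" || { echo "no <Settings> in $file" >&2; return 3; }
    grep -qF "$want" "$file" && return 0          # already set: no change
    tmp=$(mktemp) || return 1
    if grep -q '<default-browser>' "$file"; then
        # Element present with another value (for example "no"): rewrite it.
        sed "s|<default-browser>[^<]*</default-browser>|$want|" "$file" > "$tmp"
    else
        # Insert once, directly after the first opening <Settings> tag.
        awk -v want="$want" '!done && sub(/<Settings>/, "<Settings>\n    " want) { done = 1 }
             { print }' "$file" > "$tmp"
    fi
    # Check before touching the real file: exactly one element, and
    # well-formed XML when xmllint happens to be installed.
    if [ "$(grep -cF "$want" "$tmp")" -ne 1 ] ||
       { command -v xmllint >/dev/null 2>&1 && ! xmllint --noout "$tmp" 2>/dev/null; }; then
        rm -f "$tmp"; echo "edit failed validation" >&2; return 4
    fi
    cp -p "$file" "$file.bak" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rc=$?; rm -f "$tmp"; return $rc
}

# Constructed sample; the root element name and the placeholder child are assumptions.
make_sample() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<GlobalProtect>
  <Settings>
    <existing-setting>placeholder</existing-setting>
  </Settings>
</GlobalProtect>
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir/pangps.xml"
enable_default_browser "$demo_dir/pangps.xml" && cat "$demo_dir/pangps.xml"
```

To apply it to the real client, call the function with elevated privileges (the article edits the file with sudo) on /opt/paloaltonetworks/globalprotect/pangps.xml, then reboot as in step 4. The pangps.xml.bak copy left beside the file is the rollback.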


Additional Information


If you have configured the GlobalProtect portal to authenticate end users through Security Assertion Markup Language (SAML) authentication, end users can now connect to the app or other SAML-enabled applications without having to re-enter their credentials, for a seamless single sign-on (SSO) experience. End users can benefit from using the default system browser for SAML authentication because they can leverage the same login for GlobalProtect with their saved user credentials on the default system browser such as Chrome, Firefox, or Safari.
In addition, on any browser that supports the Web Authentication (WebAuthn) API, you can use Universal 2nd Factor (U2F) security tokens such as YubiKeys for multi-factor authentication (MFA) to identity providers (IdPs) such as Onelogin or Okta.


 

