GlobalProtect client fails to connect to identity provider (IdP) when using Embedded browser for SAML
Created On 03/26/24 00:58 AM - Last Modified 01/29/25 03:49 AM
Symptom
- The GlobalProtect client is configured to authenticate with SAML using the Embedded browser.
- Nothing on the client machine's local network is being blocked, yet the GlobalProtect app intermittently fails to connect.
- The failure occurs because the embedded browser cannot reach the SAML identity provider (IdP) and shows browser errors such as "Can't reach this page" or "Your internet access is blocked".
- The issue is not observed if the user switches to the Default browser for SAML.
- The connection eventually succeeds after the user retries several times.
Environment
- GlobalProtect (GP) App
- SAML authentication with Embedded browser.
- App versions 6.0.8, 6.1.4, 6.2.2 and earlier.
Cause
This is a known issue in the GlobalProtect app's handling of the SAML authentication message flow when TLS 1.3 is negotiated with the IdP.
Resolution
- The issue is fixed under GPC-19745 in app versions 6.0.10, 6.1.5 and 6.2.3.
- Upgrading to one of the fixed versions or later resolves the issue.
Workaround:
- The issue is not observed when using the Default browser for SAML, so switching to it can serve as a workaround or as a permanent resolution.
- Another workaround is to disable TLS 1.3 on the client machine; consult the OS vendor's documentation for the procedure. Note that this change applies to every TLS client on the host, not just GlobalProtect, so treat it as a temporary measure until the app is upgraded. Confirm first that the IdP still accepts TLS 1.2: if it only negotiates TLS 1.3, disabling TLS 1.3 on the client will prevent SAML authentication entirely.
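The following script is an added diagnostic example, not code from the Palo Alto Networks article or from the GlobalProtect app. It does two things a practitioner would want before applying the workaround above: it classifies a GlobalProtect app version against the fix boundaries the article gives (6.0.10, 6.1.5, 6.2.3), and it probes an IdP host to see which TLS version a standard client negotiates with TLS 1.3 offered and with the client capped at TLS 1.2, which is what the "disable TLS 1.3 on the client" workaround amounts to. The IdP hostname `idp.example.com` in the usage line is a placeholder; the script uses only the Python standard library.

```python
"""Check a GlobalProtect app version against the GPC-19745 fix boundaries and
probe which TLS version an IdP negotiates with and without TLS 1.3 offered.

Added example; not part of the Palo Alto Networks article or the GlobalProtect
app. Fix versions are taken from the article; everything else is assumption.
"""
import socket
import ssl
import sys
from typing import Dict, Optional, Tuple

# Fix versions per release train, from the article: builds below these
# in the same train predate the fix and are treated as affected.
FIXED_IN: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (6, 0): (6, 0, 10),
    (6, 1): (6, 1, 5),
    (6, 2): (6, 2, 3),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.2.3' into (6, 2, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> Optional[bool]:
    """True if the build predates the fix in its train, False if it is at or
    after the fix, None if the train is not one the article covers."""
    parsed = parse_version(version)
    fixed = FIXED_IN.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < fixed


def negotiated_tls_version(host: str, port: int = 443,
                           allow_tls13: bool = True,
                           timeout: float = 5.0) -> str:
    """Open a TLS connection to host:port and return the negotiated protocol
    name (e.g. 'TLSv1.3' or 'TLSv1.2'). With allow_tls13=False the client caps
    itself at TLS 1.2, which mimics a client machine with TLS 1.3 disabled."""
    ctx = ssl.create_default_context()
    if not allow_tls13:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version() or "unknown"


def probe_idp(host: str, port: int = 443) -> Dict[str, str]:
    """Report what the IdP negotiates when TLS 1.3 is offered and when it is
    not. A failure in the capped probe means the IdP requires TLS 1.3, so the
    client-side workaround would break authentication rather than fix it."""
    results: Dict[str, str] = {}
    for label, allow in (("tls13_offered", True), ("capped_at_tls12", False)):
        try:
            results[label] = negotiated_tls_version(host, port, allow_tls13=allow)
        except (ssl.SSLError, OSError) as exc:
            results[label] = f"handshake failed: {exc}"
    return results


if __name__ == "__main__":
    # Usage: python gp_tls_probe.py <gp-app-version> <idp-host> [port]
    # e.g.   python gp_tls_probe.py 6.1.4 idp.example.com   (placeholder host)
    if len(sys.argv) < 3:
        sys.exit("usage: gp_tls_probe.py <gp-app-version> <idp-host> [port]")
    app_version, idp_host = sys.argv[1], sys.argv[2]
    idp_port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    affected = is_affected(app_version)
    state = {True: "affected (predates fix)", False: "fixed",
             None: "train not listed in the article"}[affected]
    print(f"GlobalProtect app {app_version}: {state}")
    for label, outcome in probe_idp(idp_host, idp_port).items():
        print(f"{idp_host}:{idp_port} {label}: {outcome}")
```

Read the probe output together with the version check: if the app is in the affected range, the IdP reports `TLSv1.3` with TLS 1.3 offered, and the capped probe still succeeds with `TLSv1.2`, then either workaround will take effect. If the capped probe fails, the IdP does not accept TLS 1.2, so the only safe options are the Default browser or upgrading the app.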