Connect Before Logon: SAML Authentication Leading to White Blank Screen
Symptom
- Customer has configured Connect Before Logon (CBL).
- Using SAML for authentication with GlobalProtect.
- After successful authentication via the SAML IdP, users are redirected to a blank white page.
Environment
- Palo Alto Firewalls
- Supported PAN-OS versions
- GlobalProtect with Connect Before Logon (CBL) enabled
- Latest Windows 10 and all Windows 11 clients
Cause
CBL with SAML Limitation:
Connect Before Logon with the SAML authentication method is supported on all GlobalProtect versions when using the older embedded webview (oew). However, a blank screen and JavaScript errors may be displayed intermittently when loading certain external IdP URLs in Connect Before Logon mode. This happens because the older embedded webview uses the legacy IE browser, which has been deprecated in Windows 11. The alternative, the Edge browser-based WebView2, does not support the Connect Before Logon method. GlobalProtect will continue to use the legacy IE-based older embedded webview (oew) with the above limitation.
NOTE: If CBL SAML has been working in an environment, but the SAML IdP changes its code or content to something that is not compatible with IE 11 (older embedded webview), the GP App will display a blank page.
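To check whether an IdP login page is likely to hit the limitation described above, the following added example (not Palo Alto Networks code and not part of the original article) scans saved page HTML for script constructs that IE11 does not support. The sample page, its URL and all function names are constructed for illustration, and the regex checks are heuristic.

```javascript
// Added example (not vendor code): heuristic scan of saved IdP login-page HTML for
// script features the IE11-based older embedded webview cannot run. Hits are leads, not proof.
const CHECKS = [
  // kind "syntax": IE11 cannot parse the script block, so none of it runs.
  { name: "arrow function", kind: "syntax", re: /=>/ },
  { name: "class declaration", kind: "syntax", re: /\bclass\s+[A-Za-z_$][\w$]*[^{;]*\{/ },
  { name: "async/await", kind: "syntax", re: /\basync\s+function\b|\bawait\s/ },
  { name: "optional chaining", kind: "syntax", re: /\?\.[A-Za-z_$]/ },
  { name: "nullish coalescing", kind: "syntax", re: /\?\?/ },
  { name: "spread/rest", kind: "syntax", re: /\.\.\./ },
  // kind "api": absent in IE11 unless the page ships a polyfill.
  { name: "fetch", kind: "api", re: /\bfetch\s*\(/ },
  { name: "Promise", kind: "api", re: /\bPromise\b/ },
];

// Replace quoted strings, then drop comments, so their contents do not match.
function stripStringsAndComments(js) {
  return js
    .replace(/"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'/g, '""')
    .replace(/\/\*[\s\S]*?\*\/|\/\/[^\n]*/g, "");
}

function scanIdpPage(html) {
  const findings = [];
  const external = []; // src URLs: these files must be fetched and scanned separately
  const add = (name, kind) => {
    if (!findings.some((f) => f.name === name)) findings.push({ name, kind });
  };
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) { external.push(src[1]); continue; }
    if (body.includes("`")) add("template literal", "syntax");
    const code = stripStringsAndComments(body);
    for (const c of CHECKS) if (c.re.test(code)) add(c.name, c.kind);
  }
  return { findings, external };
}

// Constructed sample page, not taken from any real IdP.
const SAMPLE_PAGE = [
  '<html><body><div id="app"></div><script src="https://idp.example.com/static/login.js"></script>',
  '<script>  // old style: var x = "a => b";',
  '  const render = (u) => { document.getElementById("app").textContent = `Hi ${u}`; };',
  '  fetch("/session").then(function (r) { return r.text(); }).then(render);',
  '</script></body></html>',
].join("\n");
console.log(scanIdpPage(SAMPLE_PAGE));
```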
Resolution
From the GP App perspective, it is a limitation if the SAML IdP sends content (e.g. JavaScript) that is not compatible with IE11 (older embedded webview), and there is no solution or workaround.