Connect Before Logon: SAML Authentication Leading to White Blank Screen

Created On 04/29/24 11:22 AM - Last Modified 01/12/26 23:26 PM


Symptom


  • Customer has configured Connect Before Logon (CBL) for GlobalProtect
  • Using SAML authentication for CBL 
  • After successful authentication via the SAML IdP, users are redirected to a white blank page.

[Screenshot: white blank screen shown after SAML authentication]



Environment


  • Palo Alto Firewalls
  • Supported PAN-OS versions
  • GlobalProtect with Connect Before Logon (CBL) enabled using SAML authentication
  • Latest Windows 10 and all Windows 11 clients


Cause


CBL with SAML Limitation: 
Connect Before Logon with the SAML authentication method is supported on all GlobalProtect versions when using the older embedded webview (oew). However, a blank screen and JavaScript errors may intermittently appear when loading certain external IdP URLs in Connect Before Logon mode. This issue arises because the older embedded webview uses the legacy IE browser engine, which has been deprecated in Windows 11. The alternative Edge-based WebView2 does not support the Connect Before Logon method, so GlobalProtect will continue to use the legacy IE-based older embedded webview (oew) with the above limitation.


Technical Explanation: The current GlobalProtect implementation relies on the MSHTML/Trident engine (the underlying webview platform used by the IE 11 browser) during SAML authentication for Connect Before Logon (CBL). Microsoft officially retired the Internet Explorer (IE11) desktop application on June 15, 2022. However, the underlying MSHTML/Trident engine is supported through 2029.

Reference: IE 11 Retirement: What Does This Mean for Microsoft Access Apps?


NOTE: In documentation and threads, "older embedded WebView (oew)" and "IE 11 browser" are casually or interchangeably used to refer to the MSHTML/Trident engine, which could create the impression that the GP App supports the deprecated IE 11 browser.

NOTE: If CBL SAML has been working in an environment, but the SAML IdP changes its code or content to something that is not compatible with MSHTML/Trident (or IE11), the GP App will display a blank page or a loading screen.

NOTE: In some cases, GP App logs show a loading script error, but in many cases they show no error at all.



Resolution


From the GP App perspective this is a limitation: if the SAML IdP sends content (e.g. JavaScript) that is not compatible with MSHTML/Trident (or IE11), the login page cannot render.

Check with the SAML IdP whether it can serve content that is compatible with MSHTML/Trident (or IE 11).


Or use CBL with other authentication methods such as LDAP/RADIUS or certificate authentication (smart card).
Or use the Pre-logon connect method with a machine certificate.
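The "check with the SAML IdP" step is easier if you can see what the IdP login page actually ships to the client. The following is an added diagnostic example, not part of this article and not a Palo Alto Networks or GlobalProtect tool: it parses a saved copy of the IdP login page, collects its inline and external scripts, and flags JavaScript syntax and APIs that the MSHTML/Trident (IE11) engine does not implement. The pattern list is a heuristic I chose (arrow functions, let/const, template literals, classes, async/await, fetch, Promise, optional chaining) and is illustrative rather than exhaustive; the sample HTML is constructed for the example. The X-UA-Compatible check is my own assumption that an MSHTML-based embedded webview may fall back to a legacy document mode unless the page requests IE=edge; the article does not state this.

```python
import re
from html.parser import HTMLParser

# Heuristic list of JavaScript syntax and APIs that MSHTML/Trident (IE11)
# does not implement. Illustrative, not exhaustive (assumption of this example).
IE11_INCOMPATIBLE = [
    ("arrow function", re.compile(r"=>")),
    ("let/const declaration", re.compile(r"\b(?:let|const)\s+[A-Za-z_$]")),
    ("template literal", re.compile(r"`[^`]*\$\{")),
    ("class declaration", re.compile(r"\bclass\s+[A-Za-z_$][\w$]*\s*(?:extends\s+[\w.$]+\s*)?\{")),
    ("async/await", re.compile(r"\basync\b|\bawait\s")),
    ("fetch() API", re.compile(r"\bfetch\s*\(")),
    ("Promise", re.compile(r"\bPromise\b")),
    ("optional chaining", re.compile(r"\?\.")),
]


class _ScriptCollector(HTMLParser):
    """Collects inline <script> bodies, external script src values, and
    whether the page carries an X-UA-Compatible meta tag."""

    def __init__(self):
        super().__init__()
        self.inline = []          # bodies of <script> tags without src
        self.external = []        # src values of <script src="..."> tags
        self.x_ua_compatible = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs_dict = dict(attrs)
        if tag == "script":
            src = attrs_dict.get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self.inline.append("")
        elif tag == "meta":
            if (attrs_dict.get("http-equiv") or "").lower() == "x-ua-compatible":
                self.x_ua_compatible = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw data; it may arrive in chunks.
        if self._in_script:
            self.inline[-1] += data


def find_ie11_incompatibilities(html: str) -> dict:
    """Scan a saved IdP login page and report constructs Trident cannot run.

    Returns inline findings as (script_index, description) tuples, the list
    of external script URLs (which must be fetched and scanned separately),
    and whether an X-UA-Compatible meta tag is present."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for index, body in enumerate(collector.inline):
        for name, pattern in IE11_INCOMPATIBLE:
            if pattern.search(body):
                findings.append((index, name))
    return {
        "inline_findings": findings,
        "external_scripts": collector.external,
        "has_x_ua_compatible": collector.x_ua_compatible,
    }


# Constructed sample login page: one legacy (ES5) inline script that IE11 can
# run, and one modern inline script that would leave the CBL webview blank.
SAMPLE_IDP_PAGE = """<!DOCTYPE html>
<html><head><title>Sign in (constructed sample)</title>
<script src="/static/login-bundle.js"></script>
<script>
  var form = document.getElementById("login");
  var xhr = new XMLHttpRequest();
</script>
</head><body>
<script>
  const submit = async () => {
    const r = await fetch("/api/session", { method: "POST" });
    return r.ok ? `ok ${r.status}` : "failed";
  };
</script>
</body></html>
"""

if __name__ == "__main__":
    report = find_ie11_incompatibilities(SAMPLE_IDP_PAGE)
    for index, name in report["inline_findings"]:
        print(f"inline script #{index}: {name}")
    for src in report["external_scripts"]:
        print(f"external script to scan separately: {src}")
    print("X-UA-Compatible meta present:", report["has_x_ua_compatible"])
```

Save the IdP login page from a working browser session (or from a packet capture of the CBL flow) and pass its HTML to `find_ie11_incompatibilities`; any finding on an inline script, or on an external bundle scanned the same way, is a concrete item to raise with the IdP team, and a page with no X-UA-Compatible tag is worth asking about as well. A clean result does not prove compatibility, since the heuristic only covers common syntax and APIs, so treat it as a first filter before reading the GP App logs.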



Article URL: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OgUCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail