When using SAML authentication, GlobalProtect prompts for authentication after reboot

Created On 07/18/22 23:16 PM - Last Modified 03/19/24 08:46 AM


Symptom


  • The SAML authentication method is used for GlobalProtect clients.
  • Users are prompted for credentials when the PC is rebooted or woken from sleep.


Environment


  • Palo Alto Networks firewalls or Prisma Access
  • Supported PAN-OS
  • GlobalProtect (GP) Connect-method: User-logon (Always On)
  • SAML authentication


Cause


  • When the laptop is rebooted or woken from sleep, the GP portal is not reachable immediately.
  • In such cases, if SSO is enabled, it overwrites the saved GP username and tries to look up the cached configuration based on the Windows login username.
  • Hence the recommendation is not to enable SSO with SAML.
  • The same behavior applies if authentication override cookies are accepted on the GP gateway.


Resolution


Below are the four configuration settings that should be configured to help achieve this:
  1. Generate and accept cookie with a cookie lifetime of 90 days is enabled on the Portal side.
GUI: Network Tab > GlobalProtect > Portals > GlobalProtect_Portal > Agent > Select the specific agent config
[Image: Portal config - Panorama managed]

  2. Only Accept cookie with a cookie lifetime of 90 days is enabled for the Gateway.
GUI: Network > GlobalProtect > Gateways > GlobalProtect_External_Gateway > Agent > Select the specific agent config > Authentication Override
[Image: Gateway config - Panorama managed]

  3. Single Sign-on for Windows and Mac is unchecked.
GUI: Network > GlobalProtect > Portals > GlobalProtect_Portal > Agent tab > Select the specific agent config > App Tab
[Image: App settings config - Panorama managed]

  4. Save user credentials is set to Save username only.
GUI: Network > GlobalProtect > Portals > GlobalProtect_Portal > Agent tab > Select the specific agent config
[Image: Save User creds config - Panorama managed]

The settings in a Cloud-managed Prisma Access environment are as follows:
  1. Generate and accept cookie with a cookie lifetime of 90 days is enabled on the Portal side.
GUI: Service Setup > GlobalProtect Tab > GlobalProtect App > App Settings > Select the desired app config > Authentication Override

  2. Only Accept cookie with a cookie lifetime of 90 days is enabled for the Gateway.
GUI: Service Setup > GlobalProtect Tab > GlobalProtect App > Tunnel Settings > Select the desired tunnel config > Authentication Override
[Image: Gateway config - cloud managed]

  3. Single Sign-on for Windows and Mac is unchecked.
GUI: Service Setup > GlobalProtect Tab > GlobalProtect App > App Settings > Select the desired app config > App Configuration > Show Advanced Options > Authentication
[Image: App settings config - cloud managed]

  4. Save user credentials is set to Save username only.
GUI: Service Setup > GlobalProtect Tab > GlobalProtect App > App Settings > Select the desired app config > App Configuration > Show Advanced Options > Authentication
[Image: Save User creds config - cloud managed]


Additional Information


How the authentication flow looks when both SAML and GlobalProtect SSO are enabled:
 


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CqbnCAC&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail