SAML authentication failed for (vsys) user with Reason: "User is not in allowlist" after upgrading firewall to 10.1.x
14030
Created On 08/17/22 02:01 AM - Last Modified 03/09/23 13:04 PM
Symptom
- After upgrading to PAN-OS 10.1.x, (vsys) users are unable to connect to GlobalProtect VPN due to authentication failure.
- SAML SSO authentication fails for (vsys) users with Reason: "User is not in allowlist" in the system log/authd.log.
Environment
- GlobalProtect with SAML Authentication Profile
- NGFW Firewall with (multi-vsys)
- SAML Authentication Profile in shared location
- Upgraded from PAN-OS 10.0 or below to PAN-OS 10.1.4
Cause
- In PAN-OS 10.1 and later, the authentication request is sent with a specific vsys (e.g., vsys2), while the authentication profile is defined in shared.
- Hence the allow list check cannot locate the authentication profile, and the check fails for vsys users after the firewall is upgraded to 10.1.x.
- Prior to PAN-OS 10.1, the authentication request was made in the shared location.
- This is tracked as known issue PAN-190454; the target fix versions are PAN-OS 10.1.9, 11.0.1 and 10.2.4.
Resolution
Upgrade to PAN-OS 10.1.9, 11.0.1, or 10.2.4 to address PAN-190454
Workaround
Move the SAML Auth Profile from the shared location to the corresponding vsys
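A pre-upgrade check, added here as an example and not part of this article or of Palo Alto Networks' own tooling: it parses an exported PAN-OS configuration and lists every GlobalProtect portal or gateway in a vsys whose client authentication references a SAML authentication profile defined under shared, which is the combination described under Cause. The config excerpt is constructed for the example, and the element layout is assumed to follow the standard PAN-OS configuration tree.

```python
import xml.etree.ElementTree as ET

# Constructed sample PAN-OS running-config excerpt (not taken from the article).
# Element layout is assumed to follow the standard PAN-OS configuration tree.
SAMPLE_CONFIG = """<config>
  <shared><authentication-profile>
    <entry name="saml-okta"><method><saml-idp><server-profile>okta</server-profile></saml-idp></method></entry>
    <entry name="ldap-corp"><method><ldap/></method></entry>
  </authentication-profile></shared>
  <devices><entry name="localhost.localdomain"><vsys>
    <entry name="vsys1">
      <authentication-profile>
        <entry name="saml-vsys1"><method><saml-idp><server-profile>okta</server-profile></saml-idp></method></entry>
      </authentication-profile>
      <global-protect><global-protect-portal><entry name="GP-Portal-1">
        <portal-config><client-auth><entry name="auth">
          <authentication-profile>saml-vsys1</authentication-profile>
        </entry></client-auth></portal-config>
      </entry></global-protect-portal></global-protect>
    </entry>
    <entry name="vsys2">
      <global-protect><global-protect-gateway><entry name="GP-GW-2">
        <client-auth><entry name="auth">
          <authentication-profile>saml-okta</authentication-profile>
        </entry></client-auth>
      </entry></global-protect-gateway></global-protect>
    </entry>
  </vsys></entry></devices>
</config>"""


def find_shared_saml_refs(config_xml):
    """Return (vsys, object, profile) for each GlobalProtect portal/gateway in a
    vsys whose client-auth references a SAML auth profile defined under shared.
    Profiles defined inside the vsys itself (the article's workaround) are not flagged."""
    root = ET.fromstring(config_xml)
    shared_saml = {e.get("name") for e in root.findall("shared/authentication-profile/entry")
                   if e.find("method/saml-idp") is not None}
    hits = []
    for vsys in root.findall("devices/entry/vsys/entry"):
        local = {e.get("name") for e in vsys.findall("authentication-profile/entry")}
        for kind in ("global-protect-portal", "global-protect-gateway"):
            for obj in vsys.findall(f"global-protect/{kind}/entry"):
                for ref in obj.iter("authentication-profile"):
                    name = (ref.text or "").strip()
                    if name in shared_saml and name not in local:
                        hits.append((vsys.get("name"), obj.get("name"), name))
    return hits

print(find_shared_saml_refs(SAMPLE_CONFIG))  # [('vsys2', 'GP-GW-2', 'saml-okta')]
```

Point it at a named configuration snapshot exported from the firewall; an empty result means no vsys GlobalProtect object depends on a shared SAML profile, so the condition behind PAN-190454 does not apply.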