Seamless SAML Authentication with default-browser for GlobalProtect

Created On 10/28/20 17:21 PM - Last Modified 04/29/22 20:29 PM


Symptom


When both the Portal and the Gateway use a SAML authentication profile and the Use Default Browser for SAML Authentication app option is set to Yes, users are prompted in multiple default-browser tabs to authenticate to the Portal and the Gateway respectively.

Environment


  • PAN-OS 9.1.6 or later
  • PAN-OS 10.0.0 or later
  • Content Release version 8284-6139 or later
  • GlobalProtect Client 5.2.x or later
  • Windows (Chrome, Edge, Internet Explorer, and Firefox)
  • macOS (Safari, Chrome, and Firefox)
  • Linux (Firefox and Chrome)
  • iOS (Safari)
  • Android (Chrome)


Cause


  • If SAML authentication is applied to both Portal and Gateway configurations, the users will be prompted twice to authenticate, and new tabs will be opened for each authentication. 
  • New tabs are also opened for events such as connecting to the Best Available gateway, refreshing the connection, disabling then enabling the GlobalProtect app, or disconnecting then reconnecting to the GlobalProtect app.


Resolution


  • For seamless authentication, it is recommended to configure Authentication Override cookies: set the Portal to generate and accept cookies and the gateway to only accept cookies. The user then authenticates to the Portal, and the cookies are used to authenticate to the gateway.
  • You can also deploy the Portal with a certificate profile for client certificate authentication and the gateway with SAML authentication, where the user will be prompted for credentials. One caveat is that the Portal and Gateway must be deployed on separate IP addresses, because if the Gateway is configured on the same IP address as the Portal, the Gateway's SSL-related settings take precedence.


Additional Information


Additional information about this feature can be found in the following admin guide document: Default System Browser for SAML Authentication
