SAML Duo authentication fails on Linux GlobalProtect clients when a Trusted Endpoints certificate is deployed manually
12757
Created On 01/18/21 20:21 PM - Last Modified 01/29/21 00:01 AM
Symptom
- SAML Duo authentication fails on the Linux GlobalProtect client when the Duo Trusted Endpoints certificate has been deployed manually on the Linux machine.
- After the user enters SAML credentials, verification of the Trusted Endpoints certificate installed on the machine fails and authentication is rejected.
Environment
- Linux GlobalProtect client
- SAML Duo authentication
- GlobalProtect version 5.2.0 and higher
Cause
- The embedded browser that the Linux GlobalProtect client uses for SAML authentication has a limitation: it cannot verify the Trusted Endpoints certificate installed on the machine, so the Duo device check does not pass and authentication fails.
Resolution
- Configure GlobalProtect to use the system default browser for SAML authentication:
- On the firewall, set "Use Default Browser for SAML Authentication" to Yes in the portal agent configuration: Network > GlobalProtect > Portals > (select your portal) > Agent > (select the client config) > App, then click OK and commit.
- On each Linux endpoint, add the default-browser setting with a value of yes under <settings> in the pre-deployment configuration file /opt/paloaltonetworks/globalprotect/pangps.xml.
- Reboot the Linux endpoint after adding the default-browser value; the change does not take effect until the endpoint has been rebooted.
- The Linux GlobalProtect client then opens the system default browser for SAML Duo authentication. That browser can verify the Trusted Endpoints certificate installed on the machine, and authentication succeeds.
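The endpoint-side part of the procedure above (adding the default-browser value to pangps.xml and confirming it is set) as a shell script. This is an added example and not Palo Alto Networks code or part of the original article: the file path and the default-browser element name come from the article, while the GlobalProtect/Settings wrapper elements in the constructed sample file are an assumption and should be checked against the real file on the endpoint.

```shell
#!/bin/sh
# Added example (not Palo Alto Networks code): idempotently set
# <default-browser>yes</default-browser> in a GlobalProtect pangps.xml and
# read the value back. The path and the default-browser element come from the
# article; the GlobalProtect/Settings wrapper elements in the constructed
# sample below are an assumption, so compare them with the real file first.
set -eu

# Set (or update) the default-browser value under the settings element.
# Usage: set_default_browser /opt/paloaltonetworks/globalprotect/pangps.xml yes
# The real file is owned by root, so run this with sudo on an endpoint.
set_default_browser() {
  file="$1"
  value="${2:-yes}"
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  tmp="$file.tmp.$$"
  awk -v val="$value" '
    # element already present: rewrite its value in place
    /<default-browser>/ {
      sub(/<default-browser>[^<]*<\/default-browser>/, "<default-browser>" val "</default-browser>")
      seen = 1
    }
    # element absent: insert it just before the closing settings tag
    # (matched in either case, since the article writes it in lowercase)
    /<\/[Ss]ettings>/ && !seen {
      print "    <default-browser>" val "</default-browser>"
      seen = 1
    }
    { print }
  ' "$file" > "$tmp"
  cp -p "$file" "$file.bak"          # keep a backup of the hand-edited file
  cat "$tmp" > "$file"               # overwrite in place to keep owner and mode
  rm -f "$tmp"
}

# Print the configured default-browser value (empty if the element is absent).
# Use this after the reboot to confirm the setting survived.
default_browser_value() {
  sed -n 's|.*<default-browser>\([^<]*\)</default-browser>.*|\1|p' "$1" | head -n 1
}

# Constructed sample pangps.xml for demonstration only.
demo_dir=$(mktemp -d)
sample="$demo_dir/pangps.xml"
cat > "$sample" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<GlobalProtect>
  <Settings>
    <!-- other agent settings -->
  </Settings>
</GlobalProtect>
EOF

set_default_browser "$sample" yes
echo "default-browser: $(default_browser_value "$sample")"
# A second run must update, not duplicate, the element.
set_default_browser "$sample" yes
echo "default-browser elements: $(grep -c '<default-browser>' "$sample")"
echo "reboot the endpoint for the change to take effect"
```

The script edits the file in place rather than replacing it, so the ownership and mode of pangps.xml are preserved, and it keeps a .bak copy because the portal-pushed settings in that file are otherwise not recoverable from the endpoint. The reboot step from the article is still required after the edit.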