How to troubleshoot when the GlobalProtect client does not prompt for SAML authentication on the first connection when using a proxy
Created On 02/09/21 06:04 AM - Last Modified 04/11/25 19:17 PM
Symptom
- The GP client is being deployed in a large environment where it is required to use SAML authentication.
- The client fails to pop up the browser window for IdP authentication.
- The user environment does not allow DNS resolution of external names such as that of the IdP (Identity Provider), as shown in the diagram below.
GP client ————> Portal address (local DNS can resolve the portal FQDN)
GP client <———— Portal sends a SAML redirect to the IdP (for example Azure AD, Okta)
GP client ————> Sends a DNS query for the IdP FQDN to the configured DNS server and gets no answer
The expectation is that the GP client should send the SAML connection request for the IdP through the proxy server configured in the client's default browser, which it does not do.
Environment
- GlobalProtect (GP) app installed on Windows for the first time
- GP client version 5.2.x or later
- GP portal app configuration has the use-default-browser setting (knob) set to Yes
- Prisma Access or Strata firewalls with a GP configuration
- The user environment uses a proxy for network connections
Cause
- The GlobalProtect client cannot resolve the SAML IdP address and does not yet have the default-browser registry value enabled.
- This means it will not use the proxy (PAC) file configured in the browser to reach the IdP.
- This is captured in the PanGPS logs:
saml-auth-error is Failed to connect to authentication server. Retry after some time or contact your IT help desk to resolve the issue.
Note: The above connection is expected to work if the client uses a single proxy server IP/FQDN instead of a Proxy Auto-Configuration (PAC) file. The above error is only observed when a PAC file is used.
Resolution
- Connect the client for the first time with a single proxy server configured instead of a PAC file. OR
- Install the client from the command line with the default-browser option:
msiexec.exe /i GlobalProtect.msi DEFAULTBROWSER=YES
- When installed this way, default-browser is displayed as "Yes" under the GlobalProtect registry settings.
- With the above registry value set, the GP client uses the proxy file and the applicable proxy server to send the connection request to the IdP through the default browser (for example IE) instead of the embedded browser.
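As an added example (not part of the original article and not Palo Alto Networks code), the following PowerShell script reproduces the diagnosis in the Symptom and Cause sections and applies the Resolution on a Windows endpoint. It assumes the GlobalProtect setup values live under HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup in a value named default-browser, that the browser proxy configuration is the standard WinINET settings under HKCU, and uses placeholder portal and IdP FQDNs; verify the key path against your own installed build before relying on it.

```powershell
# Added example: diagnose and remediate the first-connection SAML-over-PAC case.
# Not Palo Alto Networks code. Assumed (verify on your build):
#   - GP setup values: HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup, value "default-browser"
#   - Browser proxy settings: HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings
#   - The FQDNs below are placeholders.
param(
    [string]$PortalFqdn = 'portal.example.com',        # placeholder
    [string]$IdpFqdn    = 'login.microsoftonline.com', # placeholder (Azure AD)
    [string]$MsiPath    = '.\GlobalProtect.msi',
    [switch]$Install
)

$gpSetupKey = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'   # assumed path
$inetKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-NameResolution([string]$Name) {
    # Uses the client's configured DNS servers, which is exactly what the
    # embedded browser does when it cannot use the PAC file.
    try { $null = Resolve-DnsName -Name $Name -ErrorAction Stop; return $true }
    catch { return $false }
}

# 1. Reproduce the symptom: the portal resolves, the IdP does not.
"Portal $PortalFqdn resolves: $(Test-NameResolution $PortalFqdn)"
"IdP    $IdpFqdn resolves: $(Test-NameResolution $IdpFqdn)"

# 2. Determine the browser proxy mode. A PAC file (AutoConfigURL) is the case the
#    article says fails on first connect; a static ProxyServer is expected to work.
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
if ($inet.AutoConfigURL) {
    "Proxy mode: PAC file -> $($inet.AutoConfigURL)"
} elseif ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer) {
    "Proxy mode: static proxy -> $($inet.ProxyServer)"
} else {
    "Proxy mode: none configured"
}

# 3. Optionally run the install from the article with the default-browser option
#    (/qn is the standard msiexec quiet switch; drop it for an interactive install).
if ($Install) {
    $msiArgs = "/i `"$MsiPath`" DEFAULTBROWSER=YES /qn"
    Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait
}

# 4. Confirm the registry value the article says the install writes.
$defaultBrowser = (Get-ItemProperty -Path $gpSetupKey -ErrorAction SilentlyContinue).'default-browser'
if ($defaultBrowser -eq 'yes') {
    "default-browser = yes: the SAML redirect is handed to the default browser and its PAC/proxy."
} else {
    "default-browser = '$defaultBrowser': the embedded browser is used; expect the saml-auth-error with a PAC file."
}
```

Run it first without -Install to confirm the DNS and proxy-mode findings match the symptom, then with -Install (from an elevated prompt) to apply the fix and re-check the registry value. Remember that the portal app configuration must also have the default browser option enabled, otherwise the client overwrites the value on its first portal download.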
Additional Information
- The portal app configuration must still have the default browser option enabled. If it does not, the client will remove the registry value when it connects to the portal and downloads the configuration.
- Another workaround is to add a DNS entry or forwarder for the IdP URL on the local systems.