Cookie authentication is working on the GP portal but GP gateway prompts for user credentials

Created On 08/02/24 13:22 PM - Last Modified 10/17/24 21:22 PM


Symptom


  • Cookie authentication for Global Protect Gateway is not working
  • SSO is enabled (Use Single Sign-on on GP Portal agent) 
  • SAML is used for Global Protect authentication
  • GP portal and gateway are configured to generate and accept cookies
  • SAML returns a Username Attribute format different from the SSO username format
  • GlobalProtect is configured to save username and password or save username only
  • A valid cookie for the SAML Attribute format exists on the user machine GlobalProtect folder
  • Per PanGPS Portal Login logs, the saved username (SAML Username Attribute) is being used for cookie authentication:
    :691 ----Portal Login starts----
    :691 m_szSavedUserName is <SAML_Username_Attribute_format>
    :691 Portal user auth cookie file name is C:\Users\<SSO_username>\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_XXXX.dat
  • Per PanGPS Gateway Pre-Login logs, SSO is being used for cookie authentication and fails to open a non-existent cookie file:
    :322 SSO is enabled. Using SSO credential to login to gateway.
    :322 Portal user auth cookie file name is C:\Users\<SSO_username>\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_YYYYYY.dat
    :323 Failed to open file C:\Users\<SSO_username>\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_YYYYYY.dat


Environment


  • Prisma Access
  • SSO
  • SAML authentication
  • Cookies Authentication Override


Cause


  • The GlobalProtect Portal uses the saved username format to find the cookie.
  • The GlobalProtect Gateway uses the SSO username format.
  • The cookie only exists for the saved username format. SSO is enabled by default.
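The mismatch described in the Symptom log lines and in the Cause above can be spotted mechanically in a PanGPS log: the portal phase names one cookie file (PanPUAC_XXXX.dat) while the gateway phase, having switched to SSO credentials, names a different one and then fails to open it. The following helper is an added example written for this article, not a Palo Alto Networks tool; the function names (parse_pangps, diagnose) are hypothetical, it matches only the message fragments quoted in the Symptom section, and the sample lines are constructed to that shape rather than taken from a real capture.

```python
"""Detect the portal/gateway cookie-file mismatch in GlobalProtect PanGPS log lines.

Hypothetical helper written to illustrate this article; it is not a Palo Alto
Networks tool. It keys on the exact message fragments the article quotes.
"""
import re

# Message fragments taken from the PanGPS lines quoted in the Symptom section.
PORTAL_START_RE = re.compile(r"----Portal Login starts----")
SAVED_USER_RE = re.compile(r"m_szSavedUserName is (\S+)")
COOKIE_FILE_RE = re.compile(r"Portal user auth cookie file name is (.+?\.dat)")
GATEWAY_SSO_RE = re.compile(r"SSO is enabled\. Using SSO credential to login to gateway")
FAILED_OPEN_RE = re.compile(r"Failed to open file (.+?\.dat)")

# Constructed sample, trimmed to the form the article quotes (not a real capture).
# The saved (SAML attribute) username is a UPN while the Windows profile is the
# short SSO name, mirroring the format difference the article describes.
MISMATCH_LOG = [
    ":691 ----Portal Login starts----",
    ":691 m_szSavedUserName is jdoe@example.com",
    r":691 Portal user auth cookie file name is C:\Users\jdoe\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_XXXX.dat",
    ":322 SSO is enabled. Using SSO credential to login to gateway.",
    r":322 Portal user auth cookie file name is C:\Users\jdoe\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_YYYYYY.dat",
    r":323 Failed to open file C:\Users\jdoe\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_YYYYYY.dat",
]

# Constructed contrast case: both phases refer to the same cookie file and nothing fails.
HEALTHY_LOG = [
    ":101 ----Portal Login starts----",
    ":101 m_szSavedUserName is jdoe",
    r":101 Portal user auth cookie file name is C:\Users\jdoe\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_XXXX.dat",
    ":205 SSO is enabled. Using SSO credential to login to gateway.",
    r":205 Portal user auth cookie file name is C:\Users\jdoe\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_XXXX.dat",
]


def parse_pangps(lines):
    """Record which cookie file each phase used.

    The portal phase starts at '----Portal Login starts----'; the gateway phase
    starts at the 'Using SSO credential to login to gateway' line. Lines before
    either marker are ignored.
    """
    findings = {
        "portal_saved_user": None,
        "portal_cookie_file": None,
        "gateway_uses_sso": False,
        "gateway_cookie_file": None,
        "gateway_failed_file": None,
    }
    phase = None
    for line in lines:
        if PORTAL_START_RE.search(line):
            phase = "portal"
            continue
        if GATEWAY_SSO_RE.search(line):
            phase = "gateway"
            findings["gateway_uses_sso"] = True
            continue
        if phase is None:
            continue
        if phase == "portal" and (m := SAVED_USER_RE.search(line)):
            findings["portal_saved_user"] = m.group(1)
        elif m := COOKIE_FILE_RE.search(line):
            findings[f"{phase}_cookie_file"] = m.group(1)
        elif phase == "gateway" and (m := FAILED_OPEN_RE.search(line)):
            findings["gateway_failed_file"] = m.group(1)
    return findings


def cookie_basename(path):
    """Last component of a Windows path (e.g. PanPUAC_XXXX.dat), or None."""
    return path.rsplit("\\", 1)[-1] if path else None


def diagnose(findings):
    """Return a verdict string when the article's pattern is present, else None.

    Pattern: gateway switched to SSO, looked for a cookie file that differs from
    the one the portal used, and failed to open it.
    """
    portal = cookie_basename(findings["portal_cookie_file"])
    gateway = cookie_basename(findings["gateway_cookie_file"])
    failed = cookie_basename(findings["gateway_failed_file"])
    if not (findings["gateway_uses_sso"] and portal and gateway and failed):
        return None
    if gateway.lower() == failed.lower() and gateway.lower() != portal.lower():
        return (
            f"Portal authenticated with saved username {findings['portal_saved_user']!r} "
            f"via cookie {portal}; gateway used SSO and looked for {gateway}, which does "
            f"not exist. Disable Use Single Sign-on in the portal agent App settings."
        )
    return None


if __name__ == "__main__":
    print(diagnose(parse_pangps(MISMATCH_LOG)))
    print(diagnose(parse_pangps(HEALTHY_LOG)))
```

Feed it the PanGPS.log lines from the affected machine (`diagnose(parse_pangps(open(path).read().splitlines()))`); a non-None verdict means the gateway is searching for a cookie under a different username format than the portal generated, which is exactly the case the Resolution below addresses by turning off Use Single Sign-on.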


Resolution


  Disable SSO. To do this:
  1. Go to Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App
  2. Select No for Use Single Sign-on (Windows)
  3. Also select No for Use Single Sign-on (macOS)
  4. Commit and push.

Note: If SAML authentication is used, the GP SSO option should be disabled, regardless of whether SAML is considered a single sign-on solution.
GlobalProtect cannot populate user credentials in a web form (both Default browser and Embedded browser) presented by the IdP.

17 Oct 24 (Vijay) - Article updated with Praveen and published externally.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HDnvCAG&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail