GlobalProtect Single Sign-Out (SLO) does not work intermittently

Created On 10/18/24 06:10 AM - Last Modified 10/23/25 20:14 PM


Symptom


GlobalProtect's Single Sign-Out (SLO) sometimes works and sometimes doesn't.



Environment


  • GlobalProtect
  • Prisma Access Mobile Users
  • SAML authentication


Cause


The GlobalProtect gateway (GPGW) does not perform SLO when the gateway authentication was done with a cookie. This is expected behavior: because the GPGW does not process a SAML request/response at login in that case, it has no information with which to do SLO.

 

Filtering the GlobalProtect log with "( stage eq 'connected' ) or ( stage eq 'logout' )" shows whether each user connected to the GPGW with SAML or with a cookie.
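
The following added example, which is not part of the original article, pairs each logout event in an exported GlobalProtect log with the user's preceding connected event and marks the logouts whose gateway login used a cookie, where no SLO is expected. The CSV layout, the column names (time, user, stage, auth_method) and the sample rows are assumptions constructed for illustration; map them to the columns of your own export.

```python
import csv
import io

# Constructed sample rows. Column names are assumptions for this example,
# not the product's documented export format.
SAMPLE_LOG = """time,user,stage,auth_method
2024-10-18 09:00:01,alice,connected,SAML
2024-10-18 09:30:12,alice,logout,
2024-10-18 10:02:40,alice,connected,Cookie
2024-10-18 10:45:03,alice,logout,
2024-10-18 10:05:00,bob,connected,Cookie
2024-10-18 11:00:00,carol,logout,
"""


def slo_expectations(log_text):
    """Return (time, user, login_method, verdict) for every logout event."""
    # Timestamps in YYYY-MM-DD HH:MM:SS form sort correctly as strings.
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["time"])
    open_session = {}  # user -> auth method of the most recent gateway login
    results = []
    for row in rows:
        user = row["user"].strip()
        stage = row["stage"].strip().lower()
        if stage == "connected":
            open_session[user] = (row["auth_method"] or "").strip().lower()
        elif stage == "logout":
            method = open_session.pop(user, None)
            if method is None:
                verdict = "unknown"        # login is outside the exported window
            elif method == "saml":
                verdict = "slo-expected"   # gateway processed the SAML exchange
            elif method == "cookie":
                verdict = "no-slo"         # cookie login: gateway has no SAML state
            else:
                verdict = "not-saml"       # some other authentication method
            results.append((row["time"], user, method, verdict))
    return results


if __name__ == "__main__":
    for when, user, method, verdict in slo_expectations(SAMPLE_LOG):
        print(f"{when}  {user:<8} login={method or '-':<7} {verdict}")
```

Logouts marked "no-slo" are the sessions that explain the intermittent behavior described in the Symptom section.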



Resolution


If SLO is an absolute requirement for the customer, disable the authentication cookie override. GlobalProtect users then have to go through SAML authentication twice, for the portal and for the gateway, every time they connect to GlobalProtect.


