Cloud Authentication Service SSO Failure – Invalid Opaque Data
Created On 03/24/25 15:29 PM - Last Modified 05/22/25 16:55 PM
Symptom
- A GlobalProtect user fails to authenticate to the GlobalProtect portal using CAS SSO.
- The following message is seen in the logs:
2023/11/22 08:51:03 critical auth AuthPr cas-tok 0 Failed to parse CAS token from client 'x.x.x.x' from 'https://cloud-auth.nl.apps.paloaltonetworks.com/auth' with auth_session_id 'c5ab20f9-40c0-48de-881c-32409837daaa' : Failed to validate the opaque
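To confirm the symptom across a larger log export, the parser below pulls the client IP, CAS URL, auth_session_id and failure reason out of each "Failed to parse CAS token" line and flags any auth_session_id that was seen from more than one client IP, which is the pattern the IP-change cause would produce. This is an added example, not code from the article or from Palo Alto Networks; the field labels (stage, token, seq), the helper names and the sample log lines (with documentation-range IP addresses) are this example's own constructions.

```python
import re
from collections import Counter, defaultdict

# Pattern for the CAS token failure line quoted in the article. The group names
# stage/token/seq are labels chosen for this example, not PAN-OS terminology.
CAS_FAILURE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<severity>\w+) auth (?P<stage>\S+) (?P<token>\S+) (?P<seq>\d+) "
    r"Failed to parse CAS token from client '(?P<client>[^']+)' "
    r"from '(?P<cas_url>[^']+)' "
    r"with auth_session_id '(?P<session>[^']+)' : (?P<reason>.*)$"
)


def parse_cas_failure(line):
    """Return the fields of one CAS token failure line, or None if it is not one."""
    m = CAS_FAILURE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(lines):
    """Parse every line, keeping only CAS token failure records."""
    return [rec for rec in (parse_cas_failure(l) for l in lines) if rec]


def opaque_failures(records):
    """Records whose reason is the invalid-opaque-data failure from the article."""
    return [r for r in records if r["reason"].startswith("Failed to validate the opaque")]


def failures_by_client(records):
    """Count failures per client IP."""
    return dict(Counter(r["client"] for r in records))


def sessions_with_ip_change(records):
    """auth_session_id values seen from more than one client IP (heuristic for a
    mid-authentication address change, e.g. a DHCP lease change)."""
    seen = defaultdict(set)
    for r in records:
        seen[r["session"]].add(r["client"])
    return {s: sorted(ips) for s, ips in seen.items() if len(ips) > 1}


# Constructed sample log: the article's line with a documentation-range IP,
# a second attempt for the same session from a different IP, an unrelated
# session, and one noise line that must be ignored.
SAMPLE_LOG = [
    "2023/11/22 08:51:03 critical auth AuthPr cas-tok 0 Failed to parse CAS token from client "
    "'192.0.2.10' from 'https://cloud-auth.nl.apps.paloaltonetworks.com/auth' with auth_session_id "
    "'c5ab20f9-40c0-48de-881c-32409837daaa' : Failed to validate the opaque",
    "2023/11/22 08:51:41 critical auth AuthPr cas-tok 0 Failed to parse CAS token from client "
    "'192.0.2.25' from 'https://cloud-auth.nl.apps.paloaltonetworks.com/auth' with auth_session_id "
    "'c5ab20f9-40c0-48de-881c-32409837daaa' : Failed to validate the opaque",
    "2023/11/22 09:02:17 critical auth AuthPr cas-tok 0 Failed to parse CAS token from client "
    "'198.51.100.7' from 'https://cloud-auth.nl.apps.paloaltonetworks.com/auth' with auth_session_id "
    "'7d1e0c4a-2b3f-4e5d-9a8b-0c1d2e3f4a5b' : Failed to validate the opaque",
    "2023/11/22 09:03:00 info auth AuthPr cas-tok 0 constructed noise line, not a CAS failure",
]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(opaque_failures(recs))} invalid-opaque failures")
    print("failures by client:", failures_by_client(recs))
    print("sessions seen from more than one IP:", sessions_with_ip_change(recs))
```

Run it against a system log export (`show log system` output or a syslog feed) instead of SAMPLE_LOG; a session that appears with two client IPs within the authentication window is the strongest corroboration of the DHCP cause before changing the remote host check.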
Environment
- GlobalProtect
- PAN-OS
- CAS SSO
Cause
Cloud Authentication Service (CAS) SSO fails with an invalid opaque data error when a GlobalProtect (GP) user's IP address changes between the start and the end of the cloud authentication flow. The opaque data is checked against the client address as a security measure, so a token presented from a different IP is rejected; this is expected behavior in the product's stateless cloud authentication design.
On client machines whose address is assigned by DHCP, however, an IP change is a normal event. When it happens in the middle of cloud authentication, the check rejects otherwise valid opaque data and the user's authentication fails.
Resolution
- Upgrade to a preferred PAN-OS version that contains the fix: PAN-239703 adds new CLI commands to address this issue. Upgrade to a preferred PAN-OS version equal to or later than 10.2.4-h12, 10.2.8, 10.2.11, 11.0.5, 11.1.3, or 11.2.0.
- Disable remote host checking: on a release that contains the fix, run the following command to prevent authentication failures caused by DHCP-managed client machines changing IP addresses. This relaxes the client IP check on the CAS opaque data, so apply it where such IP changes are expected rather than as a default.
> set auth remote-host-check no