MacOS users are unable to authenticate with latest OKTA SAML on the first attempt. Second attempt authentication is successful.

Created On 08/10/23 05:18 AM - Last Modified 05/24/24 20:13 PM


Symptom


  • Only macOS with GlobalProtect App is impacted.
  • Only the first SAML auth attempt fails, subsequent attempts are successful.
  • SAML login to Portal with Safari/Chrome browser works.


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • macOS with GlobalProtect (GP) App
  • SAML authentication


Cause


  • The issue is on the SAML IdP side: the IdP does not include the RelayState value in the SAML Response (for example, the Okta IdP does not send RelayState when the binding method is POST).
  • The issue can be narrowed down by taking a Fiddler capture or a SAML-tracer capture of the login flow and comparing the SP request with the IdP response.
  • The SAML Request sent by the GP Portal firewall (capture entry #7422) carries RelayState information:

[Screenshot: SAML Request #7422 with RelayState present]

  • The SAML Response sent by the SAML IdP (capture entry #7477) has no RelayState information:

[Screenshot: SAML Response #7477 with RelayState missing]
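The comparison described above can be automated against an exported capture. The following script is an added example, not part of the article or of any Palo Alto Networks or Okta tooling: it decodes a SAML message from a captured HTTP request line and body (raw DEFLATE plus base64 for the HTTP-Redirect binding, plain base64 for the HTTP-POST binding), pulls out the RelayState parameter, and flags a response that dropped or altered the RelayState the SP sent. The XML fragments, paths and RelayState value are constructed placeholders, not real GlobalProtect or Okta output.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample messages: minimal SAML XML, not real Okta or PAN-OS output.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_req1" Version="2.0" Destination="https://idp.example.test/sso"/>'
)
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_resp1" Version="2.0" InResponseTo="_req1"/>'
)
SAMPLE_RELAY_STATE = "gp-portal-session-placeholder"  # constructed placeholder value


def encode_redirect(xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    return base64.b64encode(deflated).decode()


def encode_post(xml):
    """HTTP-POST binding: plain base64 of the XML carried in a form field."""
    return base64.b64encode(xml.encode()).decode()


def build_redirect_request(xml, relay_state=None):
    """Simulate what an SP using the REDIRECT binding sends (request line, empty body)."""
    params = {"SAMLRequest": encode_redirect(xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return "GET /sso?" + urlencode(params) + " HTTP/1.1", ""


def build_post_response(xml, relay_state=None):
    """Simulate what an IdP using the POST binding sends to the ACS (request line, form body)."""
    params = {"SAMLResponse": encode_post(xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return "POST /SAML20/SP/ACS HTTP/1.1", urlencode(params)


def parse_saml_message(request_line, body):
    """Return binding, message kind, decoded XML and RelayState of one captured HTTP message."""
    method, target, _ = request_line.split(" ", 2)
    if method == "GET":
        binding = "REDIRECT"
        params = parse_qs(urlparse(target).query)
    elif method == "POST":
        binding = "POST"
        params = parse_qs(body)
    else:
        raise ValueError("unsupported method " + method)
    kind = "SAMLRequest" if "SAMLRequest" in params else "SAMLResponse"
    raw = base64.b64decode(params[kind][0])
    # Redirect binding inflates with a negative wbits value (raw DEFLATE stream).
    xml = zlib.decompress(raw, -15).decode() if binding == "REDIRECT" else raw.decode()
    relay = params.get("RelayState", [None])[0]
    return {"binding": binding, "kind": kind, "xml": xml, "relay_state": relay}


def check_relay_state(request_msg, response_msg):
    """Compare the SP request with the IdP response and report RelayState problems."""
    findings = []
    if request_msg["relay_state"] is None:
        findings.append("SP request carries no RelayState")
    elif response_msg["relay_state"] is None:
        findings.append("IdP response (%s binding) dropped RelayState" % response_msg["binding"])
    elif response_msg["relay_state"] != request_msg["relay_state"]:
        findings.append("RelayState changed in transit")
    return findings


if __name__ == "__main__":
    req = parse_saml_message(*build_redirect_request(SAMPLE_AUTHN_REQUEST, SAMPLE_RELAY_STATE))
    resp = parse_saml_message(*build_post_response(SAMPLE_RESPONSE))
    for finding in check_relay_state(req, resp):
        print("FINDING:", finding)
```

With a real capture, feed `parse_saml_message` the request line and body of the SP's request (entry #7422 in the article's capture) and of the IdP's response (entry #7477); an empty finding list means the IdP echoed the RelayState back unchanged.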



Resolution


  1. As a workaround, Okta recommends using the REDIRECT binding method on the SAML service provider side (the GlobalProtect Portal SAML authentication profile). In the GUI, open Device > Server Profiles > SAML Identity Provider and change the binding on the SAML Server Profile.
  2. Commit the configuration changes.

[Screenshot: SAML Server Profile]
