Captive portal is not redirecting to IdP while authentiacting to CIE with CAS

Captive portal is not redirecting to IdP while authentiacting to CIE with CAS

861
Created On 08/29/23 14:54 PM - Last Modified 10/21/25 20:33 PM


Symptom


Screenshot 2023-08-30 at 12.12.29.png
 

Environment


  • PANOS 10.1+
  • Captive Portal with user identification via Cloud Identity Engine (CIE)
  • Authentication with Cloud Authentication Service (CAS)

Cause


  • The request to CIE also matches the authentication rule "DEF-CP" and it never reaches to the CIE.

Resolution


1. To avoid the situation, create custom URL category with CIE URL "*.apps.paloaltonetworks.com"

 

Screenshot 2023-08-30 at 12.18.06.png

 

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
2. Create authentication rule with Authentication Enforcement set to 'default-no-captive-portal

 

Screenshot 2023-08-30 at 12.08.48.png

 

 
 
 
 
 
3.  Attach the custom URL category created earlier, which includes the CIE URL.

 

Screenshot 2023-08-30 at 12.10.19.png
 

Additional Information


To allow SAML authentication, it's important to remember to exclude traffic to the Identity Provider (IdP), as outlined in this article.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XgHhCAK&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail