SAML Authentication failure with Error "AADSTS50105" when user login to GlobalProtect App
Created On 11/27/23 19:53 PM - Last Modified 03/11/25 22:12 PM
Symptom
An error message is seen when the user tries to log in to GlobalProtect App using SAML Authentication.
AADSTS50105: Your administrator has configured the application Palo Alto Networks - GlobalProtect to block users unless they are specifically granted ('assigned') access to the application. The signed in user 'username' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.
Environment
- Palo Alto Firewalls
- Supported PAN-OS versions
- GlobalProtect App
- SAML Identity Provider
Cause
The AADSTS50105 error points to the Identity Provider side, specifically the user's group membership and application access assignment: as the message states, the user is neither a direct member of a group that has access to the GlobalProtect application nor directly assigned access by an administrator.
Resolution
- Add the user to the group that has access to the GlobalProtect app on the SAML Identity Provider
- This ensures that the user has the necessary permissions for successful authentication.
- Contact the Identity Provider for assistance in adding the user to the application.
Additional Information
From the Palo Alto firewall, check the following configuration to ensure the user is not also blocked by the GlobalProtect configuration itself:
- Check the authentication profile assigned to both the GlobalProtect Gateway and Portal on the Palo Alto firewall, and confirm that the user is included in the allow list:
  Device > Authentication Profile > Advanced > Allow list
- Check the GlobalProtect Portal configuration to confirm the user is allowed under the Agent config:
  Network > GlobalProtect > Portals > Agent > Config Selection Criteria > User/User group
- Check the GlobalProtect Gateway configuration to confirm the user is allowed under the Client settings config:
  Network > GlobalProtect > Gateways > Agent > Client Settings > Config Selection Criteria > Source User
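The three firewall-side checks above can be run against a PAN-OS XML configuration export instead of clicking through the GUI. The script below is an added example and is not Palo Alto Networks code: it takes a constructed sample config (inline, not from this article), a username and the groups the firewall maps that user to, and reports whether each authentication profile allow list, portal agent config and gateway client-settings config would select the user. The XML element paths (authentication-profile/allow-list, global-protect-portal/client-config/configs, global-protect-gateway/remote-user-tunnel-configs) and the wildcard keywords ("all" for the allow list, "any" for selection criteria) are assumptions drawn from the PAN-OS XML layout; verify them against your own export before relying on the result.

```python
"""Check whether a GlobalProtect user is selected by the firewall-side settings
the article lists: authentication-profile allow list, portal agent config
selection criteria, and gateway client-settings selection criteria.

Added example, not Palo Alto Networks code. Element paths and wildcard
keywords are assumptions about the PAN-OS XML config layout.
"""
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS config export (not from the article).
SAMPLE_CONFIG = """<config>
  <shared>
    <authentication-profile>
      <entry name="GP-SAML-Auth">
        <allow-list><member>gp-users</member></allow-list>
      </entry>
    </authentication-profile>
  </shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <global-protect>
      <global-protect-portal>
        <entry name="GP-Portal">
          <client-config><configs>
            <entry name="corp-users">
              <source-user><member>gp-users</member></source-user>
            </entry>
            <entry name="fallback">
              <source-user><member>any</member></source-user>
            </entry>
          </configs></client-config>
        </entry>
      </global-protect-portal>
      <global-protect-gateway>
        <entry name="GP-Gateway">
          <remote-user-tunnel-configs>
            <entry name="corp-tunnel">
              <source-user><member>gp-users</member></source-user>
            </entry>
          </remote-user-tunnel-configs>
        </entry>
      </global-protect-gateway>
    </global-protect>
  </entry></vsys></entry></devices>
</config>"""


def _matches(members, names, wildcard):
    """True if any <member> equals the wildcard keyword or one of the user's names."""
    members = {(m.text or "").strip().lower() for m in members}
    return wildcard in members or bool(members & names)


def check_user_access(config_xml, user, groups=()):
    """Return, per firewall object, whether `user` (or one of `groups`) is selected.

    Names are matched case-insensitively and must be in the form the firewall
    sees them (e.g. with a domain prefix, if the IdP sends one).
    """
    root = ET.fromstring(config_xml)
    names = {user.lower()} | {g.lower() for g in groups}
    result = {}

    # 1. Device > Authentication Profile > Advanced > Allow List
    #    "all" is assumed to mean every user; an empty list is reported as
    #    no match so that it gets a manual look.
    for prof in root.iterfind(".//authentication-profile/entry"):
        allowed = _matches(prof.iterfind("./allow-list/member"), names, "all")
        result["auth-profile:" + prof.get("name")] = allowed

    # 2. Network > GlobalProtect > Portals > Agent > Config Selection Criteria
    for portal in root.iterfind(".//global-protect-portal/entry"):
        hits = [c.get("name") for c in portal.iterfind("./client-config/configs/entry")
                if _matches(c.iterfind("./source-user/member"), names, "any")]
        result["portal:" + portal.get("name")] = hits

    # 3. Network > GlobalProtect > Gateways > Agent > Client Settings
    for gw in root.iterfind(".//global-protect-gateway/entry"):
        hits = [c.get("name") for c in gw.iterfind("./remote-user-tunnel-configs/entry")
                if _matches(c.iterfind("./source-user/member"), names, "any")]
        result["gateway:" + gw.get("name")] = hits

    return result


def blocked_at(result):
    """Objects where the user matched nothing, i.e. firewall-side block points."""
    return [name for name, value in result.items() if not value]


if __name__ == "__main__":
    for user, groups in (("alice", ["gp-users"]), ("bob", ["contractors"])):
        access = check_user_access(SAMPLE_CONFIG, user, groups)
        print(user, access, "blocked at:", blocked_at(access))
```

Run it after the Identity Provider assignment has been fixed: an AADSTS50105 is raised by the IdP before the firewall ever receives an assertion, so these checks only tell you whether a second, firewall-side block would follow once the IdP lets the user through. In the sample, "alice" (member of gp-users) is selected everywhere, while "bob" (member of contractors only) is caught by the portal's "any" fallback config but would still be rejected by the allow list and has no matching gateway client settings.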