How to suppress web browser notification "Open GlobalProtect?" when authenticating with GlobalProtect via SAML

Created On 11/25/22 14:06 PM - Last Modified 04/17/24 19:00 PM


Objective


  • Web browsers like Google Chrome, Microsoft Edge and others trigger a notification after successful SAML authentication
  • When the notification is presented, it requires the end user's manual attention to complete the GlobalProtect connection
  • This article describes how to modify the Windows Registry to suppress the notification and provide a seamless SAML authentication user experience



Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • GlobalProtect portal and gateway with SAML authentication
  • GlobalProtect app on Windows clients


Procedure


  1. Open the Windows Registry Editor (type "regedit" at the Windows command prompt)
  2. Go to: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
  3. Right-click on "Chrome" and create a new "String Value" as follows:
  • Name: AutoLaunchProtocolsFromOrigins
  • Value data: [{"protocol": "globalprotectcallback", "allowed_origins": ["sslvpn.complab.local"]}] OR [{"protocol": "globalprotectcallback", "allowed_origins": ["sslvpn.complab.local","sslvpn-1.complab.local"]}]
Note: "sslvpn.complab.local" and "sslvpn-1.complab.local" are the GlobalProtect Portal/Gateway FQDNs used in our example. Replace them with the proper GlobalProtect FQDN (the one that is also shown in the notification generated by the web browser). A wildcard can also be used, with Value data: [{"protocol": "globalprotectcallback", "allowed_origins": ["*"]}]
 


  4. Restart the Google Chrome web browser and confirm that the policy is successfully applied (open link chrome://policy)

  5. The same registry value can be applied for the Microsoft Edge web browser by going to: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge

  6. Restart the Microsoft Edge web browser and confirm that the policy is successfully applied (open link edge://policy)
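
The registry procedure above as a PowerShell script, an added example that is not part of the original article and is not Palo Alto Networks code: it builds the AutoLaunchProtocolsFromOrigins value from a list of FQDNs, writes it under both the Chrome and Edge policy keys, and reads it back as JSON. The function names are hypothetical, the FQDNs are the article's lab names, and the script deliberately rejects the "*" wildcard because that value lets any origin launch the globalprotectcallback handler without a prompt.

```powershell
#Requires -RunAsAdministrator
# Added example. Function names are hypothetical; replace the lab FQDNs with your own.

function New-AutoLaunchValue {
    param([Parameter(Mandatory)][string[]]$Fqdn)
    # Plain host names only: this rejects "*", URL schemes, spaces and the
    # curly quotes that creep in when a value is copied from a web page.
    $pattern = '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
    foreach ($name in $Fqdn) {
        if ($name -notmatch $pattern) {
            throw "Not a plain FQDN, refusing to write policy: '$name'"
        }
    }
    # Validated names need no JSON escaping, so the string can be assembled directly.
    $origins = ($Fqdn | ForEach-Object { '"{0}"' -f $_.ToLowerInvariant() }) -join ', '
    '[{{"protocol": "globalprotectcallback", "allowed_origins": [{0}]}}]' -f $origins
}

function Set-GlobalProtectAutoLaunch {
    param([Parameter(Mandatory)][string[]]$Fqdn)
    $name  = 'AutoLaunchProtocolsFromOrigins'
    $value = New-AutoLaunchValue -Fqdn $Fqdn
    $keys  = 'HKLM:\SOFTWARE\Policies\Google\Chrome',
             'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    foreach ($key in $keys) {
        # The Policies key does not exist until a first policy is set.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $name -Value $value `
            -PropertyType String -Force | Out-Null

        # Read the stored string back and parse it; ConvertFrom-Json throws
        # here if the stored value is not valid JSON.
        $stored = (Get-ItemProperty -Path $key -Name $name).$name
        $parsed = $stored | ConvertFrom-Json
        [pscustomobject]@{
            Key            = $key
            Protocol       = $parsed.protocol
            AllowedOrigins = $parsed.allowed_origins -join ', '
        }
    }
}

# The article's lab FQDNs (portal and gateway).
Set-GlobalProtectAutoLaunch -Fqdn 'sslvpn.complab.local', 'sslvpn-1.complab.local'
```

Run it from an elevated PowerShell session, then restart each browser and check chrome://policy and edge://policy as in the steps above.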
 
 
 


Additional Information


  • Google Chrome expects users to click on "click here" after successful gateway authentication when SAML is enabled for both portal and gateway. This is a Chrome browser bug which is being tracked here. Hence, this works seamlessly with Microsoft Edge only
  • For a seamless user experience, it is recommended to enable the authentication override cookie for GlobalProtect users
  • Enable authentication override cookie settings for portal and gateway:

Note: When the gateway has only "Accept cookie for authentication override" checked, upon cookie expiration, SAML authentication will be prompted for the gateway. Users have to perform a refresh connection to authenticate to the portal and generate a new authentication override cookie

Note: When the gateway has both "Generate cookie for authentication override" and "Accept cookie for authentication override" checked, upon cookie expiration, SAML authentication will be prompted for the gateway. After successful gateway authentication, a new authentication override cookie is generated. The Authentication Override Cookie lifetime can be set to a lower value, say 5 minutes, so that the subsequent portal and gateway connections present a single web browser tab.
  • The notification appears only on the system's default browser
  • In that case, the GlobalProtect Portal App setting "Use Default Browser for SAML Authentication" is set to Yes
  • In the case of the GlobalProtect embedded browser ("Use Default Browser for SAML Authentication" is set to No), the notification will not be presented
