Embedded browser for SAML authentication does not pop up after cookie expiration

Embedded browser for SAML authentication does not pop up after cookie expiration

10178
Created On 12/20/22 07:20 AM - Last Modified 04/22/24 07:13 AM


Symptom


  • GlobalProtect connection to the gateway failed with cookie expiration as expected.
  • The embedded browser does not pop up for SAML authentication.
  • When the user clicks on Retry button on browser, authentication is not triggered.
  • The connection status is seen as 'In progress'.
  • Disconnecting and reconnecting the gateway manually resolves the issue.
  • Following logs can be seen in the PanGPS.log
Debug( 312): CPanSAMLView::OnDocumentComplete - saml auth failed, retries = 1 <<<<<<<<<<<<< !!!!
  
 

Environment


  • GlobalProtect App
  • Version 6.0.3 and 6.1.0
  • SAML Authentication

Cause


  • The embedded browser has its own browser cookie, which is not expired.
  • Once GlobalProtect authentication override cookie expires, embedded browser tries to use its own cookie to load the SAML authentication login page.
  • This causes authentication failure.

Resolution


  1. The issue is fixed under GPC-16271 in GlobalProtect app 6.0.6 and 6.1.1
  2. Upgrade to the above versions should resolve the issue.
Workaround:
Manually clean up the browser cookies on IE or Edge browser using  Internet options >general tab > click Delete button
Internet explorer properties

Additional Information


GlobalProtect App Release Notes
 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kFkCCAU&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail