Embedded browser for SAML authentication does not pop up after cookie expiration
Created On 12/20/22 07:20 AM - Last Modified 04/22/24 07:13 AM
Symptom
- The GlobalProtect connection to the gateway fails on cookie expiration, as expected.
- The embedded browser does not pop up for SAML authentication.
- When the user clicks the Retry button in the browser, authentication is not triggered.
- The connection status shows 'In progress'.
- Disconnecting and reconnecting the gateway manually resolves the issue.
- The following log entry appears in PanGPS.log:
Debug( 312): CPanSAMLView::OnDocumentComplete - saml auth failed, retries = 1 <<<<<<<<<<<<< !!!!
Environment
- GlobalProtect App
- Version 6.0.3 and 6.1.0
- SAML Authentication
Cause
- The embedded browser keeps its own browser cookie, which has not expired.
- Once the GlobalProtect authentication override cookie expires, the embedded browser tries to use its own cookie to load the SAML authentication login page.
- This causes the authentication failure.
Resolution
- The issue is fixed under GPC-16271 in GlobalProtect app 6.0.6 and 6.1.1.
- Upgrading to one of these versions should resolve the issue.
Workaround:
Manually clear the browser cookies in IE or Edge: Internet Options > General tab > click the Delete button.
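An added triage example, not Palo Alto Networks code: it matches the PanGPS.log signature quoted under Symptom and compares the installed app version with the fixed releases named under Resolution. The sample log, the version-string format, and treating every build below the fixed release in the same train as a candidate are assumptions.

```python
import re

# Signature taken from the PanGPS.log line quoted in this article. Any prefix
# before "Debug(" (timestamp, thread id) is tolerated; the page shows none.
SAML_FAIL = re.compile(
    r"Debug\(\s*\d+\):\s*CPanSAMLView::OnDocumentComplete"
    r"\s*-\s*saml auth failed,\s*retries\s*=\s*(?P<retries>\d+)"
)

# Fixed releases named under Resolution, keyed by release train.
FIXED_IN = {(6, 0): (6, 0, 6), (6, 1): (6, 1, 1)}

# Constructed sample: the first line is from the article, the rest are made up.
SAMPLE_LOG = """\
Debug( 312): CPanSAMLView::OnDocumentComplete - saml auth failed, retries = 1
Debug( 312): CPanSAMLView::OnDocumentComplete - saml auth failed, retries = 2
(constructed unrelated line)
"""


def parse_version(text):
    """Turn '6.0.3' or '6.0.3-36' into (6, 0, 3). Format is an assumption."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def saml_failures(log_text):
    """Return the retries value from every matching SAML failure line."""
    return [int(m.group("retries")) for m in SAML_FAIL.finditer(log_text)]


def triage(app_version, log_text):
    """Classify one endpoint against this article."""
    if not saml_failures(log_text):
        return "no-signature"
    ver = parse_version(app_version)
    fixed = FIXED_IN.get(ver[:2])
    if fixed is None:
        return "signature-other-train"  # article names no fix for this train
    # Assumption: any build below the fixed release in the train is a candidate.
    return "upgrade" if ver < fixed else "signature-on-fixed-build"


if __name__ == "__main__":
    for version in ("6.0.3", "6.1.1"):
        print(version, triage(version, SAMPLE_LOG))
```

A result of "signature-on-fixed-build" means the log line appears on a release that already contains GPC-16271, so the failure needs separate investigation.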
Additional Information
GlobalProtect App Release Notes