GlobalProtect on Android does not connect with DUO SAML

Created On 05/22/23 21:31 PM - Last Modified 10/18/24 02:32 AM


Symptom


  • The GlobalProtect (GP) App on Android is configured with SAML as the authentication method, using DUO as the Identity Provider.
  • The credentials are accepted and the DUO authentication prompt is successful.
  • The GP App still does not connect.


Environment


  • GlobalProtect (GP) App
  • Supported client versions on Android


Cause


  • With DUO, the user gets a prompt to authenticate. This prompt redirects the user to authenticate outside of the application, in the device's default browser.
  • When the user finishes authenticating in the default browser, DUO displays Login Successful.
  • Since the GP App has not yet connected to the Portal, it is still using the default settings.
  • The default settings use the Embedded browser for SAML Authentication.
  • Since the successful authentication happens in the default browser while the GP App is configured to use the Embedded browser, the GP App cannot read the success message and will not connect.


Resolution


  1. Set up an MDM solution to pre-deploy the GP App with default browser settings.
  2. The GP App is now able to read the authentication success once DUO redirects the user to the default browser.
    • This can be found in Dashboard > App Configuration Policies > GlobalProtect Properties
    • Set the Use "Default browser" boolean value to Yes.
  3. Configure the DUO App to use a password instead of Push.


Additional Information


Default Browser for SAML Authentication

Configure GlobalProtect App for Android


