Javascript errors seen when using GlobalProtect embedded browser for SAML authentication.

• When using Internet Explorer (IE) for SAML Authentication, Javascript error may be seen.
• This article helps configure the settings to prevent the Javascript errors.

• Palo Alto Firewall
• PAN-OS 9.1 and above
• Globalprotect (GP)
• SAML Authentication

• GP embedded browser relies on Microsoft dlls to parse the web content and embedded browser works based on IE.
• Palo Alto Suggests using default browser instead of using Internet Explorer(IE).
• When the user is allowed to use only IE, below tips can help resolve Javascript error.

1. Enable “Allow scripting of Internet Explorer web browser control”:

• Internet Explorer > Internet options> Security Page -> Internet Zone -> “Allow scripting of Internet Explorer web browser control”, set to enable

        

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

3. Check if PanGPA.exe registry entry is present. If not, add a DWORD (32-bit value),

• Name : PanGPA.exe
• Value data: 2af8
• Base: Hexadecimal

    

4. Once completed, restart the PanGPS service from Windows command prompt.

sc start/stop/restart PanGPS

1. On the Firewall GUI: Network > GlobalProtect  > Portals > (portal name) > Agent > (agent name) > App >  Use Default Browser for SAML Authentication > Yes.
2. Commit the changes.
3. Refer also: Pre-deploying The Default Browser on macOS and Windows.