Connect before Logon SAML authentication get stuck during redirection to another sign-in page for MFA

Created On 02/09/22 22:47 PM - Last Modified 02/11/22 19:41 PM


Symptom


  • Connect Before Logon SAML authentication gets stuck at the stage where the authentication is redirected to another sign-in page for MFA
[Screenshot: authentication redirect page]
  • The following entries appear in the GlobalProtect client dump-level log:
PanPlapProvider.log
(P4960-T5364)Dump ( 269): 02/09/22 05:28:09:168 Failed to get attribute value 'TrustedIdpDomains' <<<<<<<<<<<<<<<<<<<<<<<<<<<<
(P4960-T5364)Debug(  71): 02/09/22 05:28:09:168 PanSAMLView: open url: https://login.microsoftonline.com/67b039ac-f578-42c6-9b5b-aa1b5bb0388f/saml2?SAMLRequest=jZFRa4MwFIX%2FiuRdE6NWDVVw7cMKHZPq9rCXE
(P4960-T5364)Debug( 337): 02/09/22 05:28:09:168 PanSAMLView::OnBeforeNavigate2:  https://login.microsoftonline.com/67b039ac-f578-42c6-9b5b-aa1b5bb0388f/saml2?SAMLRequest=jZFRa4MwFIX%2FiuRdE6NWDVVw7cMKHZPq9rCXE...
(P4960-T5364)Debug( 342): 02/09/22 05:28:10:376 PanSAMLView::OnNavigateComplete2: https://login.microsoftonline.com/67b039ac-f578-42c6-9b5b-aa1b5bb0388f/saml2?SAMLRequest=jZFRa4MwFIX%2FiuRdE6NWDVVw7cMKHZPq9rCXE...
(P4960-T5364)Debug( 108): 02/09/22 05:28:10:922 PanSAMLView: OnDocumentComplete, url: https://login.microsoftonline.com/67b039ac-f578-42c6-9b5b-aa1b5bb0388f/saml2?SAMLRequest=jZFRa4MwFIX%2FiuRdE6NWDVVw7cMKHZPq9rCXE...
(P4960-T5364)Debug( 193): 02/09/22 05:28:12:282 PanSamlDlg: display saml page to user
(P4960-T5364)Debug( 337): 02/09/22 05:28:34:804 PanSAMLView::OnBeforeNavigate2: Block https://adfs.xyz.com/adfs/ls/?client-request-id=be730489-b2ad-4335-84b0-9a295b0f5783&username=test%40abcd.com&wa=wsignin1.0..<<<<<<<<
 
 


Environment


  • GlobalProtect Application version 5.2.9/5.2.10
  • Connect Before Logon feature
  • SAML authentication with MFA


Cause


  • This is due to a security enhancement in the Connect Before Logon feature: when the IdP sign-in page navigates to a domain that is not trusted, the request is blocked. This prevents unknown risk from cross-domain navigation.


Resolution


 
  1. If an IdP uses more than one domain, for example one for login and another for MFA, add the other domains to the registry value below to allow them:
  • Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL
  • Type: REG_SZ
  • Value Name: TrustedIdpDomains
  • Value Data: adfs.xyz.com (comma-separated for multiple domain names)
[Screenshot: registry setting]
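The following script is an added example, not part of this article, that applies the registry setting above from an elevated PowerShell session. It merges new domains into any existing TrustedIdpDomains value instead of overwriting it and rejects entries that are not bare host names; adfs.xyz.com comes from the log above, while mfa.example.com is a constructed placeholder for a second sign-in host.

```powershell
# Added example (not from the Palo Alto Networks article): idempotently add trusted
# IdP domains to the Connect Before Logon allow list. HKLM: is the PowerShell drive
# for the Computer\HKEY_LOCAL_MACHINE path shown above; run as administrator.
$cblKey    = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL'
$valueName = 'TrustedIdpDomains'

# adfs.xyz.com is taken from the article's log; mfa.example.com is a constructed placeholder.
$domainsToAdd = @('adfs.xyz.com', 'mfa.example.com')

function Get-TrustedIdpDomains {
    # Returns the current allow list as an array, or an empty array if unset.
    if (-not (Test-Path -Path $cblKey)) { return @() }
    $prop = Get-ItemProperty -Path $cblKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return @() }
    # REG_SZ, comma-separated: trim whitespace and drop empty entries.
    return @($prop.$valueName -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Add-TrustedIdpDomains {
    param([Parameter(Mandatory)][string[]]$Domains)

    # Only bare host names belong in this value: no scheme, path, port or wildcard.
    $hostPattern = '^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z0-9-]+$'
    foreach ($d in $Domains) {
        if ($d -notmatch $hostPattern) { throw "Not a bare host name: '$d'" }
    }

    # Merge with whatever is already configured, normalise case, remove duplicates.
    $merged = @((@(Get-TrustedIdpDomains) + $Domains) |
        ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique)

    if (-not (Test-Path -Path $cblKey)) { New-Item -Path $cblKey -Force | Out-Null }
    Set-ItemProperty -Path $cblKey -Name $valueName -Value ($merged -join ',') -Type String
    return $merged
}

$result = Add-TrustedIdpDomains -Domains $domainsToAdd
"TrustedIdpDomains is now: $($result -join ',')"
```

After running it, reproduce the sign-in and confirm that the PanPlapProvider.log no longer reports "Failed to get attribute value 'TrustedIdpDomains'" or a Block entry for the MFA host.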

