Globalprotect users are failing to connect automatically, after portal is reachable unless manually clicked on "connect"

Created On 04/29/22 20:38 PM - Last Modified 04/30/24 03:55 AM


Symptom


  • From the GlobalProtect logs we can see that SSO is enabled and the username it supplied is "ttHaiderSh":
16:549 SSO enable status is 1, user name is ttHaiderSh, domain name is .
...

562 Failed to get portal config from portal xyz.gpcloudservice.com.
562 Try to restore last portal config from file.
...
562 cannot restore last portal config from file C:\Users\tthaidersh\AppData\Local\Palo Alto Networks\GlobalProtect\PanPortalCfg_e34f92f86975492d4cef112ad14bfbb.dat.
562 portal status is Invalid portal.
  • The name of the ".dat" file is derived from the username. The config restoration fails because GP is looking for a .dat file whose name was computed from a different username than the one the cached config was saved under:
$ md5 -s xyz.gpcloudservice.com_ttHaiderSh
MD5 (" xyz.gpcloudservice.com_ttHaiderSh") = xxxxxxxxxxxxxxxx


$ md5 -s xyz.gpcloudservice.com_mm.Haider@kantar.com
MD5 (" xyz.gpcloudservice.com_mm.Haider@kantar.com") = yyyyyyyyyyyyyy
  • The hash above differs between the sAMAccountName (ttHaiderSh) and the UPN (mm.Haider@kantar.com), so the two forms of the username point at two different .dat files. You can reproduce this from a terminal or cmd prompt.
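The following Python is an added diagnostic example, not code from the article or from Palo Alto Networks. It reproduces the file-name derivation the article demonstrates with md5 -s and checks a PanGPS log excerpt against the cache files actually present on disk, so an administrator can see which identity form the cached config was written under. It assumes, based on the md5 -s example above, that the cache file is named PanPortalCfg_<MD5 of "<portal>_<username>">.dat; the log lines, the cache directory listing and the sAMAccountName/UPN values are constructed from the article's values. Whether GlobalProtect normalizes case before hashing is not stated in the article, so the example hashes the string exactly as given and also shows that a case-only difference changes the file name.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional

# Values taken from the article (the portal and the two username forms).
PORTAL = "xyz.gpcloudservice.com"
SAM_ACCOUNT_NAME = "ttHaiderSh"          # what Windows SSO supplies
UPN = "mm.Haider@kantar.com"             # what SAML authentication used


def portal_cfg_filename(portal: str, username: str) -> str:
    """Assumed naming rule (from the article's md5 -s demonstration):
    PanPortalCfg_<md5("<portal>_<username>")>.dat, hashed exactly as given."""
    digest = hashlib.md5(f"{portal}_{username}".encode("utf-8")).hexdigest()
    return f"PanPortalCfg_{digest}.dat"


# Patterns for the two PanGPS log lines the article relies on.
SSO_RE = re.compile(r"SSO enable status is (\d), user name is (\S+), domain name is")
RESTORE_RE = re.compile(
    r"cannot restore last portal config from file (.+?PanPortalCfg_[0-9a-fA-F]+\.dat)"
)


def parse_pan_gps_log(lines: Iterable[str]) -> Dict[str, Optional[object]]:
    """Extract the SSO state, the SSO username and the base name of the .dat
    file GP tried (and failed) to restore."""
    found: Dict[str, Optional[object]] = {
        "sso_enabled": None, "sso_username": None, "attempted_file": None,
    }
    for line in lines:
        m = SSO_RE.search(line)
        if m:
            found["sso_enabled"] = m.group(1) == "1"
            found["sso_username"] = m.group(2)
        m = RESTORE_RE.search(line)
        if m:
            # The log records a Windows path; keep only the file name.
            found["attempted_file"] = re.split(r"[\\/]", m.group(1))[-1]
    return found


def diagnose(log_lines: Iterable[str], portal: str, cached_files: Iterable[str],
             candidate_usernames: Iterable[str]) -> Dict[str, Optional[object]]:
    """Combine the log evidence with the cache directory listing: report which
    candidate identity form produces a .dat file that actually exists."""
    result = parse_pan_gps_log(log_lines)
    present = set(cached_files)
    result["matching_identity"] = None
    for user in candidate_usernames:
        if portal_cfg_filename(portal, user) in present:
            result["matching_identity"] = user
            break
    return result


# Constructed sample input modelled on the article's log excerpt: SSO supplied
# the sAMAccountName, but the cache on disk was written under the UPN.
ATTEMPTED = portal_cfg_filename(PORTAL, SAM_ACCOUNT_NAME)
GP_DIR = r"C:\Users\tthaidersh\AppData\Local\Palo Alto Networks\GlobalProtect"
SAMPLE_LOG: List[str] = [
    f"16:549 SSO enable status is 1, user name is {SAM_ACCOUNT_NAME}, domain name is .",
    f"562 Failed to get portal config from portal {PORTAL}.",
    "562 Try to restore last portal config from file.",
    "562 cannot restore last portal config from file " + GP_DIR + "\\" + ATTEMPTED + ".",
    "562 portal status is Invalid portal.",
]
CACHED_FILES: List[str] = [portal_cfg_filename(PORTAL, UPN)]  # constructed listing

if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG, PORTAL, CACHED_FILES, [SAM_ACCOUNT_NAME, UPN])
    for key, value in report.items():
        print(f"{key}: {value}")
    # Case matters for the hash, so a case-only mismatch also breaks restore.
    print("case-only mismatch changes name:",
          portal_cfg_filename(PORTAL, "tthaidersh") != portal_cfg_filename(PORTAL, "ttHaiderSh"))
```

Run stand-alone, the report shows that SSO is enabled, that the SSO username is ttHaiderSh, that the file GP attempted was derived from that name, and that the only cache file present matches the UPN instead, which is exactly the mismatch the article describes. Point the same functions at a real PanGPS log and a real directory listing of the GlobalProtect folder to confirm the cause before changing the portal's SSO setting.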


Environment


  • GlobalProtect (GP) APP
  • SSO enabled
  • SAML authentication


Cause


The username supplied by Windows SSO (the sAMAccountName) differs from the username used for SAML authentication (the UPN), so the cached portal configuration, whose file name is derived from the username, cannot be located.

Resolution


The fix is to disable Windows SSO in the GP App settings:
  1. To disable SSO, go to Network > GlobalProtect > Portals > GlobalProtect_Portal > Agent > choose agent > App > Use Single Sign-on (Windows) > No
  2. Once SSO is disabled, GlobalProtect should be able to restore the last portal config from the .dat file, because the username used to derive the file name is the same one the user entered as GP credentials.


Additional Information


  • When a PC has no network connectivity and the user logs into the system, GP first tries to talk to the portal (Connect Method is User-logon), which fails.
  • When it fails to talk to the portal, it should pick up the cached configuration and initiate network discovery, which keeps trying to identify the network until network reachability is restored.


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNnBCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail