How to resolve double SAML authentication prompts while using GlobalProtect with CIE integration on PAN-OS 10.1 and below

Created On 01/28/25 01:15 AM - Last Modified 05/02/25 00:56 AM


Objective


This article explains how to resolve the double authentication prompts that occur when using GlobalProtect with CIE for SAML authentication.



Environment


  • Palo Alto Firewalls
  • PAN-OS 10.1 or below
  • GlobalProtect
  • Cloud Identity Engine (CIE)
  • SAML authentication


Procedure


To resolve the issue, you must both generate and accept authentication override cookies on the Portal and on the Gateway by completing the following steps:

  1.  Navigate to Network > GlobalProtect > Portals > [Select Portal] > Agent > [Select Agent Config] > Authentication Override: Select both Generate and Accept.
  2.  Navigate to Network > GlobalProtect > Gateways > [Select Gateway] > Agent > Client Settings > [Select Client Config] > Authentication Override: Select both Generate and Accept.
  3.  The initial connection may still prompt the user twice; however, this shouldn't occur once the authentication cookie is received by the GP host.


Additional Information


  •  This issue occurs due to the Portal presenting the Gateway with an empty authentication override cookie which clears the existing non-empty cookie.
  •  Please note that in PAN-OS 10.2 we've introduced a different daemon which doesn't experience the issue.

