Captive Portal Authentication fails with "User not in allow list" for SAML Authentication Profile


Created On 07/19/22 13:53 PM - Last Modified 04/22/24 07:45 AM


Symptom


  • Authentication fails with the message "User is not in Allow List"
    [Screenshot: the "User is not in allow list" message]
  • When the authentication fails, authd.log shows the following entry:
    pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:786): user "user1@sarad.com" is NOT in allow list of auth prof/vsys "SAML Okta-captive portal test/vsys1" (vsys in request "vsys1")



Environment


  • GlobalProtect/Captive Portal
  • SAML Authentication profile configured under Shared location
  • PAN-OS version 10.1.0 and above


Cause


  • The issue occurs when the authentication profile is configured under the Shared location but the SAML response is processed with the vsys value set to vsys1: the vsys value is populated from the request instead of being copied from get_saml_info, so the allow-list lookup is performed against the wrong profile location.
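To triage authd.log for this specific failure signature, the following script (an added example, not part of this article or of PAN-OS) parses the allow-list denial message quoted in the Symptom section and flags entries where a profile that the administrator knows is configured under Shared is nevertheless reported with a vsys-specific location. The regex is derived from the single log line above; the list of shared profile names and the second and third log lines are constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional

# Pattern derived from the authd.log entry quoted in the Symptom section.
# The profile name may contain spaces and hyphens, so the location is taken
# as the text after the last "/" inside the quoted "prof/vsys" field.
ALLOWLIST_DENY = re.compile(
    r'pan_auth_cache_user_is_allowed\(.*?\): '
    r'user "(?P<user>[^"]+)" is NOT in allow list of auth prof/vsys '
    r'"(?P<profile>.+)/(?P<profile_vsys>[^/"]+)" '
    r'\(vsys in request "(?P<request_vsys>[^"]+)"\)'
)

class AllowlistDeny(NamedTuple):
    user: str
    profile: str
    profile_vsys: str   # location the lookup used, e.g. "vsys1"
    request_vsys: str   # vsys of the captive portal request

def parse_allowlist_deny(line: str) -> Optional[AllowlistDeny]:
    """Return the parsed denial, or None if the line is not this message."""
    m = ALLOWLIST_DENY.search(line)
    if not m:
        return None
    return AllowlistDeny(m["user"], m["profile"], m["profile_vsys"], m["request_vsys"])

def is_shared_profile_symptom(entry: AllowlistDeny, shared_profiles: List[str]) -> bool:
    """True when a profile known to live under Shared was looked up in a vsysN location."""
    return entry.profile in shared_profiles and entry.profile_vsys.startswith("vsys")

def triage(lines: List[str], shared_profiles: List[str]) -> List[AllowlistDeny]:
    """Collect denials that match the shared-profile symptom described in this article."""
    hits = []
    for line in lines:
        entry = parse_allowlist_deny(line)
        if entry and is_shared_profile_symptom(entry, shared_profiles):
            hits.append(entry)
    return hits

# Constructed sample input: the article's own line, a legitimate vsys-local
# denial that should not be flagged, and an unrelated line.
SHARED_PROFILES = ["SAML Okta-captive portal test"]  # assumed: configured under Shared
SAMPLE_LOG = [
    'pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:786): user "user1@sarad.com" is NOT in allow list of auth prof/vsys "SAML Okta-captive portal test/vsys1" (vsys in request "vsys1")',
    'pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:786): user "user2@example.com" is NOT in allow list of auth prof/vsys "LDAP-vsys2/vsys2" (vsys in request "vsys2")',
    'authd: unrelated line with no allow-list decision',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, SHARED_PROFILES):
        print(f"{hit.user}: shared profile '{hit.profile}' looked up as {hit.profile_vsys} (request vsys {hit.request_vsys})")
```

Entries that are flagged point at the shared-profile lookup described under Cause; entries for vsys-local profiles are ordinary allow-list denials and are left alone.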


Resolution




Additional Information


Authentication Profile (paloaltonetworks.com)

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wl25CAA&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail