Certificate prompt seen after successful SAML authentication

Created On 07/28/22 20:56 PM - Last Modified 05/28/24 18:38 PM


Symptom


  • GlobalProtect Portal/Gateway configured with both SAML and certificate authentication.
  • When users are redirected from the IdP page (where SAML authentication has completed successfully) to the Portal or Gateway to present the SAML Assertion to the Assertion Consumer Service (ACS) URL "https://<portal-or-gateway>/SAML20/SP/ACS", one of the following behaviors is observed:
    • Receive a certificate confirmation prompt (single matching certificate).
    • Receive a certificate selection prompt (with multiple matching certificates).


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS versions
  • GlobalProtect (GP) App
  • SAML authentication on both GlobalProtect Portal/Gateway
  • Certificate Profile configured on the same GlobalProtect Portal/Gateway 


Cause


  • The Dataplane (DP) terminates incoming TLS connections, including the one used to present the Assertion to the ACS page.
  • If a Certificate Profile is configured on the receiving IP address (because of the Portal or Gateway configuration), the DP includes a "Certificate Request" message in the TLS handshake, which causes the certificate prompt on the client side.
  • This is expected behavior and does not mean that the certificate will actually be checked later, or that it is even needed. It is up to the Management Plane (MP) to enforce certificate validation/presence where required. That is done when the request is meant for the GlobalProtect Portal or Gateway, but ACS requests are handled by authd, which does not care whether the client provided a certificate or not.
  • The client can respond to the "Certificate Request" message with an actual "Certificate", or with an "empty" "Certificate" field (0 length). Either way it does not matter for the ACS message, because authd will not ask for the certificate.
Note: The downside is user experience, since a certificate prompt is not expected to appear after SAML authentication.
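To confirm which of the two client responses described above a given connection used, a small decoder for the handshake messages involved is useful. The following is an added example (Python, not part of this article or of PAN-OS): it walks plaintext TLS 1.2 handshake records, for instance exported from a packet capture of the ACS connection, reports whether the server sent a "Certificate Request", and whether the client answered with a real or an empty "Certificate". The sample bytes are constructed, not captured, and the decoder assumes TLS 1.2 (TLS 1.3 encrypts these messages) with no message fragmented across records.

```python
import struct

HANDSHAKE = 22  # TLS record content type for handshake messages
MSG_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange"}

def parse_handshake_messages(stream: bytes):
    """Return [(message_name, body), ...] for every handshake message in a stream
    of plaintext TLS records. Assumes no message is fragmented across records."""
    out, off = [], 0
    while off + 5 <= len(stream):
        ctype, _ver, rlen = struct.unpack("!BHH", stream[off:off + 5])
        payload = stream[off + 5:off + 5 + rlen]
        off += 5 + rlen
        if ctype != HANDSHAKE:
            continue
        p = 0
        while p + 4 <= len(payload):
            mtype = payload[p]
            mlen = int.from_bytes(payload[p + 1:p + 4], "big")
            out.append((MSG_NAMES.get(mtype, f"type{mtype}"), payload[p + 4:p + 4 + mlen]))
            p += 4 + mlen
    return out

def client_cert_status(messages):
    """Did the server send a CertificateRequest, and what did the client answer?"""
    seen_request = False
    for name, body in messages:
        if name == "CertificateRequest":
            seen_request = True
        elif seen_request and name == "Certificate":
            # In TLS 1.2 the Certificate body starts with the 3-byte length of the
            # certificate_list; 0 means the client sent an empty Certificate.
            list_len = int.from_bytes(body[:3], "big")
            return "empty_certificate" if list_len == 0 else "client_certificate"
    return "certificate_request_unanswered" if seen_request else "no_certificate_request"

def record(payload: bytes) -> bytes:  # wrap a payload in a TLS 1.2 record header
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(payload)) + payload

def hs(mtype: int, body: bytes) -> bytes:  # type (1 byte) + length (3 bytes) + body
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

# Constructed samples (not real captures); the client answers with a zero-length certificate_list.
SERVER_CERT = hs(11, b"\x00\x00\x07" + b"\x00\x00\x04" + b"CERT")
WITH_CERT_REQUEST = (record(hs(2, b"\x03\x03") + SERVER_CERT)
                     + record(hs(13, b"\x01\x40\x00\x00\x00\x00") + hs(14, b""))
                     + record(hs(11, b"\x00\x00\x00") + hs(16, b"\x00")))
WITHOUT_CERT_REQUEST = record(hs(2, b"\x03\x03") + SERVER_CERT + hs(14, b""))
```

Running `client_cert_status(parse_handshake_messages(...))` on the two samples gives "empty_certificate" and "no_certificate_request" respectively.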


Resolution


  1. It is expected that the DP (which terminates the TLS connection) asks for a certificate when receiving the ACS request, even though the certificate will not be checked, if a Certificate Profile is configured on the same IP address (for the Portal/Gateway).
  2. To avoid the issue, configure the relevant browser to auto-select the certificate, or ignore the prompt, for a better user experience.


Additional Information


The general authentication workflow with a Certificate Profile plus SAML authentication is:
  • The GP client starts a connection with the Portal/Gateway.
  • During the TLS handshake, the client is asked to provide a certificate and does so (usually without prompting the user at all, since the previously selected certificate is cached in case more than one certificate matches the certificate request).
  • The client is then redirected to perform SAML authentication with the IdP (while the Portal/Gateway waits for the Assertion) in the default system browser or a webview.
  • After successful IdP authentication, the client is redirected back to the Portal/Gateway address to provide the Assertion to the ACS URL.
  • The browser/webview reaches out to the ACS page and, during the TLS handshake, is asked to provide a certificate (even though none is needed on the MP side, by authd).
  • Regardless of whether the client provides a certificate or not, authentication is successful, since the client certificate is not validated for the ACS request: it was already checked prior to SAML authentication, during the initial Portal/Gateway TLS handshake.


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wlAiCAI&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail