Does the SAML URL need to be exempted in the enforcer setting when GP uses webview2?

Created On 07/17/24 08:55 AM - Last Modified 06/27/25 19:48 PM


Question


Does the SAML URL need to be exempted in the enforcer setting when GP uses webview2?

 



Environment




Answer


  1. With webview2, there is no need to configure an exception in the enforcer setting for GP to reach the SAML URL.
  2. PanGPA has a message/command that sends the webview2-pid to PanGPS so that PanGPS/Enforcer sets the allow exception.
  3. Enforcer exceptions are only required when using the default browser.


Additional Information


1. PanGPA checks whether Enforcer is enabled before triggering the embedded browser (webview2) SAML dialog.
2. If Enforcer is set/enabled, PanGPA signals PanGPS to exclude the webview2 pid from the enforcer.

Debug( 331): Enforcer check: HandleSamlModel m_bEnforceGP 1 Webview2Installed 1
Debug( 643): Command = <request><type>webview2-pid</type><add>1</add></request>

3. PanGPS adds the webview2 pid to the whitelisted apps and informs PanGPA.

Debug(4371): Enforcer,start adding webview2 app to white list
Debug(4391): Enforcer,Allow App Temp: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
Debug(4409): Enforcer,finished adding webview2 app to white list 
Debug(2333): Send response to client for request webview-enforcer-exception-set

4. PanGPA receives the response.

Debug( 305): message type from the service = webview-enforcer-exception-set
Debug( 409): Receive gps message with type webview-enforcer-exception-set.
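
To confirm from collected logs that this exchange completed, the following added example (not Palo Alto Networks code) looks for each stage above in order and reports which ones are missing, plus the executable that was allowed. The function name, the stage names and the split of the lines by component are assumptions made for this example; the sample lines are the excerpts quoted in this article.

```python
import re
from pathlib import PureWindowsPath

# Exchange stages in the article's order: (component, stage name, pattern).
STAGES = [
    ("PanGPA", "enforcer_check",
     r"Enforcer check: HandleSamlModel m_bEnforceGP (\d) Webview2Installed (\d)"),
    ("PanGPA", "pid_request", r"<type>webview2-pid</type><add>1</add>"),
    ("PanGPS", "allow_app", r"Enforcer,Allow App Temp: (.+?)\s*$"),
    ("PanGPS", "allow_done", r"Enforcer,finished adding webview2 app to white list"),
    ("PanGPS", "response_sent",
     r"Send response to client for request webview-enforcer-exception-set"),
    ("PanGPA", "response_received",
     r"Receive gps message with type webview-enforcer-exception-set"),
]

def check_exchange(pangpa_lines, pangps_lines):
    """Return (missing_stages, allowed_exe) for one webview2 exception exchange."""
    logs = {"PanGPA": list(pangpa_lines), "PanGPS": list(pangps_lines)}
    pos = {"PanGPA": 0, "PanGPS": 0}  # a stage must follow the previous one in its log
    missing, allowed_exe = [], None
    for log, name, pattern in STAGES:
        rx = re.compile(pattern)
        for i in range(pos[log], len(logs[log])):
            m = rx.search(logs[log][i])
            if m:
                pos[log] = i + 1
                if name == "allow_app":
                    # Keep only the file name of the temporarily allowed application.
                    allowed_exe = PureWindowsPath(m.group(1)).name
                break
        else:
            missing.append(name)
    return missing, allowed_exe

# Sample lines: the article's excerpts, split by the component its steps attribute them to.
PANGPA = [
    "Debug( 331): Enforcer check: HandleSamlModel m_bEnforceGP 1 Webview2Installed 1",
    "Debug( 643): Command = <request><type>webview2-pid</type><add>1</add></request>",
    "Debug( 305): message type from the service = webview-enforcer-exception-set",
    "Debug( 409): Receive gps message with type webview-enforcer-exception-set.",
]
PANGPS = [
    "Debug(4371): Enforcer,start adding webview2 app to white list",
    r"Debug(4391): Enforcer,Allow App Temp: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe",
    "Debug(4409): Enforcer,finished adding webview2 app to white list",
    "Debug(2333): Send response to client for request webview-enforcer-exception-set",
]

if __name__ == "__main__":
    missing, exe = check_exchange(PANGPA, PANGPS)
    print("missing stages:", missing or "none", "| allowed app:", exe)
```

A missing `pid_request` or `allow_done` stage on a client where Enforcer is enabled points to the exception never being set, and an allowed file name other than `msedgewebview2.exe` is worth a closer look.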

