GP Authentication Override Cookie is not supported with a SAML Auth Profile that only has SAML-based Group Attributes in the Allow List
Symptom
GP cookie-based authentication (Authentication Override Cookie) fails with "User not in allow list" when an Allow List is configured in the SAML Auth Profile
GP SAML authentication with a fresh SAML Assertion works with the same SAML Auth Profile
Environment
GlobalProtect
SAML Authentication
SAML-based Group Attribute in Allow List
Authentication Override Cookie
Cause
SAML-based Group Attributes can be used in the Allow List of a SAML Authentication Profile, as discussed in the KB: Use SAML User Group Attribute in Allow List to authenticate a GP Portal user
The SAML-based Group attribute is carried only in the SAML Assertion response. The authd process evaluates it against the configured SAML-based Group attribute value; if it matches, the allow list check passes and SAML Authentication with the SAML Auth Profile succeeds.
However, when the Allow List contains ONLY the SAML-based Group Attribute (that is, no AD-based group fetched through AD Group Mapping is configured in the Allow List) and the GP App authenticates with the Authentication Override Cookie, the allow list check for Cookie Authentication fails with "User not in allow list" for the SAML Auth Profile. The cookie does not contain any group information, and authd does not store SAML-based Group attribute values from past SAML Assertions, so there is nothing to evaluate against the configured SAML-based group.
This behavior is expected: Cookie Authentication is not supported with a SAML Auth Profile that has ONLY SAML-based Group Attributes in the Allow List.
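The following Python model makes the evaluation above concrete. It is an added illustration, not PAN-OS or authd code; the class names, the `memberOf` attribute name, the group names, the user `alice` and the group-mapping entry are all constructed for the example. It shows the three cases that matter here: a fresh SAML Assertion passing the SAML-based group check, the override cookie failing the same check because it carries no group attribute and nothing from the earlier assertion is retained, and the cookie passing once the Allow List also contains an AD group obtained through Group Mapping, which authd can evaluate from the mapping rather than from the assertion.

```python
"""Model of the allow-list evaluation described in the Cause section.

Constructed illustration only: this is not PAN-OS / authd code. The class
names, the "memberOf" attribute, the group names, the user and the group
mapping are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple, Union


@dataclass
class SamlAssertion:
    """A fresh SAML response: carries the user plus the attributes the IdP sent."""
    user: str
    attributes: Dict[str, List[str]] = field(default_factory=dict)


@dataclass
class AuthOverrideCookie:
    """The Authentication Override Cookie: identity only, no group attributes."""
    user: str


Credential = Union[SamlAssertion, AuthOverrideCookie]


@dataclass
class AllowList:
    """Allow List of a SAML Auth Profile (every entry type is optional)."""
    saml_group_attribute: Optional[str] = None                 # e.g. "memberOf"
    saml_group_values: Set[str] = field(default_factory=set)  # SAML-based group entries
    ad_groups: Set[str] = field(default_factory=set)          # groups from AD Group Mapping


def allow_list_check(
    cred: Credential,
    allow_list: AllowList,
    group_mapping: Dict[str, Set[str]],
) -> Tuple[bool, str]:
    """Return (allowed, reason).

    Mirrors the behaviour described above: only a SAML Assertion carries group
    attributes, and nothing from a previous assertion is kept for a later
    cookie-based login.
    """
    # AD-based groups come from Group Mapping, so they are available no matter
    # which credential type (assertion or cookie) the GP App presented.
    if group_mapping.get(cred.user, set()) & allow_list.ad_groups:
        return True, "matched AD group via Group Mapping"

    # SAML-based groups exist only inside the assertion that was just received.
    if isinstance(cred, SamlAssertion) and allow_list.saml_group_attribute:
        presented = set(cred.attributes.get(allow_list.saml_group_attribute, []))
        if presented & allow_list.saml_group_values:
            return True, "matched SAML-based group attribute"

    return False, "User not in allow list"


# --- constructed scenario data (assumptions for the example) ---------------
SAML_ONLY = AllowList(saml_group_attribute="memberOf", saml_group_values={"gp-users"})
WITH_AD_GROUP = AllowList(
    saml_group_attribute="memberOf",
    saml_group_values={"gp-users"},
    ad_groups={"cn=gp-users,ou=groups,dc=example,dc=com"},
)
# What AD Group Mapping would have learned for the user, independent of SAML.
GROUP_MAPPING = {"alice": {"cn=gp-users,ou=groups,dc=example,dc=com"}}


def first_login_with_assertion(allow_list: AllowList = SAML_ONLY) -> Tuple[bool, str]:
    """Initial GP login: the IdP asserts memberOf=gp-users, so the check passes."""
    assertion = SamlAssertion("alice", {"memberOf": ["gp-users"]})
    return allow_list_check(assertion, allow_list, GROUP_MAPPING)


def later_login_with_cookie(allow_list: AllowList = SAML_ONLY) -> Tuple[bool, str]:
    """Subsequent login with the override cookie issued after the first login."""
    cookie = AuthOverrideCookie("alice")
    return allow_list_check(cookie, allow_list, GROUP_MAPPING)


if __name__ == "__main__":
    print("assertion, SAML-only allow list:", first_login_with_assertion())
    print("cookie, SAML-only allow list:   ", later_login_with_cookie())
    print("cookie, AD group in allow list: ", later_login_with_cookie(WITH_AD_GROUP))
```

Running the block prints the assertion login succeeding, the cookie login against the SAML-only Allow List failing with "User not in allow list", and the cookie login succeeding once an AD group from Group Mapping is present in the Allow List, which is exactly the difference the workaround below relies on.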
Resolution
Workaround:
- Disable Cookie Authentication on the GP Portal/Gateway so that the GP App always authenticates with a fresh SAML Assertion, OR
- Remove the SAML-based Group Attribute from the Allow List (for example, use a group fetched through AD Group Mapping instead; that group is evaluated from the mapping rather than from the SAML Assertion, so it is available during Cookie Authentication as well)