GP App's SAML Authentication; Embedded webview or Default Browser displays ERR_EMPTY_RESPONSE

Created On 10/23/25 19:46 PM - Last Modified 10/23/25 19:56 PM


Symptom


Embedded webview or Default Browser displays ERR_EMPTY_RESPONSE
SAML Authentication fails for GP App connectivity to the GP Portal/Gateway

NOTE: In the default browser case, if the user manually refreshes the SAML Auth webpage, it might work



Environment


GP App
SAML Authentication
Embedded webview or Default Browser
GP Portal/Gateway firewall

 



Cause


How the GP App SAML authentication flow works:

  1. GP App gets the SAML Request from the GP Portal/Gateway firewall
  2. With embedded browser:
    1. GP App opens TLS connections with the SAML IdP, sends the SAML Request to the IdP, and gets the SAML Assertion in response after the user authenticates
    2. GP App submits the SAML Assertion to the GP Portal/Gateway via the SAML ACS URL and gets a response
  3. With default browser:
    1. GP App redirects the user to the default browser
    2. The default browser opens TLS connections with the SAML IdP, sends the SAML Request to the IdP, and gets the SAML Assertion in response after the user authenticates
    3. The default browser submits the SAML Assertion to the GP Portal/Gateway via the SAML ACS URL and gets a response
    4. When the user clicks the "Click here" button on the successful SAML authentication page, a callback is sent to the GP App and it gets control back from the default browser

Note that there are two main types of TLS connection legs in the flow:

  1. Embedded/Default Browser <-> SAML IdP
  2. Embedded/Default Browser <-> GP Portal/Gateway firewall 

If any TLS connection on these legs fails to send an HTTP Request or to receive an HTTP Response (i.e., encrypted application data), the embedded webview or default browser will display ERR_EMPTY_RESPONSE.

Several scenarios could cause ERR_EMPTY_RESPONSE:

  • Connectivity issues to the SAML IdP or GP Portal/Gateway firewall
  • Misconfigured browser settings or proxy
  • Browser cache files 
  • Browser extensions or add-ons that block connections to the SAML IdP or GP Portal/Gateway
  • Endpoint security: the system firewall, antivirus software, or EDR can sometimes block the connection to a website


Resolution


A packet capture will show exactly what has been happening on the TLS connections.

We often see SAML authentication stop with ERR_EMPTY_RESPONSE in environments where an endpoint security app blocks (does not allow) TLS connections or Application Data to the domains used for the SAML IdP or GP Portal/Gateway.

Please make sure you whitelist the GP App processes (PanGPA and PanGPS) and all the domains relevant to SAML authentication (i.e., SAML IdP domains, SAML IdP CDNs, GP Portal/Gateway FQDN/IP) in the endpoint security app.
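One way to read such a packet capture, as an added example (not Palo Alto Networks code): walk the TLS record headers in each direction of a connection and report, per leg, whether an HTTP request and response were actually exchanged. It assumes TLS 1.2 flows already reassembled per direction, where record type 23 carries only HTTP data (in TLS 1.3 part of the handshake also travels as type 23); the hostnames, byte streams and function names are constructed for illustration.

```python
import struct

CCS, ALERT, HANDSHAKE, APPDATA = 20, 21, 22, 23  # TLS record content types (RFC 5246)

def record_types(stream: bytes) -> list:
    """Content types of the complete TLS records in one direction's reassembled TCP payload."""
    types, off = [], 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        if ctype not in (CCS, ALERT, HANDSHAKE, APPDATA) or off + 5 + length > len(stream):
            break  # not a TLS record, or the record was cut short
        types.append(ctype)
        off += 5 + length
    return types

def classify(c2s: bytes, s2c: bytes) -> str:
    """How far a TLS 1.2 connection got, judged from the record types each side sent."""
    client, server = record_types(c2s), record_types(s2c)
    if HANDSHAKE not in client:
        return "no ClientHello sent"
    if HANDSHAKE not in server:
        return "ClientHello unanswered"
    if CCS not in client or CCS not in server:
        return "handshake incomplete"
    if APPDATA not in client:
        return "HTTP request never sent"
    if APPDATA not in server:
        return "HTTP request sent, no response"  # request left, nothing came back
    return "request and response exchanged"

def report(flows, portal_hosts):
    """Pair each flow with its leg of the SAML flow (assumption: non-portal hosts are IdP/CDN)."""
    return [("GP Portal/Gateway" if host in portal_hosts else "SAML IdP", host, classify(c2s, s2c))
            for host, c2s, s2c in flows]

def rec(ctype: int, size: int) -> bytes:  # constructed TLS 1.2 record: header + zero-filled body
    return struct.pack("!BHH", ctype, 0x0303, size) + bytes(size)

# Constructed sample flows with hypothetical hostnames, not taken from a real capture.
HELLO = rec(HANDSHAKE, 200)
C_DONE = HELLO + rec(HANDSHAKE, 70) + rec(CCS, 1) + rec(HANDSHAKE, 40)
S_DONE = rec(HANDSHAKE, 3000) + rec(CCS, 1) + rec(HANDSHAKE, 40)
FLOWS = [
    ("idp.example.com", C_DONE + rec(APPDATA, 600), S_DONE + rec(APPDATA, 4000)),
    ("cdn.idp.example.com", HELLO, b""),
    ("vpn.example.com", C_DONE + rec(APPDATA, 9000), S_DONE),
]
if __name__ == "__main__":
    print(*report(FLOWS, {"vpn.example.com"}), sep="\n")
```

A flow that stops at "ClientHello unanswered" or "HTTP request sent, no response" identifies the leg and domain to check against the endpoint security app's rules.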


