GlobalProtect SAML authentication with Embedded Browser on macOS fails against Microsoft IdP with Conditional Access Policies requiring Device ID

Created On 06/09/25 08:21 AM - Last Modified 11/12/25 22:25 PM


Symptom


SAML authentication against the Microsoft Entra ID IdP fails with error code AADSTS53003, which means a Conditional Access policy blocked access to the resource. In the Entra ID sign-in log entry for the failed attempt, the Device ID under the device details is empty, so a policy that requires an identified (compliant or joined) device cannot be satisfied and the sign-in is blocked.
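To separate this failure mode from ordinary Conditional Access blocks on a genuinely non-compliant device, it helps to triage a sign-in log export for the exact signature: error code 53003 together with an empty Device ID. The script below is an added example, not part of this article or of any Palo Alto Networks or Microsoft tooling. It works on a constructed sample shaped like Microsoft Graph `signIn` objects; the field names (`status.errorCode`, `deviceDetail.deviceId`, `appliedConditionalAccessPolicies`) are assumed from that schema and the values are made up.

```python
"""Triage an Entra ID sign-in log export for Conditional Access blocks (AADSTS53003)
where the client sent no device identifier, the symptom described in this article."""
import json
from collections import Counter

# AADSTS53003: access blocked by a Conditional Access policy.
BLOCKED_BY_CONDITIONAL_ACCESS = 53003

# Constructed sample export (assumed Graph signIn shape; every value is made up).
SAMPLE_SIGNINS = json.dumps([
    {   # embedded-browser case: blocked, and no Device ID was sent
        "id": "sa-0001",
        "appDisplayName": "GlobalProtect VPN",
        "userPrincipalName": "alice@example.com",
        "status": {"errorCode": 53003, "failureReason": "Blocked by Conditional Access"},
        "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "isCompliant": False},
        "conditionalAccessStatus": "failure",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require compliant device for VPN", "result": "failure",
             "enforcedGrantControls": ["RequireCompliantDevice"]}
        ],
    },
    {   # healthy sign-in: Device ID present, policy satisfied
        "id": "sa-0002",
        "appDisplayName": "GlobalProtect VPN",
        "userPrincipalName": "bob@example.com",
        "status": {"errorCode": 0, "failureReason": "Other."},
        "deviceDetail": {"deviceId": "3f2c1a9e-0000-4000-8000-000000000002",
                         "operatingSystem": "MacOs", "isCompliant": True},
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require compliant device for VPN", "result": "success",
             "enforcedGrantControls": ["RequireCompliantDevice"]}
        ],
    },
    {   # blocked, but the device WAS identified: a real compliance problem, not this case
        "id": "sa-0003",
        "appDisplayName": "GlobalProtect VPN",
        "userPrincipalName": "carol@example.com",
        "status": {"errorCode": 53003, "failureReason": "Blocked by Conditional Access"},
        "deviceDetail": {"deviceId": "9b1e7c44-0000-4000-8000-000000000003",
                         "operatingSystem": "MacOs", "isCompliant": False},
        "conditionalAccessStatus": "failure",
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require compliant device for VPN", "result": "failure",
             "enforcedGrantControls": ["RequireCompliantDevice"]}
        ],
    },
    {   # unrelated failure with no Device ID (bad password): must not match
        "id": "sa-0004",
        "appDisplayName": "GlobalProtect VPN",
        "userPrincipalName": "dave@example.com",
        "status": {"errorCode": 50126, "failureReason": "Invalid username or password"},
        "deviceDetail": {"deviceId": "", "operatingSystem": "MacOs", "isCompliant": False},
        "conditionalAccessStatus": "notApplied",
        "appliedConditionalAccessPolicies": [],
    },
])


def load_signins(raw_json):
    """Parse a sign-in log export given as a JSON array of signIn objects."""
    entries = json.loads(raw_json)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array of sign-in entries")
    return entries


def is_ca_block_without_device_id(entry):
    """True when the sign-in was blocked by Conditional Access AND the request
    carried no device identifier: the signature of the embedded-browser problem."""
    status = entry.get("status") or {}
    device = entry.get("deviceDetail") or {}
    return (status.get("errorCode") == BLOCKED_BY_CONDITIONAL_ACCESS
            and not device.get("deviceId"))


def failing_policies(entry):
    """Display names of the Conditional Access policies that failed for this sign-in."""
    return sorted(p.get("displayName", "<unnamed>")
                  for p in entry.get("appliedConditionalAccessPolicies") or []
                  if p.get("result") == "failure")


def triage(raw_json):
    """Return the matching sign-in IDs and how often each policy caused the block."""
    matches, policy_counts = [], Counter()
    for entry in load_signins(raw_json):
        if is_ca_block_without_device_id(entry):
            matches.append(entry.get("id"))
            policy_counts.update(failing_policies(entry))
    return {"matches": matches, "policies": dict(policy_counts)}


if __name__ == "__main__":
    result = triage(SAMPLE_SIGNINS)
    print(f"{len(result['matches'])} sign-in(s) blocked with no Device ID: {result['matches']}")
    for name, count in result["policies"].items():
        print(f"  policy {name!r}: {count}")
```

Only `sa-0001` matches: `sa-0003` is also a 53003 block but the device was identified, so it is a compliance problem rather than a missing-signal problem, and `sa-0004` has no Device ID but failed for an unrelated reason. The policy counts tell you which Conditional Access policies to review if the Embedded Browser has to stay in use.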



Environment


  • macOS
  • GlobalProtect version 6.2.3 and above
  • SAML Authentication with Embedded Browser
  • Microsoft Entra ID IdP with Conditional Access Policies


Cause


This is expected behavior. On macOS the GlobalProtect Embedded Browser used for SAML authentication is built on WKWebView and, due to product limitations, cannot collect the device-specific identifiers that Entra ID uses to evaluate device-based Conditional Access conditions. The IdP therefore sees an unidentified device and applies the blocking policy.



Resolution


Configure the GlobalProtect portal to use the System Default Browser for SAML authentication instead of the Embedded Browser. If the Embedded Browser must be used, change the Microsoft Conditional Access policies that apply to the GlobalProtect application so they do not require device signals the Embedded Browser cannot supply (for example, a compliant or registered device requirement). Be aware that the second option removes the device check for those sign-ins rather than satisfying it, so the System Default Browser is the preferred resolution where policy allows. After either change, confirm in the Entra ID sign-in log that the Device ID is populated for new GlobalProtect sign-ins.


