Connect Before Logon is not working when using CAS as Authentication method
Created On 07/24/25 10:04 AM - Last Modified 11/26/25 16:10 PM
Symptom
- GlobalProtect users receive a blank screen during CBL when using CAS SAML Authentication.
- Nothing happens with "Click Here" after Authentication is complete.
Environment
- Palo Alto Firewalls
- Prisma Access Firewalls
- GlobalProtect (GP) App
- Connect Before Logon (CBL)
- CAS SAML Authentication
Cause
- The GP app can only use the embedded browser for CBL.
- CAS SAML requires the default browser, which is not possible with CBL.
Resolution
- CBL works with CAS in the embedded browser when the cas-embedded-browser option is set to yes.
- Follow the steps below to enable the feature flag:
  - Upgrade PAN-OS to version 11.2.x or later.
  - Upgrade the GP app to version 6.3.x or later.
  - Enable the CAS embedded browser option from the firewall CLI to use CAS SAML with the CBL embedded browser:
    > set global-protect embedded-browser-cas enable [nothing returned if feature flag is already enabled]
    > show global-protect embedded-browser-cas [Verify the feature flag is enabled]
NOTE: If it still does not work, loads a blank page, or gives a script loading error, it might be due to the limitation of CBL using an older webview.