The GlobalProtect default browser fails to load if it's configured under the Portal's App tab but not under the Portal's Authentication tab

• When 'Use Default Browser for SAML Authentication' is enabled under the GlobalProtect agent configuration, the embedded browser is still used if the setting is not enabled under the Portal's authentication tab

• The default browser is used when 'Use Default Browser' is enabled under the Portal Client Authentication.

• Palo Alto Firewalls
• PANOS-11.1.1
• GlobalProtect App version 6.3.3

• The Portal's authentication tab settings take precedence over the App tab settings.
• This is because the application can't access or apply the App tab settings until the user has successfully completed authentication.

Ensure that the 'Use Default Browser' option is enabled under the Authentication profile in the GlobalProtect Portal configuration by completing the steps below.  These setting ensures that SAML authentication launches in the system’s default browser.

1.  Log in to the Palo Alto Networks Firewall GUI.
2.  Navigate to the 'Network' tab.
3.  Under 'GlobalProtect', click 'Portals'.
4. Select the Portal you have configured. 
5. Go to the 'Authentication' tab.
6. Under 'Client Authentication', select the configured profile.
7. Check the box for 'Use Default Browser'.
8. Commit the configuration changes.
9. Reconnect GlobalProtect to verify that authentication occurs using the system’s default browser.