GlobalProtect SAML Deployment Enhancements in PAN-OS 11.1.0 and later
962
Created On 10/08/25 17:17 PM - Last Modified 11/12/25 22:18 PM
Symptom
Receive a default browser prompt during GlobalProtect app authentication after upgrading to PAN-OS 11.1.x, despite the Agent App configuration for “Use Default Browser for SAML Authentication” being set to No
Environment
- Palo Alto Networks Firewall
- Globalprotect Portal
- SAML authentication
Cause
- If any Agent App configuration has “Use Default Browser for SAML Authentication” enabled, all Client Authentication entries for that portal will have “Use Default Browser” enabled after the upgrade.
- Customers with multiple Agent App configurations using different “Use Default Browser for SAML Authentication” settings (assuming SAML is in use) will have all configurations overwritten to use the default browser post-upgrade.
Example:
The screenshot below shows two Agent App configurations: config1 and config2. config1 has “Use Default Browser for SAML Authentication” set to No, while config2 has it set to Yes.
In this scenario, after upgrading to PAN-OS 11.1.0 or higher, all Client Authentication entries for that portal will have “Use Default Browser” enabled.
- The new configuration item will be removed if a downgrade is performed.
Resolution
- To disable this feature after the upgrade, Navigate to GlobalProtect Portal Configuration > Authentication > Client Authentication and uncheck “Use Default Browser.”
Commit the changes, and the system will revert to the default configuration defined under <client-config> for “Use Default Browser for SAML Authentication.”