Why the GlobalProtect Clientless VPN Portal shows a plaintext username and other SAML-related headers in the browser's Developer Tools
Question
Why are the SAML-related headers and attributes (e.g. saml-username) displayed in the browser's developer tool or SAML tracer on an endpoint when accessing the GlobalProtect Clientless VPN Portal, and is it a security vulnerability?
Environment
PAN-OS
GlobalProtect Portal (including Clientless VPN)
SAML Authentication
Web browser > Developer Tool or SAML Tracer
Answer
When a user authenticates to the GlobalProtect Portal (including Clientless VPN) using SAML authentication, the SAML Identity Provider (IdP) sends a SAML Assertion back to the PAN-OS firewall's Assertion Consumer Service (ACS) URL. Once the firewall (acting as the Service Provider) validates the assertion, it sends an ACS response back to the client that includes SAML headers and attributes (e.g. saml-username). The headers and attributes within the HTTP Response are used for GlobalProtect authentication and session management.
When a browser's developer tools or a SAML tracer is used to view the HTTP request and response, the browser may display the data in plaintext (e.g. saml-username: user1@example.org). Plaintext data appearing in browser developer tools is expected and standard for any application that authenticates over HTTPS: the tools show requests before the browser encrypts them with TLS and responses after the browser has decrypted them, so they display what the application sends and receives rather than what is on the wire.
It is important to understand that the GlobalProtect Clientless VPN Portal is a reverse proxy that rewrites application content, and that all GlobalProtect connections from the client's browser to the Portal (including the SAML ACS) are encrypted with TLS; therefore, data in transit is fully secure and not exposed on the network/wire.
If GlobalProtect Portal or SAML authentication content is cached by the browser and saved to the system disk, it is the operating system's responsibility to secure that data at rest.
Additional Information
To prevent end users from using the browser's developer tools and SAML-tracer add-ons/extensions, have your IT team evaluate the browser's enterprise policy options and block developer tools and the installation of extensions/add-ons.
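As an added example (not from this article or from Palo Alto Networks), the following PowerShell applies the Chromium enterprise policies that disable Developer Tools and block extension installation for Google Chrome and Microsoft Edge on a Windows endpoint, then reads the values back. It assumes an elevated shell, machine-wide (HKLM) policy, and that an allowlist for approved corporate extensions is managed separately; the function names are assumptions of this example.

```powershell
# Added example: hardening Chrome/Edge against developer tools and ad-hoc extensions.
# Policy names used here are Chromium enterprise policies:
#   DeveloperToolsAvailability  DWORD  2 = Developer Tools disallowed (1 = allowed)
#   ExtensionInstallBlocklist   entry "*" = block installation of every extension
# Both browsers read these from HKLM\SOFTWARE\Policies\... on the next policy refresh.
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)

function Set-BrowserHardeningPolicy {
    param([Parameter(Mandatory)][string]$Root)
    if (-not (Test-Path $Root)) { New-Item -Path $Root -Force | Out-Null }
    # Disallow Developer Tools entirely (value 2).
    New-ItemProperty -Path $Root -Name 'DeveloperToolsAvailability' `
        -PropertyType DWord -Value 2 -Force | Out-Null
    # Block all extension installs; approved ones go in ExtensionInstallAllowlist.
    $blocklist = Join-Path $Root 'ExtensionInstallBlocklist'
    if (-not (Test-Path $blocklist)) { New-Item -Path $blocklist -Force | Out-Null }
    New-ItemProperty -Path $blocklist -Name '1' -PropertyType String -Value '*' -Force | Out-Null
}

function Test-BrowserHardeningPolicy {
    param([Parameter(Mandatory)][string]$Root)
    $devTools = (Get-ItemProperty -Path $Root -Name 'DeveloperToolsAvailability' `
        -ErrorAction SilentlyContinue).DeveloperToolsAvailability
    $blocked = (Get-ItemProperty -Path (Join-Path $Root 'ExtensionInstallBlocklist') `
        -ErrorAction SilentlyContinue).'1'
    [pscustomobject]@{
        PolicyRoot           = $Root
        DevToolsDisallowed   = ($devTools -eq 2)
        AllExtensionsBlocked = ($blocked -eq '*')
    }
}

foreach ($root in $policyRoots) {
    Set-BrowserHardeningPolicy -Root $root
    Test-BrowserHardeningPolicy -Root $root
}
```

After the browser restarts, chrome://policy or edge://policy shows whether each policy was applied; Firefox uses the DisableDeveloperTools and ExtensionSettings keys in its policies.json instead.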