SAML With GlobalProtect Application Doesn't Prompt For Selection Of Second Factor Authentication

SAML With GlobalProtect Application Doesn't Prompt For Selection Of Second Factor Authentication

5223
Created On 03/06/20 18:22 PM - Last Modified 07/21/20 20:30 PM


Symptom
  • Users are prompted for second factor using SAML from a browser window, but not from the GlobalProtect agent.
  • User tries to connect GlobalProtect using GlobalProtect Agent application, it sees a SAML login page for secure authentication.
  • After providing login credentials user's must be prompted for selection of second factor authentication.
  • Example: receiving pass code via phone or email for second factor authentication.


Environment
  • Global Protect
  • Any current PAN-OS
  • Client device with GP Agent installed


Cause
  • The IDP's server login page does not count browsers rather than standard ones, based on their user agent string.
  • For GlobalProtect, browser's user-agent string is "Pan GlobalProtect" and "GlobalProtect Mac GP Client" which will be recognized by the IDP login page.


Resolution
Update the login page to take into account user agent (just search for "GlobalProtect" in the user-agent string.)

 



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000POxo&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail

Attachments
Choose Language