topic Re: Global Protect Portal - Azure SAML Authentication in GlobalProtect Discussions

Global Protect Portal - Azure SAML Authentication

mkbecker21 — Wed, 11 May 2022 14:45:54 GMT

Users can't complete authentication to the Global Protect portal with Azure SAML auth. When I go to the portal address in a web browser it redirects me to an Office 365 login, I enter my credentials and MFA code, it sits on a login.microsoftonline.com URL loading and eventually fails with the this URLin the address bar, <global-protect-url>/SAML20/SP/ACS. Chrome returns an ERR_EMPTY_RESPONSE, Firefox returns a message saying, "The page you are trying to view cannot be shown because the authenticity of the received data could not be verified."

I followed this documentation for setting up the Azure SAML authentication: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE

The user authenticates successfully on the Azure side but the authentication never gets passed back to the firewall.

If I switch the authentication for the portal over to LDAP I can login. Computer with the Global Protect agent can't connect either but I switched to troubleshooting in the browser to eliminate the agent version being an issue.

Re: Global Protect Portal - Azure SAML Authentication

Marcin_Szy — Thu, 12 May 2022 13:57:13 GMT

Hi,

In my case, it was a network issue. Enabling Adjust MSS with default value on the interface hosting GlobalProtect Portal solved the problem.

Regards,

Re: Global Protect Portal - Azure SAML Authentication

mkbecker21 — Thu, 12 May 2022 14:41:32 GMT

This solved it, thank you. We had to enable this setting for our WAN interface a while back too. Do you have any idea why it would all of a sudden need to be enabled? Global Protect has been working for a few months now up until the other day.

Re: Global Protect Portal - Azure SAML Authentication

Marcin_Szy — Thu, 12 May 2022 14:53:50 GMT

I suppose that something has to change in the communication path which caused problems with TCP packets with too big payload (maybe some extra encapsulation).
In my case, the issue occurs on PA-VM Hyper-V, but I have PA-VM on VMWare, where SAML is working without any adjustments.

Re: Global Protect Portal - Azure SAML Authentication

mkbecker21 — Thu, 12 May 2022 14:59:26 GMT

Our firewall is a PA-VM on Hyper-V as well so that is interesting.

My thought as well, I have a support ticket open but haven't gotten response after 2 days. If they ever respond I'll see if they can confirm that or agree that is a likely explanation. If they give any helpful info I'll post back here for anyone having this issue in the future.

Re: Global Protect Portal - Azure SAML Authentication

Peri_Similien_SS — Thu, 29 Feb 2024 17:23:44 GMT

Give more detail on the fix, I am having the same issue but unable to follow your direction.