https://live.paloaltonetworks.com/t5/globalprotect-discussions/ios-user-logon-always-on-saml-is-not-working/m-p/519633#M3386 <P>SAML is only supported for iOS with On-Demand.</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/compatibility-matrix/globalprotect/what-features-does-globalprotect-support" target="_blank">What Features Does GlobalProtect Support? (paloaltonetworks.com)</A></P> Sun, 30 Oct 2022 20:23:14 GMT dmifsud 2022-10-30T20:23:14Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/ios-user-logon-always-on-saml-is-not-working/m-p/474189#M2600 <P><SPAN>&gt;Founf this in the release note: GPC-6663 </SPAN></P><P><SPAN>The GlobalProtect app for iOS does not support SAML authentication when you configure GlobalProtect with the User-logon (Always On) Connect Method (NetworkGlobalProtectPortals&lt;portal-config&gt;Agent&lt;agent-config&gt;App). This limitation is due to the Apple Network Extension framework, which blocks network connections from the GlobalProtect app (where users are authenticated to their organization’s SAML identity provider) until the VPN tunnel is created. #</SPAN><A href="https://docs.paloaltonetworks.com/globalprotect/4-1/globalprotect-app-release-notes/gp-app-release-information/limitations.html" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/globalprotect/4-1/globalprotect-app-release-notes/gp-app-release-information/limitations.html</A></P><P>&nbsp;</P><P>&gt;<SPAN>In the newer versions 5.1,5.2,5.3 and 6.0 I didn't see information that this issue got fixed, (since it's due to the Apple Network Extension framework, probably it can not be fixed on our side alone?).</SPAN></P><P>&nbsp;</P><P><SPAN>&gt;Work around found here in this article, please follow the resolution to configure On-demand as Connect Method for IOS devices. <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMfYCAW" target="_blank" rel="noopener">#https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMfYCAW</A></SPAN></P><P>&nbsp;</P><P><SPAN>&gt;Is there any solution to this?</SPAN></P> Fri, 18 Mar 2022 01:35:59 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/ios-user-logon-always-on-saml-is-not-working/m-p/474189#M2600 rxie 2022-03-18T01:35:59Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/ios-user-logon-always-on-saml-is-not-working/m-p/519591#M3385 <P>We're experiencing the same issue. Appreciate the insight. After applying your linked work around I'm unable to get the iOS agent config selection criteria to apply despite being having the iOS os specific profile above the any OS profile. Used no login banner in the iOS profile to distinguish between the 2 profiles. I still see the login banner and get the app notification "Always on mode is enabled. Please login to continue". Regardless submitted PA-TAC ticket and will post how we resolve.</P> Sat, 29 Oct 2022 01:55:12 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/ios-user-logon-always-on-saml-is-not-working/m-p/519591#M3385 Joseph.Johnson 2022-10-29T01:55:12Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/ios-user-logon-always-on-saml-is-not-working/m-p/519633#M3386 <P>SAML is only supported for iOS with On-Demand.</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/compatibility-matrix/globalprotect/what-features-does-globalprotect-support" target="_blank">What Features Does GlobalProtect Support? (paloaltonetworks.com)</A></P> Sun, 30 Oct 2022 20:23:14 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/ios-user-logon-always-on-saml-is-not-working/m-p/519633#M3386 dmifsud 2022-10-30T20:23:14Z