topic Re: Azure SAML double windows to select account in GlobalProtect Discussions

Azure SAML double windows to select account

MaximeMertens — Fri, 27 Jan 2023 02:36:26 GMT

Hello everyone,

We have configured a new set-up for GlobalProtect which use Auzre SAML authentication and Microsoft Authenticator
It's all working fine with the exception of this weird behavior:

- User connect to the portal with SAML authentication

- A window open for the user to select an AD account to use

- User select account

- New window open asking to ack the MS authenticator prompt, user accept.

- Authentication is successful

(So far so good)

- Then a second window asking to select an account appears

- User select the account and is logged in.

We want to get rid of that second windows but after scouring all the resources I could find, I can't figure out where this windows is coming from. Assuming it's the gateway.

As a test , I removed the authentication on the external gateway, but access is not working at all.
SAML is configured with Single sign-out.

User is using GP 5.2.11-10

Palo is 9.1.11-h3

Portal is configured to generate a cookie for auth override.

Gateway is configured to accept the cookie.

Certificate to encrypt/decrypt on Portal and Gateway is the same.

Use Default Browser for SAML Authentication in the App config is set to NO

Did anyone faced the same behavior and manage to have it fixed?
A ticket has been opened, and suggest to Validate Identity Provider Certificate in the SAML server profile. I don't see how it will solve the issue as the authentication is successful.

Best regards,
Max

Re: Azure SAML double windows to select account

MaximeMertens — Fri, 27 Jan 2023 02:42:14 GMT

To clarify the double windows, it's not coming from the GlobalProtect client.
It's a Windows window like this one

Re: Azure SAML double windows to select account

Raido_Rattameister — Fri, 27 Jan 2023 03:03:16 GMT

Go to Monitor > Logs > GlobalProtect, filter out login events ( stage eq login ) and check "Auth Method" column.
If cookie works then Portal auth method should show SAML and gateway Cookie.

New cookie is generated only if old cookie is expired.

Try to change portal cookie lifetime to 1 minute as well.

Re: Azure SAML double windows to select account

MaximeMertens — Fri, 27 Jan 2023 04:22:56 GMT

Hello Raido,

Thanks for your answer.
Both Portal and Gateway shows "SAML" for auth method, so I assume the cookie is not used for the gateway authentication.

Portal and GW have the same Client authentication with the same authentication profile.

I did try to remove the Client authentication on the Gateway but then the user was not able to connect at all.

Kind regards,

Max

Re: Azure SAML double windows to select account

Raido_Rattameister — Fri, 27 Jan 2023 04:37:07 GMT

As step 1 try newer GlobalProtect agent.

You are using 5.2.11

For example 5.2.12 had some GlobalProtect auth and SAML issues fixed.

If newer agent don't fix it then try to enable cookie generation on gateway temporarily and set accept time a bit longer (like 5 mins).

Connect to Globalprotect.

Disconnect from GlobalProtect.

Connect to GlobalProtect again.

Was cookie used during second connection attempt if cookie was first generated by gateway itself?

Re: Azure SAML double windows to select account

MaximeMertens — Fri, 27 Jan 2023 04:43:07 GMT

Let me try that, I'll update the topic with result

Re: Azure SAML double windows to select account

JoergSchuetter — Fri, 27 Jan 2023 07:17:23 GMT

Did you add both fqdn's (portal and gateway) to the SAML config (on Microsoft)?

Re: Azure SAML double windows to select account

MaximeMertens — Mon, 30 Jan 2023 07:45:09 GMT

Hello,

For the new version, It'll be installed tomorrow, user doesn't have admin right.

We tested the cookie generation and accept on the gateway to no avail. Still see both SAML on the auth method.

@JoergSchuetter , the FQND is used on the SAML config on Azure. That FQDN is resolving to the IP of the Portal and Gateway.

On the PAN GPS log, I see this entry in the ----Gateway Pre-login starts---- part:

(P5076-T16812)Debug(2284): 01/30/23 16:29:13:678 Failed to open file C:\Users\XXX\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_xxxxxxxxxxx.dat

That file is PanPUAC.dat file is the Portal authentication cookie, we checked the access right of the folder and it looks ok. The user has full control to the folder.

Kind regards,
Maxime

Re: Azure SAML double windows to select account

MaximeMertens — Tue, 31 Jan 2023 05:09:54 GMT

So,

We redid a battery of test today and found a work around.
1- When the portal and gateway are set to generate and accept cookie, the double prompt is happening.

Happening as well if Portal is set to generate and Gateway to accept.

2- When the portal is set to only accept and the gateway to generate and accept. Two prompt prompt the first time, then after the cookie is generated by the gateway, it can be used by the portal for the authentication.

The client is not able to read the cookie generated by the portal. It's been generated, can see it in the folder C:\Users\%USERNAME%\AppData\Local\Palo Alto Networks\GlobalProtect but it can't be read.

(P5076-T10004)Debug(9092): 01/31/23 14:36:11:444 ----Portal Login starts----
(P5076-T10004)Debug(2284): 01/31/23 14:36:11:444 Failed to open file C:\Users\USER\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_xxxxxxxxxxxxxxxxxxxx.dat

This is a know bug by Palo and expected to be fixed in 10.2.4

I still have to try with GP client version 5.2.12 with Portal generating the cookie and the Gateway accepting it.

Work around for now is to set the lifetime of the cookie to a few days or a year (max value). In this case users will only have the two prompts for account selection the first time they connect or until the cookie is no longer valid.

Thank you all for your help.

Edit: We did remove the AD group from Portal, Gateway and Auth profile to no avail. It was the work around that Palo provided but didn't work in our case.

Re: Azure SAML double windows to select account

MaximeMertens — Wed, 15 Feb 2023 03:28:27 GMT

GP version 5.2.12 is the same behavior. Will retest after upgrade PANOS to 9.1.15-h1