topic Re: Global Protect Pre-Logon followed by SAML SSO in GlobalProtect Discussions

Global Protect Pre-Logon followed by SAML SSO

Namalw — Tue, 08 Sep 2020 06:30:00 GMT

Hi Guys,

I have implemented global protect with pre-logon (device certificate) followed by user logon using SAML (Azure AD as SAML IDP)

When global protect client initiate the user authentication below windows security pop up asking to confirm the certificate.

After confirming the certificate it connects fine and every time user reboot same pop up box comes up, if I replace the SAML auth with LDAP auth, I don't get any pops for certificate and everything works fine.

I have client certificate profile (internal Root and Intermediate CA) attached to client profile in each scenario ( LDAP auth vs SAML)

Also note that pre-logon works fine on each scenario and I can see before login to the machine globalprotect shows connected.

Has anyone come across this or similar issue?

Re: Global Protect Pre-Logon followed by SAML SSO

OwenFuller — Tue, 08 Sep 2020 21:17:31 GMT

I'm not sure if this applies in your case, but I saw something similar when a user had two client certificates which matched the certificate profile. We solved it by deleting one of the unneeded certificates.

Re: Global Protect Pre-Logon followed by SAML SSO

MP18 — Wed, 16 Sep 2020 04:55:04 GMT

@Namalw

I have seen this similar behaviour in our setup.

We also have GP pre logon with machine cert and then SAML Azure authentication.

That cert pop message is for the certificate to sign SAML messages to IDP and we select that in Authentication profile.

Regards

Re: Global Protect Pre-Logon followed by SAML SSO

Namalw — Wed, 16 Sep 2020 05:02:18 GMT

@MP18 Is there any workaround to fix it? This is not convenient for users

Re: Global Protect Pre-Logon followed by SAML SSO

MP18 — Fri, 18 Sep 2020 02:15:21 GMT

@Namalw

Do you have more than 1 certs issued by your Intermediate Certs.?

either way you need to have SSL/TLS profile cert trusted by either your Internal PKI or external certificate authority.

It needs same CA cert signed by the above one which your PC also trusts.

Regards

Re: Global Protect Pre-Logon followed by SAML SSO

rajjair — Thu, 24 Dec 2020 17:34:37 GMT

To stop the client certificate pop-up you need to make sure the VPN url is either in your local intranet zone or in your trusted sites with IE Options configured "don't prompt for client certificate selection when no certificates or only one certificate exists " which needs to be set to enable

For Chrome and Edge the policy AutoSelectCertificateForUrls

Microsoft Edge Browser Policy Documentation | Microsoft Docs

Chrome Enterprise Policy List & Management | Documentation (google.com)

Re: Global Protect Pre-Logon followed by SAML SSO

MP18 — Mon, 04 Jan 2021 22:12:25 GMT

@Namalw

Also you can push this registry setting with GP agent then cert pop up will not occur.

Check this link

Certificate Selection by OID (paloaltonetworks.com)

Regards

Re: Global Protect Pre-Logon followed by SAML SSO

BryanWillsMOL — Wed, 19 Jan 2022 15:35:51 GMT

Did you ever resolve this? Have messed around with different certificates but still getting the scenario you described. If you did solve it, any pointers would be useful.

Re: Global Protect Pre-Logon followed by SAML SSO

chmotley — Thu, 04 Apr 2024 16:25:16 GMT

One additional thing to add here is a clarifying question and some details about how to work around one of the scenarios:

-Are you looking to use user certificates in any way/shape form?

If not, one thing that's been suggested to use separate intermediate CAs for issuing user and machine certificates. When configuring the certificate profile, only configure the intermediate CA that signed the machine certificates and then the user certs won't match and therefore will keep the prompts suppressed. Testing currently in progress for this. Will report back