topic FIDO2 support for GlobalProtect client in GlobalProtect Discussions

FIDO2 support for GlobalProtect client

Param_Upadhyay — Tue, 18 Jun 2024 19:26:07 GMT

FIDO2 Security cards during Entra ID SAML authentication does not work. The option to select a hardware "security key" during the Entra ID login flow is not shown. Only the built-in/embeded GlobalProtect web browser exhibits this issue.

The feature listing for GlobalProtect 6.2.3 says, "Starting with GlobalProtect 6.2.3, the embedded browser framework for SAML authentication has been upgraded to Microsoft Edge WebView2 (Windows) and WebKit (macOS). This provides a consistent experience between the embedded browser and the GlobalProtect client. WebView2 and WebKit are also compatible with FIDO2-based authentication methods. " https://docs.paloaltonetworks.com/globalprotect/6-2/globalprotect-app-release-notes/features-introduced-in-gp-app

We tried the workaround to use the default OS browser for authentication, but the integration is not very smooth so it won’t be a good solution for us. Even with GlobalProtect 6.2.3 FIDO2 is not shown as an option during login. we see the MSWebVIew2 process running during GlobalProtect SAML login.

Based on

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000g1I9CAI&lang=en_US

article date 2nd Apr 2024, the current PANOS versions do not support the FIDO2 authentication through GlobalProtect. Could someone please confirm this or give us some advise here. Thanks.

#FIDO2

Re: FIDO2 support for GlobalProtect client

Neubauer — Fri, 21 Jun 2024 06:35:04 GMT

Same here. GP 6.2.3 + embedded browser still no FIDO2 option. Default browser works as expected.

Re: FIDO2 support for GlobalProtect client

Param_Upadhyay — Mon, 22 Jul 2024 19:24:40 GMT

Can anyone please check and confirm if there has been a solution for this?

Re: FIDO2 support for GlobalProtect client

carias — Wed, 14 Aug 2024 14:57:52 GMT

We got the security keys to work in the embedded browser with version 6.2.3 under Windows. It's not working for us in MacOS.

Re: FIDO2 support for GlobalProtect client

UtkarshKumar — Mon, 26 Aug 2024 14:35:49 GMT

We are experiencing the same thing for 6.2.4, is there any BUG ID open for this issue?

Re: FIDO2 support for GlobalProtect client

Param_Upadhyay — Mon, 26 Aug 2024 14:36:07 GMT

Did you get FIDO2 working?

Re: FIDO2 support for GlobalProtect client

carias — Mon, 26 Aug 2024 19:50:47 GMT

Yes, FIDO2 (Yubikey). We get the same options for authentication on embedded browser as the system browser. With version 6.2.3 using the system browser we were getting a double window popping up, one that said auth failed and another auth successful. But that was a known issue they fixed in 6.2.4. In any case, we found the experience better with embedded browser so we're using that on 6.2.3. Both versions work with FIDO2 on Windows. We currently have a TSC case ongoing for the Mac FIDO2 support.

Re: FIDO2 support for GlobalProtect client

michael_hess — Thu, 30 Jan 2025 21:55:08 GMT

Has anyone seen this work yet? We have exclusively Mac clients, and our admins now need FIDO2 auth as a requirement for entra ID, which will force it on GP as well. Switching to default os browser is a no go as it would just confuse our users more.