topic Re: Global Protect Google SAML Authentication Failure in GlobalProtect Discussions

Global Protect Google SAML Authentication Failure

BenjaminRaimondi — Wed, 17 Jul 2024 13:49:17 GMT

Hello Community,

We have been working on changing out our local LDAP authentication to google SAML for our globalprotect login on both our gateway and portal. Authentication for the gateway works as intended but the portal auth refuses to complete. A successful handshake between google and the paloalto is made via the certificate and I can login with any user, but the portal connection fails to complete and a google 403 error (app_not_configured_for_user) appears (attached a screenshot for reference). The service has already been turned on within the google SAML app webpage for all users.

The encoded SAML request and response all match up. ACS and Entity IDs match with no deviations (ie no misplaced uppercase letters).

If it's any hint, the Test SAML Login option within the Google Admin SAML app page brings me to PaloAltos login page and allows me to use my proper google account, however I am greeted with a Paloalto page that says Authentication Failed (attached screenshot for splash page).

TAC said everything looks fine on the firewall side of things. Google support has been contacted but so far they haven't been very useful.

Has anyone else experienced this issue? Any advice would be greatly appreciated.

Re: Global Protect Google SAML Authentication Failure

socteamperu — Thu, 25 Jul 2024 03:12:57 GMT

Hello, We have the same problem. Plase, i would appreciate it if could comment on whether managed to resolve the case.

Re: Global Protect Google SAML Authentication Failure

BenjaminRaimondi — Thu, 25 Jul 2024 12:58:27 GMT

Hello Socteamperu,

According to TAC my issue is on the google side of things. I am still working with Google to get this issue resolved. I will return the results when able.

Re: Global Protect Google SAML Authentication Failure

BenjaminRaimondi — Thu, 01 Aug 2024 18:15:57 GMT

Okay, after spending a lot of time between Google and PaloAlto I was finally able to resolve my issue. The problem I was running into was unique and may not be what you were experiencing.

3 factors in tandem created this error. First off, the GP client 6.2.2 does NOT work with SAML authentication through google. Upgrading to 6.2.3 helped resolve my issues. Secondly, I had to create a 2nd certificate for SAML IDP and reconfigure the Authentication profile with the new cert after marking it as it's own CA. Finally, some of my commits had failed and I hadn't known until searching through the logs via CLI. After restarting the firewall's manage service I was able to clear changes stuck in limbo and reapply some of the changes I made.

Again, my issue was pretty unique but I hope this helps you.