topic Re: Authentication Issue with Authentic ID and GlobalProtect Integration in GlobalProtect Discussions

Authentication Issue with Authentic ID and GlobalProtect Integration

hamza_d — Tue, 06 Aug 2024 15:20:19 GMT

Hello,

I have integrated Authentic ID with GlobalProtect as the Identity Provider (IDP), but the username and password fields are not appearing for authentication. Have you encountered a similar issue, or do you have any suggestions on how to resolve it?

Thanks in advance.

Re: Authentication Issue with Authentic ID and GlobalProtect Integration

aleksandar.astardzhiev — Tue, 06 Aug 2024 19:25:33 GMT

Hi @hamza_d ,

What version of GlobalProtect are you using?

When using SAML authentication, the username and password login form is provided by the IdP. The GlobalProtect just act as simple web browser that visualize the content provided by the IdP.

As described here GlobalProtect embedded browser was recently upgraded to use newer framework - https://docs.paloaltonetworks.com/globalprotect/6-2/globalprotect-app-release-notes/features-introduced-in-gp-app

I am wondering if the IdP is having issues with the framework used by the GlobalProtect.

As workaround you may try to switch to "default browser". This will tell GlobalProtect to use the web browser that is set as default for the OS.

Re: Authentication Issue with Authentic ID and GlobalProtect Integration

hamza_d — Wed, 07 Aug 2024 13:30:10 GMT

Hello @aleksandar.astardzhiev ,

What version of GlobalProtect are you using?

-->6.1.1-5

Re: Authentication Issue with Authentic ID and GlobalProtect Integration

hamza_d — Wed, 07 Aug 2024 15:30:27 GMT

Hi @aleksandar.astardzhiev ,

After restarting the GlobalProtect service on my Windows machine, GlobalProtect started redirecting to the default browser for authentication via IDP. However, I am now experiencing authentication failures, even though the IDP logs show successful authentication.

Thanks.

Re: Authentication Issue with Authentic ID and GlobalProtect Integration

aleksandar.astardzhiev — Fri, 09 Aug 2024 15:39:47 GMT

Hi @hamza_d ,

Remember that under the hood GlobalProtect is performing two authentication - first authenticate and connect to GP Portal then authenticate annd connect to GP Gateway. By default GP client will try to reuse the credentials you use for portal to authenticate you to the gateway. With SAML this is not possible.

Try search through the form there should be multiple similar questions, explaining that workaround would be to set GP Portal to create authentication cookie, valid for 1mins and set GP Gateway to accept authentication cookie. This way when user is connecting with GP client, he will be authenticated with SAML against the portal. Portal will give the client cookie, which it will use to authenticate to GP Gateway.

You should still keep the SAML authentication on the portal, in case GP client skip portal connection (when using the last known good cached config)