https://live.paloaltonetworks.com/t5/globalprotect-discussions/pa-global-protect/m-p/1244096#M7189 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1175515515">@V.Tolstorozhikh</a>&nbsp;,</P> <P>&nbsp;</P> <P data-start="137" data-end="390">This sounds less like a GP settings misconfiguration and more like a SAML configuration issue to me. That said, I’d still start by verifying that the new portal is referencing the correct SAML IdP Server Profile tied to the new Azure app you configured.</P> <P data-start="137" data-end="390">&nbsp;</P> <P data-start="392" data-end="625">When you mention seeing successful connection attempts, I’m assuming that’s based on the system logs. If so, is the GlobalProtect client actually getting stuck after the login redirect without presenting an explicit error or failure?</P> <P data-start="392" data-end="625">&nbsp;</P> <P data-start="627" data-end="837">You also mentioned seeing “Authentication Failed” when launching the app from myapps.microsoft.com. In most cases, that behavior points back to the Azure enterprise app itself rather than GlobalProtect.</P> <P data-start="627" data-end="837">&nbsp;</P> <P data-start="839" data-end="1118">From the symptoms, it looks like the client is successfully redirecting to Entra ID for authentication (which would explain the “success” events), but the flow is breaking when Entra attempts to send the SAML response back to the portal, or the portal is rejecting the assertion.</P> <P data-start="839" data-end="1118">&nbsp;</P> <P data-start="839" data-end="1118">In that case, I’d double-check that the ACS&nbsp;and Entity ID&nbsp;configured on the Azure app exactly match what the portal is expecting (including things like :443 if applicable), as even small mismatches there can cause this behavior.</P> <P data-start="839" data-end="1118">&nbsp;</P> <P data-start="839" data-end="1118">As a final sanity check, I’d re-export and re-import the metadata, then open the XML and confirm the EntityID, ACS/Reply URL, and signing certificate all match what the portal expects.</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 18 Dec 2025 01:04:18 GMT JayGolf 2025-12-18T01:04:18Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/pa-global-protect/m-p/1244090#M7188 <P>I have 4 portals and 4 gateways (4 different PA fw/vm ) of a GlobalProtect. PA is integrated with azure (an azure app per each gateway).<BR />I added one more new portal and one more new subnet to the one of the existing gateways, a new dns a-record and a new azure app. <BR />ISSUE: Clients can't connect to this portal, it's getting stuck after connection attempt. There're "success" events on the azure log and PA log. Also, I get "Authentication Failed" error by using azure app from myapps.microsoft.com<BR /><BR /></P> Wed, 17 Dec 2025 22:48:59 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/pa-global-protect/m-p/1244090#M7188 V.Tolstorozhikh 2025-12-17T22:48:59Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/pa-global-protect/m-p/1244096#M7189 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1175515515">@V.Tolstorozhikh</a>&nbsp;,</P> <P>&nbsp;</P> <P data-start="137" data-end="390">This sounds less like a GP settings misconfiguration and more like a SAML configuration issue to me. That said, I’d still start by verifying that the new portal is referencing the correct SAML IdP Server Profile tied to the new Azure app you configured.</P> <P data-start="137" data-end="390">&nbsp;</P> <P data-start="392" data-end="625">When you mention seeing successful connection attempts, I’m assuming that’s based on the system logs. If so, is the GlobalProtect client actually getting stuck after the login redirect without presenting an explicit error or failure?</P> <P data-start="392" data-end="625">&nbsp;</P> <P data-start="627" data-end="837">You also mentioned seeing “Authentication Failed” when launching the app from myapps.microsoft.com. In most cases, that behavior points back to the Azure enterprise app itself rather than GlobalProtect.</P> <P data-start="627" data-end="837">&nbsp;</P> <P data-start="839" data-end="1118">From the symptoms, it looks like the client is successfully redirecting to Entra ID for authentication (which would explain the “success” events), but the flow is breaking when Entra attempts to send the SAML response back to the portal, or the portal is rejecting the assertion.</P> <P data-start="839" data-end="1118">&nbsp;</P> <P data-start="839" data-end="1118">In that case, I’d double-check that the ACS&nbsp;and Entity ID&nbsp;configured on the Azure app exactly match what the portal is expecting (including things like :443 if applicable), as even small mismatches there can cause this behavior.</P> <P data-start="839" data-end="1118">&nbsp;</P> <P data-start="839" data-end="1118">As a final sanity check, I’d re-export and re-import the metadata, then open the XML and confirm the EntityID, ACS/Reply URL, and signing certificate all match what the portal expects.</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 18 Dec 2025 01:04:18 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/pa-global-protect/m-p/1244096#M7189 JayGolf 2025-12-18T01:04:18Z