Globalprotect clientless portal link persistence using SAML through cloud identity engine.

alexkalish — Sat, 25 Jun 2022 00:59:53 GMT

Hello,

Just wondering if someone can shed some light on link persistence when redirecting through Palo Alto cloud identity engine.

In our previous config which was Local user authentication based, an automatically generated link which would open a response page on a server within our AWS VPC could be clicked and it would take us to the local GP portal login page. Once the user authenticated, it would move on to the originally clicked link.

Original link which worked after authentication > "https://vpn.example.old/https/my.same.server/pause/eyJhbGciOiJFUzI1NiJ9.eyJpZCI6MjUsImVjIjo1LCJpYXQiOjE2NTYxMTQ3OTMsInN1YiI6IjIyMDYwNyIsImF1ZCI6Ii9wYXVzZSIsImV4cCI6MTY1NjcxOTU5Mn0.z0rThjKsfGnMbeJAtzLTAaHEdMRJtFzb2A0tKB35K40i5Midiv-lvqod-rpefC6oMDNiK6z6H-bqdpHYgwyG5w"

The new link (which is a new VM series firewall with a different address and utilizing cloud identity engine) >"https://vpn.example.new/https/my.same.server/pause/eyJhbGciOiJFUzI1NiJ9.eyJpZCI6MjUsImVjIjo1LCJpYXQiOjE2NTYxMTQ3OTMsInN1YiI6IjIyMDYwNyIsImF1ZCI6Ii9wYXVzZSIsImV4cCI6MTY1NjcxOTU5Mn0.z0rThjKsfGnMbeJAtzLTAaHEdMRJtFzb2A0tKB35K40i5Midiv-lvqod-rpefC6oMDNiK6z6H-bqdpHYgwyG5w"

The new link would redirect to cloud identity engine then Microsoft login page. After the user logs in, it goes straight to the Home page of global protect portal rather than the desired link. With local identification, after user authenticates it would go to the desired page.

Once authenticated the user can click on the same link again and it would work then.

topic Globalprotect clientless portal link persistence using SAML through cloud identity engine. in Next-Generation Firewall Discussions

Globalprotect clientless portal link persistence using SAML through cloud identity engine.