Cannot Access Global Protect Portal

H.Thiam — Tue, 09 Dec 2025 20:31:29 GMT

Good Morning ,

I am currently working on implementing Global Protect with Duo SSO integration for user authentication . Although all the following configuration elements appear to be in place I am getting the following error message when attempting to access the portal . Can you please advise what may be going wrong her e?

Thank you in advance

Re: Cannot Access Global Protect Portal

S.Cantwell — Wed, 17 Dec 2025 20:27:21 GMT

Most common confirmed causes for this exact behavior

1. Assertion Consumer Service (ACS) URL mismatch

This is the #1 cause of this error with GlobalProtect + Duo.

Facts:

Duo SSO strictly validates the ACS URL in the SAML request
GlobalProtect portal and gateway have different ACS URLs
If the ACS URL configured in Duo does not exactly match what PAN-OS sends, Duo rejects the request

For GlobalProtect Portal, the ACS URL must be:

This must match character-for-character in:

Duo SSO Application → Service Provider → ACS URL
PAN-OS Authentication Profile → SAML Identity Provider

Palo Alto explicitly documents that any mismatch causes authentication failure before assertion is issued.

2. Entity ID (Issuer) mismatch

Duo validates the SAML Issuer / Entity ID.

For GlobalProtect:

The Entity ID is defined in PAN-OS under the SAML IdP profile
Duo must be configured with the exact same value

If the Entity ID differs (even by trailing slash), Duo will show this error page.

This is confirmed in Duo SSO SAML troubleshooting documentation.

3. Incorrect certificate used for SAML signing

Confirmed behavior:

GlobalProtect signs SAML requests
Duo requires the signing certificate uploaded in the Duo SSO app
If PAN-OS uses a different certificate than the one Duo has, the request is rejected

Common mistake:

Admin uploads the portal SSL certificate instead of the SAML signing certificate
Or rotates the cert on PAN-OS but does not update Duo

Palo Alto documentation explicitly states the SAML signing certificate must match the IdP configuration.

4. Username / NameID format mismatch

Duo SSO requires:

A valid NameID
In a format it expects (usually emailAddress or unspecified)

If PAN-OS sends:

DOMAIN\username
while Duo expects user@domain

Duo will fail the transaction and display this page.

Duo documents this exact failure mode for SAML apps.

Re: Cannot Access Global Protect Portal

H.Thiam — Wed, 17 Dec 2025 21:22:25 GMT

This is now resolved . Redeploying the Global Protect App in Duo application appears to have done the trick. Thank you

topic Re: Cannot Access Global Protect Portal in Next-Generation Firewall Discussions

Cannot Access Global Protect Portal

Re: Cannot Access Global Protect Portal

Most common confirmed causes for this exact behavior

1. Assertion Consumer Service (ACS) URL mismatch

2. Entity ID (Issuer) mismatch

3. Incorrect certificate used for SAML signing

4. Username / NameID format mismatch

Re: Cannot Access Global Protect Portal