topic Re: GP -> SAML -> EntraID Windows users vs Mac user experience issues in Panorama Discussions

GP -> SAML -> EntraID Windows users vs Mac user experience issues

plupini — Fri, 10 May 2024 14:23:07 GMT

Got a weird one and I'm on Mac so short of pestering my colleagues reaching out to the greater community while I wait on support to attempt to triage.

GP client 6.2.3 - PAN 11.1.2

GP setup;

using default browser to support our yubikey users
using auth override cookies
- portal creates
- gateway accepts

Problem comes with a super annoying user experience issue on windows and end-users hate it.

Windows client: two tabs open in their browser when connecting. One says auth completed (yay) the other says auth failed (boo) - however users are connected fine. In the firewall monitor tab i see two outlier messages compared to our Mac users. An saml-out-of-band log and two logs that reflect the double browser. An auth success (fine great) and an auth failure with an empty username ( '').

Mac just works w/o issue. No dual tabs and neither of the two logs mentioned.

Anyone seen or experienced this? Were you able to resolve this?

Re: GP -> SAML -> EntraID Windows users vs Mac user experience issues

TomYoung — Tue, 14 May 2024 12:25:18 GMT

Hi @plupini ,

One thing that is different about Entra SAML is that it already uses authentication cookies. So, you do not need to configure Authentication Override on the NGFWs in order to avoid 2 MFA prompts like many other MFA configurations. I would clear all of those check boxes on the portal and gateway and see what the behavior looks like.

On a similar note, the default cookie lifetime for Entra is 90 days. I logged in once when we 1st set it up, and I didn't have to log in for days! We later changed the lifetime for the Entra GP MFA app to 1 hour.

Thanks,

Tom

Re: GP -> SAML -> EntraID Windows users vs Mac user experience issues

plupini — Tue, 14 May 2024 13:02:14 GMT

I'd be happy to try this change but what's odd is doesn't really explain why the experience changes simply from moving from embedded browser to the user's default browser. The embedded browser does not display this same behavior - neither in the logs or visibly to the end user.

It's also impacting Windows machines solely. Mac users have no issues with default browser.

I'm doing this in an enterprise environment without much of a testing gateway to pound on (although maybe I can get support to).

I'm likely going to be forced to roll back to embedded browser until support can confirm or deny this is a bug or something wrong with the configuration.

Prior to switching to SAML we were using LDAP+Radius for auth+mfa. Overrides were needed for Yubikeys so admittedly some carryover but I'm going off a knowledge based article (will dig up and link once i find it again)

Re: GP -> SAML -> EntraID Windows users vs Mac user experience issues

plupini — Tue, 14 May 2024 13:09:30 GMT

Step 2 : https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-released-in-gp-app/default-browser-for-saml-authentication

In order for the default system browser for SAML authentication to not open multiple tabs for each connection, we recommend that you configure an authentication override. For more information, see Cookie Authentication on the Portal or Gateway.

When in fact it does not seem to make difference on Windows. I'm wondering if a GP bug? Still dealing with tier1 support triaging questions sadly

Re: GP -> SAML -> EntraID Windows users vs Mac user experience issues

TomYoung — Tue, 14 May 2024 13:33:42 GMT

Hi @plupini ,

I currently use Entra SAML for GP. I do not have Authentication Override configured. I do not get 2 login prompts. I understand that for most MFA configurations you should configure Authentication Override in order to not get prompted twice. As I mentioned, because Entra SAML uses its own authentication cookies, configuring Authentication Override is not needed.

You didn't mention before that the embedded browser does not have the issue. Like you, I have seen issues with the default browser and GP. I would definitely switch to the embedded browser. I have also seen the browser issues go away with a GP upgrade.

The current recommended version of GP for 6.2 is 6.2.2. https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-p/258304 It's generally best to stay with the recommended versions. In this case, a downgrade may possibly help.

Thanks,

Tom

Re: GP -> SAML -> EntraID Windows users vs Mac user experience issues

plupini — Tue, 14 May 2024 13:47:32 GMT

Apologies for that missing bit of information!

We enabled default browser to support Yubikey as it seems the GP embedded is not compatible.

Appreciate the suggestions!

Re: GP -> SAML -> EntraID Windows users vs Mac user experience issues

TomYoung — Tue, 14 May 2024 16:17:25 GMT

Hi @plupini ,

Thank you! It is just a suggestion. Maybe it will help. It really does seem like a default browser issue as you say.

Thanks,

Tom