topic Re: Unable to sign into GP client with Azure AD SSO in General Topics

Unable to sign into GP client with Azure AD SSO

Ben-Price — Fri, 03 Dec 2021 05:53:22 GMT

Hi All,

Trying to setup Azure AD SSO with Global Protect, but am receiving the below error. According, to the Microsoft documentation it means that the user is not assigned to the application in Azure, but I can confirm that the user is assigned correctly to the application. Is there anything else I can check?

Thanks in advance.

Re: Unable to sign into GP client with Azure AD SSO

Ben-Price — Tue, 07 Dec 2021 23:07:58 GMT

Message from the authd.log

2021-11-30 13:19:35.231 +1100 debug: _log_saml_respone(pan_auth_server.c:348): Sent PAN_AUTH_FAILURE SAML response:(authd_id: 6998778942614154583) (SAML err code "2" means SSO failed) (return username 'Test.User@company.com') (auth profile 'Azure-AD-SAML') (reply msg 'SAML single-sign-on failed') (NameID 'Test.User@company.com') (SessionIndex '_a4abc986-aa3c-4717-923c-39a4e7717d00') (Single Logout enabled? 'No')

Re: Unable to sign into GP client with Azure AD SSO

Ben-Price — Tue, 07 Dec 2021 23:08:48 GMT

@BPry @reaper Any ideas here?

Re: Unable to sign into GP client with Azure AD SSO

BPry — Wed, 08 Dec 2021 01:14:44 GMT

@Ben-Price,

From what you've posted, this isn't really a firewall issue. Something within your SSO configuration on the Microsoft side of things isn't configured/working properly. Off hand, the first thing that I would ask is just verifying that you aren't trying to use a nested group. Outside of that I would just open a support case with Microsoft since the error is on that side of things.

Re: Unable to sign into GP client with Azure AD SSO

Ben-Price — Wed, 08 Dec 2021 03:45:08 GMT

@BPry Thanks for the feedback. They have tested with a user in a group and a user directly assigned to the app. I have asked them to check Microsoft.