https://live.paloaltonetworks.com/t5/general-topics/globalprotect-and-multiple-aad-tenants/m-p/545641#M111566 <P>Mine is set to "No".</P> <P>PAN-OS&nbsp;10.1.9-h3</P> <P>GlobalProtect App Version 6.0.5-30</P> Mon, 12 Jun 2023 16:34:50 GMT RobertShawver 2023-06-12T16:34:50Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-and-multiple-aad-tenants/m-p/545508#M111551 <P><SPAN>Hello -</SPAN></P> <P>&nbsp;</P> <P><SPAN>We've set up a GlobalProtect portal and gateway to connect third-party individuals to our VPN. We've configured it to use SAML for authentication, leveraging an Azure Active Directory Enterprise Application that we have configured per the Microsoft guide (</SPAN><A href="https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-globalprotect-tutorial" target="_blank" rel="noopener">https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-globalprotect-tutorial</A><SPAN>). The third-party user is expected to connect to our VPN portal, be redirected to the SAML logon page, and then utilize our company credentials to log onto our VPN.</SPAN><BR /><BR /><SPAN>The issue that we are running into is that these third-party users have their own AAD tenants and the logon prompt is attempting to use their tenant's logon information. Instead of prompting the user to enter their <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/296506">@Company</a>.com</SPAN><SPAN>&nbsp;account and password, it is automatically attempting to log in using their @</SPAN><A href="https://vendor.com/" target="_blank" rel="noopener">vendor.com</A><SPAN>&nbsp;account.</SPAN><BR /><BR /><SPAN>For web-based applications, we usually avoid this problem by opening up an incognito window and going through the logon process. However, GlobalProtect controls the browser pop-up and is using the default browser in non-incognito mode.</SPAN><BR /><BR /><SPAN>How can we either (a) get GlobalProtect to open the logon prompt using an incognito window or (b) prevent the SAML authentication prompt from automatically using the @</SPAN><A href="https://vendor.com/" target="_blank" rel="noopener">vendor.com</A><SPAN>&nbsp;account?</SPAN><BR /><BR /><SPAN>We have been using the workaround of having the vendor logout of their M365 on everything on their device, but this has been causing other issues and is not a viable workaround long-term.</SPAN><BR /><BR /><SPAN>Adding the @</SPAN><A href="https://vendor.com/" target="_blank" rel="noopener">vendor.com</A><SPAN>&nbsp;accounts as guests to our AAD tenant is not a viable process as these user's may only need one time access during a firefighter scenario, and adding the guest and then propagating groups will be too complicated. Likewise, whatever authentication mechanism we use must continue to support MFA via AAD.</SPAN></P> Fri, 09 Jun 2023 19:09:37 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-and-multiple-aad-tenants/m-p/545508#M111551 RobertShawver 2023-06-09T19:09:37Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-and-multiple-aad-tenants/m-p/545604#M111558 <P>Did you explicitly configure GP to launch the default browser? Try using the embedded one instead. In all my deployments, my users are being asked which of their accounts they want to use (Azure as IdP), I use the embedded browser&nbsp;</P> Mon, 12 Jun 2023 07:49:25 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-and-multiple-aad-tenants/m-p/545604#M111558 reaper 2023-06-12T07:49:25Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-and-multiple-aad-tenants/m-p/545638#M111564 <P>Thank you Sir, do you have instructions or can point me to instructions on how to do this? "<SPAN>Did you explicitly configure GP to launch the default browser?"</SPAN></P> Mon, 12 Jun 2023 16:07:57 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-and-multiple-aad-tenants/m-p/545638#M111564 RobertShawver 2023-06-12T16:07:57Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-and-multiple-aad-tenants/m-p/545640#M111565 <P>The configuration is within the Portal Agent section.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SteveCantwell_0-1686587211344.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50831i473ABFE6691204A8/image-size/medium?v=v2&amp;px=400" role="button" title="SteveCantwell_0-1686587211344.png" alt="SteveCantwell_0-1686587211344.png" /></span></P> <P>&nbsp;</P> Mon, 12 Jun 2023 16:27:00 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-and-multiple-aad-tenants/m-p/545640#M111565 S.Cantwell 2023-06-12T16:27:00Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-and-multiple-aad-tenants/m-p/545641#M111566 <P>Mine is set to "No".</P> <P>PAN-OS&nbsp;10.1.9-h3</P> <P>GlobalProtect App Version 6.0.5-30</P> Mon, 12 Jun 2023 16:34:50 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-and-multiple-aad-tenants/m-p/545641#M111566 RobertShawver 2023-06-12T16:34:50Z