https://live.paloaltonetworks.com/t5/general-topics/gp-with-saml-authentication-always-redirects-to-idp/m-p/1253353#M126360 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/24977">@Carracido</a>&nbsp;,</P> <P>&nbsp;</P> <P>Yes, I have seen that behavior.&nbsp; Although there are many documents which say that Authentication Override is an effective way to stop double <U>SAML</U> authentication prompts for the portal and the gateway, I have rarely seen it work.&nbsp; I no longer configure&nbsp;Authentication Override with SAML, ... AND I don't need to.&nbsp; As in your case, I can configure the IdP to achieve the same result.</P> <P>&nbsp;</P> <P>The reason, I believe, why it doesn't work is "<SPAN>that the default SAML IDP session cookie, also known as a token, is used for SAML authentication before&nbsp;the GlobalProtect Authentication Override cookies is used."</SPAN></P> <P><SPAN>&nbsp;&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NCxCAM&amp;lang=en_US%E2%80%A9" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NCxCAM&amp;lang=en_US%E2%80%A9</A></SPAN></P> <P>&nbsp;</P> <P>I guess the gateway <EM>has to check</EM> the IdP cookie against the IdP.&nbsp; So, the key is to configure the IdP cookie to achieve the desired results.&nbsp; For example, the default Entra ID cookie lifetime is too long.&nbsp; After logging in once, your users won't have to log in for a while.&nbsp; Most people would prefer more frequent MFA.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> <P>&nbsp;</P> Thu, 30 Apr 2026 17:27:58 GMT TomYoung 2026-04-30T17:27:58Z https://live.paloaltonetworks.com/t5/general-topics/gp-with-saml-authentication-always-redirects-to-idp/m-p/1253343#M126359 <P>Hi community!</P> <P>&nbsp;</P> <P>In our globalprotect configuration, with SAML authentication and cookies in both portal and gateway, we observe that the firewall will redirect to the idp always, regardless of using cookies for authentication. We can see in the GP logs the cookies are being used but in the auth.log we see the redirection from firewall to idp.</P> <P>The only difference is that when cookies are valid, the user is not asked to enter username and password and the authentication happens transparent to the user.</P> <P>&nbsp;</P> <P>In summary:</P> <P><SPAN>(*)How it should work the authentication:</SPAN><BR /><SPAN>-&gt; First login:</SPAN><BR /><SPAN>---&gt; User is redirected to IdP (browser opens) for user authentication</SPAN><BR /><SPAN>---&gt; Cookie is issued</SPAN><BR /><SPAN>-&gt; Subsequent connections:</SPAN><BR /><SPAN>---&gt; GP sends cookie</SPAN><BR /><SPAN>---&gt; Firewall validates/authenticates locally without redirection</SPAN></P> <P>&nbsp;</P> <P><SPAN>(*) what is the behavior in our firewall:</SPAN></P> <P><SPAN>-&gt; First login:<BR />---&gt; User is redirected to IdP (browser opens) for user authentication<BR />---&gt; Cookie is issued</SPAN></P> <P><SPAN>-&gt; Subsequent connections:</SPAN></P> <P><SPAN>--&gt; Firewall redirects to idp<BR />--&gt; IdP auto-authenticates without asking the user for authentication.</SPAN></P> <P>&nbsp;</P> <P>Tried config with Pan-OS <SPAN>11.2.10-h3 and GP 6.3.3-828</SPAN></P> <P>&nbsp;</P> <P>Is anyone having the same behavior?</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 30 Apr 2026 13:42:10 GMT https://live.paloaltonetworks.com/t5/general-topics/gp-with-saml-authentication-always-redirects-to-idp/m-p/1253343#M126359 Carracido 2026-04-30T13:42:10Z https://live.paloaltonetworks.com/t5/general-topics/gp-with-saml-authentication-always-redirects-to-idp/m-p/1253353#M126360 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/24977">@Carracido</a>&nbsp;,</P> <P>&nbsp;</P> <P>Yes, I have seen that behavior.&nbsp; Although there are many documents which say that Authentication Override is an effective way to stop double <U>SAML</U> authentication prompts for the portal and the gateway, I have rarely seen it work.&nbsp; I no longer configure&nbsp;Authentication Override with SAML, ... AND I don't need to.&nbsp; As in your case, I can configure the IdP to achieve the same result.</P> <P>&nbsp;</P> <P>The reason, I believe, why it doesn't work is "<SPAN>that the default SAML IDP session cookie, also known as a token, is used for SAML authentication before&nbsp;the GlobalProtect Authentication Override cookies is used."</SPAN></P> <P><SPAN>&nbsp;&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NCxCAM&amp;lang=en_US%E2%80%A9" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NCxCAM&amp;lang=en_US%E2%80%A9</A></SPAN></P> <P>&nbsp;</P> <P>I guess the gateway <EM>has to check</EM> the IdP cookie against the IdP.&nbsp; So, the key is to configure the IdP cookie to achieve the desired results.&nbsp; For example, the default Entra ID cookie lifetime is too long.&nbsp; After logging in once, your users won't have to log in for a while.&nbsp; Most people would prefer more frequent MFA.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> <P>&nbsp;</P> Thu, 30 Apr 2026 17:27:58 GMT https://live.paloaltonetworks.com/t5/general-topics/gp-with-saml-authentication-always-redirects-to-idp/m-p/1253353#M126360 TomYoung 2026-04-30T17:27:58Z