globalprotect authentication issues using SAML on MacOS

L0 Member

Looking for GP authentication troubleshooting tips, or to hear if anyone else is experiencing authentication issues using SAML on GlobalProtect (affects every single agent version newer than 4.1.1). Our issue seems to only affect macOS users, but my shop is 99% Mac users; the Windows users rarely connect to the VPN and never complain.

 

We upgraded to PAN-OS 8.1.5 earlier this month; this issue existed prior to, and after, the upgrade. We are using SAML with Okta, and the portal config offers Okta to a user on any OS other than Linux (Linux users are using LDAP auth, which works nicely).

 

Issue:

A fresh install of the GP agent: the user logs in via SSO, connects, and everything works as expected all day. The next day the user logs on to start work and can't log in. The issue seems to be authentication cookie related: the user will sign in via the expected SSO sign-in portal (Okta in this case), then the agent reports "Connecting..." forever. The system logs on the NGFW report an expired cookie and then authentication success, but the agent never connects. The PanGPA.log is particularly unhelpful; there is no single error (that I have been able to identify so far) that shows up on devices experiencing this issue. The agent just keeps trying to connect over and over, periodically displaying a non-SSO login prompt (i.e. a login prompt the thing is not even configured to display to a macOS user).

 

The errors in the system log indicate an expired cookie, and the timeframe around this issue coincides with the 24-hour setting we have for cookie authentication override. So I have experimented with disabling auth cookie overrides in both the portal and the gateway. This has resulted in the agent reporting authentication failures, "portal cannot be found" or "invalid portal" type errors on the agent.

L7 Applicator

Re: globalprotect authentication issues using SAML on MacOS

@hcannon-do,

What is the firewall giving for the failure reason in show log system eventid equal globalprotectportal-auth-fail and show log system eventid equal globalprotectgateway-auth-fail?
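An added example (not from the thread, and not Palo Alto Networks' code) of what to do with the output of those two filtered queries: tabulate the failure reasons per event ID, and for every cookie-related failure compute how old the user's last successful authentication was, so a cluster of failures sitting right at the configured cookie lifetime (24 hours in the original post) stands out. The log lines below are constructed and use a simplified "timestamp,eventid,user,description" layout, not the exact PAN-OS System log format; map the real export into those four fields first. The two failure event IDs are the ones named in the reply; the "-auth-succ" success event names are an assumption.

```python
"""Correlate GlobalProtect auth failures with the auth-cookie lifetime.

Added example, not code from the thread or from Palo Alto Networks.
Log layout is a constructed CSV: timestamp,eventid,user,description.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Failure event IDs as named in the reply; success IDs are an assumption.
AUTH_FAIL_EVENTS = {"globalprotectportal-auth-fail", "globalprotectgateway-auth-fail"}
AUTH_SUCC_SUFFIX = "-auth-succ"  # assumed naming, verify against your own logs

# Constructed sample: jdoe's cookie is ~24 h old at the first failure,
# re-authenticates via SAML, then the gateway rejects the cookie again;
# asmith is an unrelated LDAP credential failure.
SAMPLE_LOG = """\
2019-02-04 08:02:11,globalprotectportal-auth-succ,jdoe,SAML authentication succeeded for user jdoe
2019-02-04 08:02:13,globalprotectgateway-auth-succ,jdoe,cookie authentication succeeded for user jdoe
2019-02-05 08:05:40,globalprotectgateway-auth-fail,jdoe,authentication cookie expired for user jdoe
2019-02-05 08:05:52,globalprotectportal-auth-succ,jdoe,SAML authentication succeeded for user jdoe
2019-02-05 08:06:01,globalprotectgateway-auth-fail,jdoe,authentication cookie expired for user jdoe
2019-02-05 08:10:00,globalprotectportal-auth-fail,asmith,LDAP authentication failed: invalid credentials
"""


def parse_events(text):
    """Parse the constructed CSV layout into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, eventid, user, desc = line.split(",", 3)  # description may hold commas
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "eventid": eventid,
            "user": user,
            "desc": desc,
        })
    events.sort(key=lambda e: e["time"])
    return events


def failure_reasons(events):
    """Per failure event ID, count each distinct failure description."""
    reasons = defaultdict(Counter)
    for e in events:
        if e["eventid"] in AUTH_FAIL_EVENTS:
            reasons[e["eventid"]][e["desc"]] += 1
    return dict(reasons)


def cookie_age_at_failure(events, lifetime_hours=24.0, tolerance_hours=1.0):
    """For each cookie-related failure, return (user, hours since that
    user's last success or None, flagged) where flagged means the age is
    within tolerance_hours of the configured cookie lifetime."""
    last_success = {}
    findings = []
    for e in events:
        if e["eventid"].endswith(AUTH_SUCC_SUFFIX):
            last_success[e["user"]] = e["time"]
        elif e["eventid"] in AUTH_FAIL_EVENTS and "cookie" in e["desc"].lower():
            prev = last_success.get(e["user"])
            age = (e["time"] - prev).total_seconds() / 3600 if prev else None
            flagged = age is not None and abs(age - lifetime_hours) <= tolerance_hours
            findings.append((e["user"], age, flagged))
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for eventid, counter in failure_reasons(evs).items():
        for desc, n in counter.most_common():
            print(f"{eventid}: {n}x {desc}")
    for user, age, flagged in cookie_age_at_failure(evs):
        tag = "AT COOKIE LIFETIME" if flagged else ""
        print(f"{user}: cookie failure {age:.2f} h after last success {tag}".rstrip())
```

The second jdoe failure is not flagged even though it is the same symptom, because the SAML re-authentication seconds earlier resets the "last success" clock; that is exactly the "expired cookie, then authentication success, agent still never connects" sequence the original post describes, so read the raw findings list as well as the flagged ones.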
