06-23-2022 10:52 AM - edited 06-23-2022 12:05 PM
Has anyone used the Cloud Identity Engine for authentication for an on-prem Global Protect portal/gateway?
I'm experimenting with the CIE. It works great for admin login to the GUI, but I'm trying to set it up as an auth source for GP. It is working just fine on the portal for web browser auth (i.e. to download the agent), but I'm getting authentication failures when I try to log in w/ the agent itself. The browser will open, and redirect to Okta. However, after redirecting back to the firewall, I get a message saying "Authentication failed. Please click the button below to relaunch authentication." The retry button takes me back through a similar flow, and then I ultimately get a message that says "Authentication Failed. Please contact the administrator for further assistance. Error code: 0."
07-11-2022 10:34 AM
Hi OwenFuller,
Did you solve this problem?
Because I got the same alarm "Authentication Failed. Please contact the administrator for further assistance. Error code: 0."
We use GP and Google IdP.
07-21-2022 01:26 PM - edited 07-21-2022 01:29 PM
I'm also getting this error with Azure, even though the connection is successful. When connecting with GP to our firewall, the first browser window pops up with Azure MFA. I log in, then another browser pops up and displays the "Authentication Failed: please contact the administrator" message (at the URL https://[my-firewall]/SAML20/SP/ACS).
Clicking "Login Retry" causes it to open another browser window with the message "When you see the dialog on the browser, click Open GlobalProtect. If the dialog does not appear, click here to launch GlobalProtect." Then when I click that link to launch it, it successfully connects.
On the firewall itself, there are no error logs and the Cloud Identity Engine logs all say Successful.
PAN-OS: 10.1.5-h2
GlobalProtect Agent: 6.0.1
07-22-2022 12:41 PM
I still have an active TAC case open. More troubleshooting on Monday.
07-27-2022 07:51 AM
Did you find a solution with TAC? Having the same identical issue...
07-27-2022 10:32 AM
Case still open. Last troubleshooting session was yesterday. Not much progress though, in my opinion.
07-28-2022 09:51 AM
I've made some tests in my lab; it looks like it's actually working on PAN-OS 10.2.2-h1 and not on 10.1.6...
07-29-2022 08:10 AM
Well that's good to know. Unfortunate, but good to know. I'll pass this along to TAC.
08-30-2022 12:29 AM
Any update on this? We're getting the same issue.
09-06-2022 04:06 PM
I was struggling to get this working both on-prem and with Prisma Access and was getting the same error message. Turns out you have to enable Use Default Browser for SAML in the App settings on the GP portal. Started working properly for me after that.
09-07-2022 07:11 AM
09-05-2024 02:02 PM
Owen, were you finally able to make this work? We have the same issue.