Cloud Identity Engine for On-Premises Global Protect

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cloud Identity Engine for On-Premises Global Protect

L4 Transporter

Has anyone used the Cloud Identity Engine for authentication for an on-prem Global Protect portal/gateway?

I'm experimenting with the CIE. It works great for admin login to the GUI, but I'm trying to set it up as an auth source for GP. It is working just fine on the portal for web browser auth (i.e. to download the agent), but I'm getting authentication failures when I try to login w/ the agent itself. The browser will open, and redirect to Okta. However, after redirecting back to the firewall, I get a message saying "Authentication failed. Please click the button below to relaunch authentication." The retry button takes me back through a similar flow, and then I ultimately get a message that says "Authentication Failed. Please contact the administrator for further assistance. Error code: 0."


L0 Member

Hi OwenFuller,

Did you solve this problem?

Because I got the same alarm "Authentication Failed. Please contact the administrator for further assistance. Error code: 0."


We use GP and google idp.

L1 Bithead

I'm also getting this error with Azure, even though the connection is successful. When connecting with GP to our firewall, the first browser window that pops up with Azure MFA. I log in, then another browser pops up and displays the "Authentication Failed: please contact the administrator" message (at the URL https://[my-firewall]/SAML20/SP/ACS )

Clicking "Login Retry" causes it to open another browser window with the message "When you see the dialog on the browser, click Open GlobalProtect. If the dialog does not appear, click here to launch GlobalProtect." Then when I click to that link to launch it, it successfully connects.

On the firewall itself, there are no error logs and the Cloud Identity Engine logs all say Successful.


PAN-OS: 10.1.5-h2
GlobalProtect Agent: 6.0.1



I still have an active TAC case open. More troubleshooting on Monday.

Did you find a solution with TAC? Having the same identical issue...

Check out my Palo Alto blog!

Case still open. Last troubleshooting session was yesterday. Not much progress though, in my opinion.

I've made some tests in my lab, it looks like it's actually working on PAN-OS 10.2.2-h1 and not on 10.1.6...

Check out my Palo Alto blog!

Well that's good to know. Unfortunate, but good to know. I'll pass this along to TAC.

L0 Member

Any update on this? We're getting the same issue.

L1 Bithead

I was struggling to get this working both on-prem and with Prisma Access and was getting the same error message. Turns out you have to enable Use Default Browser for SAML in the App settings on the GP portal. Started working properly for me after that.

That's what they told me to do as well, but it's already enabled. Still broken. About to give up on this, and just close my TAC case.
  • 10 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!