This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Cached credential issue when using SAML with Global Protect Client and MS Azure

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Cached credential issue when using SAML with Global Protect Client and MS Azure

ddockter
L1 Bithead

‎10-26-2021 09:31 AM

We are using SAML with Global Protect Client and MS Azure and it works well for us, with one caveat.  We have a consultant who uses the Global Protect client to establish a VPN connection to their network.  When I have them attempt to use the Global Protect client to establish a VPN connection into our network (using an O365 account on our tenant), it is using the O365 account for his company (no prompt for credentials).  How do I get Global Protect to prompt for a different set of O365 credentials?  It seems the credentials are being cached somehow.  I've had them clear their browser cookies, but that didn't help.

1 person had this problem.
10 REPLIES 10

dwlord
L1 Bithead

‎10-26-2021 12:39 PM

Came here with the same/similar problem.  Using default browser authentication.  User johndoe@xyz.com  tries to login with credentials for our environment jdoe@contoso.com.  We have seen it prompt for credentials and authenticate properly for jdoe@contoso.com but the browser wants to pass through johndoe@xyz.com so it fails.  This seems to only affect contractors that are on a different domain.  Would love to be able to have globalprotect launch a "private" version of the default browser to limit this for certain users.

0 Likes Likes

ddockter
L1 Bithead

‎10-26-2021 12:43 PM

Exactly my issue as you described.  I'm really hoping someone has come up with a fix.  I did find the below but have not had a chance to test it yet to see if it will resolve this issue.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP33CAG

0 Likes Likes

dwlord
L1 Bithead
In response to ddockter

‎10-26-2021 12:51 PM

The contractor I was just working with was tech savvy enough to be able to switch default over to Chrome from Edge and that worked but I expect there will be other contractors that won't be able to do that.

 

One troubleshooting idea I had was to have them login to portal.office.com first with the alternate domain credentials first to see if the browser then did a better job of being choosier on which one it passed over.  I am going to try to create a lab environment for this issue to see if that helps.

 

I saw that KB but it didn't look like it would help but maybe I am wrong.

0 Likes Likes

dwlord
L1 Bithead
In response to dwlord

‎10-26-2021 02:29 PM

Okay, so I got a lab up and was able to reproduce it as if I were a contractor. The error message I get when logged in as user johndoe@xyz.com to local computer of domain xyz.com and trying to VPN as jdoe@contoso.com is:

 

Sorry, but we're having trouble signing you in.

AADSTS50105: The signed in user 'johndoe@xyz.com' is not assigned to a role for the application...

 

By logging into office.com with user jdoe@contoso.com, it passed through that credential and worked. Not ideal, but directing a user to login to office.com before connecting vpn isn't the worst workaround I have ever recommended...

0 Likes Likes

ddockter
L1 Bithead

‎10-27-2021 09:27 AM

We made the firewall change in this link and now get the O365 logon prompted on each connection attempt which is what we wanted.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP33CAG

(1)

dwlord
L1 Bithead
In response to ddockter

‎10-28-2021 07:13 AM

Glad it is working better for you!  Unfortunately, it doesn't seem to be helping us after I made the change here.  If the contractor is actively logged into office.com as domain xyz.com it will not prompt for alternate contoso.com user.

0 Likes Likes

HenryA
L0 Member
In response to dwlord

‎04-25-2022 09:30 AM

We have the same issue. Any solution to that?

jeremyw
L2 Linker

‎05-04-2022 07:47 PM

I also have the same issue, even after modifying the single sign out URL as suggested.

I believe the contractor is signing into the device with a Microsoft account, and the GlobalProtect SAML process gives no option to choose a different account.

0 Likes Likes

johnwilliams
L0 Member

‎01-11-2023 10:03 AM

Is there an update or resolution to this? We have several contractors that have not been able to use our VPN due to this issue. Currently running GP agent 5.2.10, and software 10.1.7 on the firewall. 

 

0 Likes Likes

jeremyw
L2 Linker
In response to johnwilliams

‎01-11-2023 12:55 PM

Check if the end user is using any other software which has been logged in using SAML authentication.

Also try changing the 'Use Default Browser for SAML Authentication' setting. Make sure you are on the latest GlobalProtect client version as well, as this setting did not apply correctly on some versions.

0 Likes Likes
  • 11362 Views
  • 10 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks