06-09-2023 12:09 PM
Hello -
We've set up a GlobalProtect portal and gateway to connect third-party individuals to our VPN. We've configured it to use SAML for authentication, leveraging an Azure Active Directory Enterprise Application that we have configured per the Microsoft guide (https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-globalprotect-...). The third-party user is expected to connect to our VPN portal, be redirected to the SAML logon page, and then utilize our company credentials to log onto our VPN.
The issue that we are running into is that these third-party users have their own AAD tenants and the logon prompt is attempting to use their tenant's logon information. Instead of prompting the user to enter their @Company.com account and password, it is automatically attempting to log in using their @vendor.com account.
For web-based applications, we usually avoid this problem by opening up an incognito window and going through the logon process. However, GlobalProtect controls the browser pop-up and is using the default browser in non-incognito mode.
How can we either (a) get GlobalProtect to open the logon prompt using an incognito window or (b) prevent the SAML authentication prompt from automatically using the @vendor.com account?
We have been using the workaround of having the vendor log out of their M365 on everything on their device, but this has been causing other issues and is not a viable workaround long-term.
Adding the @vendor.com accounts as guests to our AAD tenant is not a viable process as these users may only need one-time access during a firefighter scenario, and adding the guest and then propagating groups will be too complicated. Likewise, whatever authentication mechanism we use must continue to support MFA via AAD.
06-12-2023 12:49 AM
Did you explicitly configure GP to launch the default browser? Try using the embedded one instead. In all my deployments, my users are being asked which of their accounts they want to use (Azure as IdP); I use the embedded browser.
06-12-2023 09:07 AM
Thank you Sir, do you have instructions or can point me to instructions on how to do this? "Did you explicitly configure GP to launch the default browser?"
06-12-2023 09:27 AM
The configuration is within the Portal Agent section.
06-12-2023 09:31 AM - edited 06-12-2023 09:34 AM
Mine is set to "No".
PAN-OS 10.1.9-h3
GlobalProtect App Version 6.0.5-30