GlobalProtect and multiple AAD tenants

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect and multiple AAD tenants

L4 Transporter

Hello -

 

We've set up a GlobalProtect portal and gateway to connect third-party individuals to our VPN. We've configured it to use SAML for authentication, leveraging an Azure Active Directory Enterprise Application that we have configured per the Microsoft guide (https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-globalprotect-...). The third-party user is expected to connect to our VPN portal, be redirected to the SAML logon page, and then utilize our company credentials to log onto our VPN.

The issue that we are running into is that these third-party users have their own AAD tenants and the logon prompt is attempting to use their tenant's logon information. Instead of prompting the user to enter their @Company.com account and password, it is automatically attempting to log in using their @vendor.com account.

For web-based applications, we usually avoid this problem by opening up an incognito window and going through the logon process. However, GlobalProtect controls the browser pop-up and is using the default browser in non-incognito mode.

How can we either (a) get GlobalProtect to open the logon prompt using an incognito window or (b) prevent the SAML authentication prompt from automatically using the @vendor.com account?

We have been using the workaround of having the vendor logout of their M365 on everything on their device, but this has been causing other issues and is not a viable workaround long-term.

Adding the @vendor.com accounts as guests to our AAD tenant is not a viable process as these user's may only need one time access during a firefighter scenario, and adding the guest and then propagating groups will be too complicated. Likewise, whatever authentication mechanism we use must continue to support MFA via AAD.

4 REPLIES 4

Cyber Elite
Cyber Elite

Did you explicitly configure GP to launch the default browser? Try using the embedded one instead. In all my deployments, my users are being asked which of their accounts they want to use (Azure as IdP), I use the embedded browser 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thank you Sir, do you have instructions or can point me to instructions on how to do this? "Did you explicitly configure GP to launch the default browser?"

Cyber Elite
Cyber Elite

The configuration is within the Portal Agent section.

 

SteveCantwell_0-1686587211344.png

 

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Mine is set to "No".

PAN-OS 10.1.9-h3

GlobalProtect App Version 6.0.5-30

  • 2473 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!