GP with saml authentication always redirects to idp


L4 Transporter

Hi community!

 

In our GlobalProtect configuration, with SAML authentication and cookies in both portal and gateway, we observe that the firewall always redirects to the IdP, regardless of using cookies for authentication. We can see in the GP logs that the cookies are being used, but in the auth.log we see the redirection from the firewall to the IdP.

The only difference is that when the cookies are valid, the user is not asked to enter a username and password and the authentication happens transparently to the user.

 

In summary:

(*) How the authentication should work:
-> First login:
---> User is redirected to the IdP (browser opens) for user authentication
---> Cookie is issued
-> Subsequent connections:
---> GP sends the cookie
---> Firewall validates/authenticates locally without redirection

(*) What the behavior in our firewall is:
-> First login:
---> User is redirected to the IdP (browser opens) for user authentication
---> Cookie is issued
-> Subsequent connections:
---> Firewall redirects to the IdP
---> IdP auto-authenticates without asking the user for authentication.

 

Tried the config with PAN-OS 11.2.10-h3 and GP 6.3.3-828.

 

Is anyone having the same behavior?

 

 

1 REPLY

Cyber Elite

Hi @Carracido ,

 

Yes, I have seen that behavior.  Although there are many documents which say that Authentication Override is an effective way to stop double SAML authentication prompts for the portal and the gateway, I have rarely seen it work.  I no longer configure Authentication Override with SAML, ... AND I don't need to.  As in your case, I can configure the IdP to achieve the same result.

 

The reason, I believe, why it doesn't work is "that the default SAML IDP session cookie, also known as a token, is used for SAML authentication before the GlobalProtect Authentication Override cookies is used."

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NCxCAM&lang=en_US%E2%80%A...

 

I guess the gateway has to check the IdP cookie against the IdP.  So, the key is to configure the IdP cookie to achieve the desired results.  For example, the default Entra ID cookie lifetime is too long.  After logging in once, your users won't have to log in for a while.  Most people would prefer more frequent MFA.

 

Thanks,

 

Tom

 
