Help - Certificate pre-login globalprotect VPN, with SAML tunnel adoption



L1 Bithead



We are working to create a GlobalProtect VPN connection between our Windows 10 devices and the PA FW ver. 8.0.1.


The VPN tunnel needs to use a pre-login tunnel initially (authenticating via the machine cert) which when the user logs in re-authenticates the user using SAML (Azure via ADFS) and renames the existing VPN tunnel.


We have an existing ADFS / Azure SAML environment which is working for other 3rd party app connections.

Windows client devices currently use GlobalProtect client version 4.1.1-14.


Has anyone successfully completed pre-login passing over to SAML user login? Could you please share an anonymised config? The pre-login VPN is up but we are struggling to configure the 2nd part without having the VPN drop (rather than being renamed).


The Palo Alto known issues log suggests that Palo have this working, but there is no configuration example as to how they got there that we can reference to assist us.




L7 Applicator

Hi @darrencassano


Bad news for you ... this is not supported yet ...

Hi @Remo,


Thanks for the reply,


The way I read the Palo KB article GPC-3794 suggests that this is a current and supported config? Could you please tell me why you don't think this is supported?


I don't suppose you have any ideas on how to get to the same level of functionality with a currently supported solution?




Hi @darrencassano


GPC-3794 is still in the known issues list. This unfortunately means it is not fixed yet.

So far I cannot tell you more than that, but your SE maybe has some more information.





Thanks @Remo,


Yes, we knew there was a known issue; however, as yet we have been unable to get our configuration to the point where we encounter the known issue. My request for help was hoping that someone may post / provide an example (anonymised) config for cert pre-logon & SAML user logon to help us get our configuration moved forward.


I don't believe the KB issue prevents a connection; it suggests you just need to log on twice. Our SE suggests that PA are hoping to resolve this in a new build of the GP client, potentially v5, but still a work in progress.


Thanks again!

Oh ... I missed the part that you are asking for a config example anyway ... even with the vpn drop between prelogon and user-logon.

I can try to help, but right now I don't have a SAML config up and running.


Do you already have something configured or are you searching help about how to begin?


PS: Ask your SE about GPv5 Beta access

Very interested in something like this.   Wondering if supported now.
