Authentication Issue with Authentic ID and GlobalProtect Integration

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Authentication Issue with Authentic ID and GlobalProtect Integration

L1 Bithead

Hello,

I have integrated Authentic ID with GlobalProtect as the Identity Provider (IDP), but the username and password fields are not appearing for authentication. Have you encountered a similar issue, or do you have any suggestions on how to resolve it?

hamza_d_1-1722957486264.png


Thanks in advance.

4 REPLIES 4

Hi @hamza_d ,

 

What version of GlobalProtect are you using?

When using SAML authentication, the username and password login form is provided by the IdP. The GlobalProtect just act as simple web browser that visualize the content provided by the IdP.

 

As described here GlobalProtect embedded browser was recently upgraded to use newer framework - https://docs.paloaltonetworks.com/globalprotect/6-2/globalprotect-app-release-notes/features-introdu...

 

I am wondering if the IdP is having issues with the framework used by the GlobalProtect.

 

As workaround you may try to switch to "default browser". This will tell GlobalProtect to use the web browser that is set as default for the OS.

Hello @aleksandar.astardzhiev ,

What version of GlobalProtect are you using?

-->6.1.1-5

L1 Bithead

Hi @aleksandar.astardzhiev ,

After restarting the GlobalProtect service on my Windows machine, GlobalProtect started redirecting to the default browser for authentication via IDP. However, I am now experiencing authentication failures, even though the IDP logs show successful authentication.

Thanks.

Hi @hamza_d ,

Remember that under the hood GlobalProtect is performing two authentication - first authenticate and connect to GP Portal then authenticate annd connect to GP Gateway. By default GP client will try to reuse the credentials you use for portal to authenticate you to the gateway. With SAML this is not possible.

Try search through the form there should be multiple similar questions, explaining that workaround would be to set GP Portal to create authentication cookie, valid for 1mins and set GP Gateway to accept authentication cookie. This way when user is connecting with GP client, he will be authenticated with SAML against the portal. Portal will give the client cookie, which it will use to authenticate to GP Gateway.

 

You should still keep the SAML authentication on the portal, in case GP client skip portal connection (when using the last known good cached config)

  • 649 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!