Hello everyone,
We have configured a new set-up for GlobalProtect which use Auzre SAML authentication and Microsoft Authenticator
It's all working fine with the exception of this weird behavior:
- User connect to the portal with SAML authentication
- A window open for the user to select an AD account to use
- User select account
- New window open asking to ack the MS authenticator prompt, user accept.
- Authentication is successful
(So far so good)
- Then a second window asking to select an account appears
- User select the account and is logged in.
We want to get rid of that second windows but after scouring all the resources I could find, I can't figure out where this windows is coming from. Assuming it's the gateway.
As a test , I removed the authentication on the external gateway, but access is not working at all.
SAML is configured with Single sign-out.
User is using GP 5.2.11-10
Palo is 9.1.11-h3
Portal is configured to generate a cookie for auth override.
Gateway is configured to accept the cookie.
Certificate to encrypt/decrypt on Portal and Gateway is the same.
Use Default Browser for SAML Authentication in the App config is set to NO
Did anyone faced the same behavior and manage to have it fixed?
A ticket has been opened, and suggest to Validate Identity Provider Certificate in the SAML server profile. I don't see how it will solve the issue as the authentication is successful.
Best regards,
Max
So,
We redid a battery of test today and found a work around.
1- When the portal and gateway are set to generate and accept cookie, the double prompt is happening.
Happening as well if Portal is set to generate and Gateway to accept.
2- When the portal is set to only accept and the gateway to generate and accept. Two prompt prompt the first time, then after the cookie is generated by the gateway, it can be used by the portal for the authentication.
The client is not able to read the cookie generated by the portal. It's been generated, can see it in the folder C:\Users\%USERNAME%\AppData\Local\Palo Alto Networks\GlobalProtect but it can't be read.
(P5076-T10004)Debug(9092): 01/31/23 14:36:11:444 ----Portal Login starts----
(P5076-T10004)Debug(2284): 01/31/23 14:36:11:444 Failed to open file C:\Users\USER\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_xxxxxxxxxxxxxxxxxxxx.dat
This is a know bug by Palo and expected to be fixed in 10.2.4
I still have to try with GP client version 5.2.12 with Portal generating the cookie and the Gateway accepting it.
Work around for now is to set the lifetime of the cookie to a few days or a year (max value). In this case users will only have the two prompts for account selection the first time they connect or until the cookie is no longer valid.
Thank you all for your help.
Edit: We did remove the AD group from Portal, Gateway and Auth profile to no avail. It was the work around that Palo provided but didn't work in our case.
To clarify the double windows, it's not coming from the GlobalProtect client.
It's a Windows window like this one
Hello Raido,
Thanks for your answer.
Both Portal and Gateway shows "SAML" for auth method, so I assume the cookie is not used for the gateway authentication.
Portal and GW have the same Client authentication with the same authentication profile.
I did try to remove the Client authentication on the Gateway but then the user was not able to connect at all.
Kind regards,
Max
As step 1 try newer GlobalProtect agent.
You are using 5.2.11
For example 5.2.12 had some GlobalProtect auth and SAML issues fixed.
Like
If newer agent don't fix it then try to enable cookie generation on gateway temporarily and set accept time a bit longer (like 5 mins).
Connect to Globalprotect.
Disconnect from GlobalProtect.
Connect to GlobalProtect again.
Was cookie used during second connection attempt if cookie was first generated by gateway itself?
So,
We redid a battery of test today and found a work around.
1- When the portal and gateway are set to generate and accept cookie, the double prompt is happening.
Happening as well if Portal is set to generate and Gateway to accept.
2- When the portal is set to only accept and the gateway to generate and accept. Two prompt prompt the first time, then after the cookie is generated by the gateway, it can be used by the portal for the authentication.
The client is not able to read the cookie generated by the portal. It's been generated, can see it in the folder C:\Users\%USERNAME%\AppData\Local\Palo Alto Networks\GlobalProtect but it can't be read.
(P5076-T10004)Debug(9092): 01/31/23 14:36:11:444 ----Portal Login starts----
(P5076-T10004)Debug(2284): 01/31/23 14:36:11:444 Failed to open file C:\Users\USER\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_xxxxxxxxxxxxxxxxxxxx.dat
This is a know bug by Palo and expected to be fixed in 10.2.4
I still have to try with GP client version 5.2.12 with Portal generating the cookie and the Gateway accepting it.
Work around for now is to set the lifetime of the cookie to a few days or a year (max value). In this case users will only have the two prompts for account selection the first time they connect or until the cookie is no longer valid.
Thank you all for your help.
Edit: We did remove the AD group from Portal, Gateway and Auth profile to no avail. It was the work around that Palo provided but didn't work in our case.
