Azure SAML double windows to select account

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Azure SAML double windows to select account

L1 Bithead

Hello everyone,

 

We have configured a new set-up for GlobalProtect which use Auzre SAML authentication and Microsoft Authenticator
It's all working fine with the exception of this weird behavior:

 

- User connect to the portal with SAML authentication

- A window open for the user to select an AD account to use

- User select account

- New window open asking to ack the MS authenticator prompt, user accept.

- Authentication is successful

(So far so good)

- Then a second window asking to select an account appears

- User select the account and is logged in.

 

We want to get rid of that second windows but after scouring all the resources I could find, I can't figure out where this windows is coming from. Assuming it's the gateway.

 

As a test , I removed the authentication on the external gateway, but access is not working at all.
SAML is configured with Single sign-out.

SAML SAML.PNG
User is using GP 5.2.11-10

Palo is 9.1.11-h3

 

Portal is configured to generate a cookie for auth override.

Gateway is configured to accept the cookie.

Certificate to encrypt/decrypt on Portal and Gateway is the same.

Use Default Browser for SAML Authentication in the App config is set to NO

Portal SAML.PNG

Gateway SAML.PNG

 

Did anyone faced the same behavior and manage to have it fixed?
A ticket has been opened, and suggest to Validate Identity Provider Certificate in the SAML server profile. I don't see how it will solve the issue as the authentication is successful.

 

Best regards,
Max

1 accepted solution

Accepted Solutions

So,

 

We redid a battery of test today and found a work around.
1- When the portal and gateway are set to generate and accept cookie, the double prompt is happening.

 Happening as well if Portal is set to generate and Gateway to accept.

 

cookie gen portal.PNG


2- When the portal is set to only accept and the gateway to generate and accept. Two prompt prompt the first time, then after the cookie is generated by the gateway, it can be used by the portal for the authentication.

cookie alive.PNG

 

The client is not able to read the cookie generated by the portal. It's been generated, can see it in the folder C:\Users\%USERNAME%\AppData\Local\Palo Alto Networks\GlobalProtect but it can't be read.

 

(P5076-T10004)Debug(9092): 01/31/23 14:36:11:444 ----Portal Login starts----
(P5076-T10004)Debug(2284): 01/31/23 14:36:11:444 Failed to open file C:\Users\USER\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_xxxxxxxxxxxxxxxxxxxx.dat

 

This is a know bug by Palo and expected to be fixed in 10.2.4

I still have to try with GP client version 5.2.12 with Portal generating the cookie and the Gateway accepting it.

 

Work around for now is to set the lifetime of the cookie to a few days or a year (max value). In this case users will only have the two prompts for account selection the first time they connect or until the cookie is no longer valid.

Thank you all for your help.

 

Edit: We did remove the AD group from Portal, Gateway and Auth profile to no avail. It was the work around that Palo provided but didn't work in our case.

View solution in original post

9 REPLIES 9

L1 Bithead

To clarify the double windows, it's not coming from the GlobalProtect client.
It's a Windows window like this one

Windows SAML.PNG

Cyber Elite
Cyber Elite

Go to Monitor > Logs > GlobalProtect, filter out login events ( stage eq login ) and check "Auth Method" column.
If cookie works then Portal auth method should show SAML and gateway Cookie.

 

New cookie is generated only if old cookie is expired.

Try to change portal cookie lifetime to 1 minute as well.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L1 Bithead

Hello Raido,

 

Thanks for your answer.
Both Portal and Gateway shows "SAML" for auth method, so I assume the cookie is not used for the gateway authentication.

Portal and GW have the same Client authentication with the same authentication profile.
GP log SAML.PNG

 

I did try to remove the Client authentication on the Gateway but then the user was not able to connect at all.

 

Kind regards,

Max

Cyber Elite
Cyber Elite

As step 1 try newer GlobalProtect agent.

You are using 5.2.11

For example 5.2.12 had some GlobalProtect auth and SAML issues fixed.

Like

Raido_Rattameister_0-1674794186687.png

 

If newer agent don't fix it then try to enable cookie generation on gateway temporarily and set accept time a bit longer (like 5 mins).

Connect to Globalprotect.

Disconnect from GlobalProtect.

Connect to GlobalProtect again.

Was cookie used during second connection attempt if cookie was first generated by gateway itself?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L1 Bithead

Let me try that, I'll update the topic with result

L4 Transporter

Did you add both fqdn's (portal and gateway) to the SAML config (on Microsoft)?

L1 Bithead

Hello,

 

For the new version, It'll be installed tomorrow, user doesn't have admin right.

We tested the cookie generation and accept on the gateway to no avail. Still see both SAML on the auth method.

@JoergSchuetter , the FQND is used on the SAML config on Azure. That FQDN is resolving to the IP of the Portal and Gateway.

 

On the PAN GPS log, I see this entry in the ----Gateway Pre-login starts---- part:

(P5076-T16812)Debug(2284): 01/30/23 16:29:13:678 Failed to open file C:\Users\XXX\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_xxxxxxxxxxx.dat

 

That file is PanPUAC.dat file is the Portal authentication cookie, we checked the access right of the folder and it looks ok. The user has full control to the folder.

Kind regards,
Maxime

So,

 

We redid a battery of test today and found a work around.
1- When the portal and gateway are set to generate and accept cookie, the double prompt is happening.

 Happening as well if Portal is set to generate and Gateway to accept.

 

cookie gen portal.PNG


2- When the portal is set to only accept and the gateway to generate and accept. Two prompt prompt the first time, then after the cookie is generated by the gateway, it can be used by the portal for the authentication.

cookie alive.PNG

 

The client is not able to read the cookie generated by the portal. It's been generated, can see it in the folder C:\Users\%USERNAME%\AppData\Local\Palo Alto Networks\GlobalProtect but it can't be read.

 

(P5076-T10004)Debug(9092): 01/31/23 14:36:11:444 ----Portal Login starts----
(P5076-T10004)Debug(2284): 01/31/23 14:36:11:444 Failed to open file C:\Users\USER\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_xxxxxxxxxxxxxxxxxxxx.dat

 

This is a know bug by Palo and expected to be fixed in 10.2.4

I still have to try with GP client version 5.2.12 with Portal generating the cookie and the Gateway accepting it.

 

Work around for now is to set the lifetime of the cookie to a few days or a year (max value). In this case users will only have the two prompts for account selection the first time they connect or until the cookie is no longer valid.

Thank you all for your help.

 

Edit: We did remove the AD group from Portal, Gateway and Auth profile to no avail. It was the work around that Palo provided but didn't work in our case.

L1 Bithead

GP version 5.2.12 is the same behavior. Will retest after upgrade PANOS to 9.1.15-h1

  • 1 accepted solution
  • 3780 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!