Azure SAML double windows to select account

L1 Bithead

Hello everyone,


We have configured a new set-up for GlobalProtect which uses Azure SAML authentication and Microsoft Authenticator.
It's all working fine with the exception of this weird behavior:


- User connects to the portal with SAML authentication

- A window opens for the user to select an AD account to use

- User selects an account

- A new window opens asking to acknowledge the MS Authenticator prompt; the user accepts.

- Authentication is successful

(So far so good)

- Then a second window asking to select an account appears

- User selects the account and is logged in.


We want to get rid of that second window, but after scouring all the resources I could find, I can't figure out where this window is coming from. Assuming it's the gateway.


As a test, I removed the authentication on the external gateway, but then access is not working at all.
SAML is configured with Single sign-out.

User is using GP 5.2.11-10

Palo is 9.1.11-h3


Portal is configured to generate a cookie for auth override.

Gateway is configured to accept the cookie.

Certificate to encrypt/decrypt on Portal and Gateway is the same.

Use Default Browser for SAML Authentication in the App config is set to NO


Gateway SAML.PNG


Did anyone face the same behavior and manage to get it fixed?
A ticket has been opened, and the suggestion is to enable "Validate Identity Provider Certificate" in the SAML server profile. I don't see how it will solve the issue as the authentication is successful.


Best regards,


Accepted Solutions



We redid a battery of tests today and found a workaround.
1- When the portal and gateway are both set to generate and accept the cookie, the double prompt is happening.

 It happens as well if the Portal is set to generate and the Gateway to accept.


cookie gen portal.PNG

2- When the portal is set to only accept and the gateway to generate and accept: two prompts appear the first time, then after the cookie is generated by the gateway, it can be used by the portal for the authentication.

cookie alive.PNG


The client is not able to read the cookie generated by the portal. It is generated (I can see it in the folder C:\Users\%USERNAME%\AppData\Local\Palo Alto Networks\GlobalProtect) but it can't be read:


(P5076-T10004)Debug(9092): 01/31/23 14:36:11:444 ----Portal Login starts----
(P5076-T10004)Debug(2284): 01/31/23 14:36:11:444 Failed to open file C:\Users\USER\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_xxxxxxxxxxxxxxxxxxxx.dat


This is a known bug at Palo Alto and is expected to be fixed in 10.2.4.

I still have to try with GP client version 5.2.12 with Portal generating the cookie and the Gateway accepting it.


The workaround for now is to set the lifetime of the cookie to a few days or a year (max value). In this case users will only get the two account-selection prompts the first time they connect, or until the cookie is no longer valid.

Thank you all for your help.


Edit: We did remove the AD group from the Portal, Gateway and Auth profile, to no avail. It was the workaround that Palo Alto provided, but it didn't work in our case.
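The accepted solution identifies the problem from the client's PanGPS debug log: a "Portal Login starts" marker followed by "Failed to open file ...\PanPUAC_*.dat". The following script, added here as an example and not part of the thread or of any Palo Alto tooling, parses lines in that format and reports each login stage where the auth-override cookie file could not be opened. The sample log is constructed in the style of the lines quoted above; the cookie file name is a placeholder.

```python
import re
from datetime import datetime

# Constructed sample in the style of the GlobalProtect client log quoted in the thread
# (not a real capture; the PanPUAC file name is a placeholder).
SAMPLE_LOG = r"""(P5076-T10004)Debug(9092): 01/31/23 14:36:11:444 ----Portal Login starts----
(P5076-T10004)Debug(2284): 01/31/23 14:36:11:444 Failed to open file C:\Users\USER\AppData\Local\Palo Alto Networks\GlobalProtect\PanPUAC_PLACEHOLDER.dat
(P5076-T10004)Debug(9092): 01/31/23 14:40:02:101 ----Gateway Login starts----
(P5076-T10004)Debug(2284): 01/31/23 14:40:02:102 Failed to open file C:\Users\USER\AppData\Local\Palo Alto Networks\GlobalProtect\PanGPS.lock
"""

# (Pnnnn-Tnnnn)Level(src): MM/DD/YY HH:MM:SS:mmm message
LINE_RE = re.compile(
    r"^\((?P<proc>P\d+-T\d+)\)(?P<level>\w+)\((?P<src>\d+)\): "
    r"(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}:\d{3}) (?P<msg>.*)$"
)
START_RE = re.compile(r"^----(?P<stage>Portal|Gateway) Login starts----$")
# Only the auth-override cookie file matters here, not other files the client opens.
COOKIE_FAIL_RE = re.compile(r"^Failed to open file (?P<path>.*\\PanPUAC_[^\\]+\.dat)$")


def parse_line(line):
    """Split one client log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%y %H:%M:%S:%f")
    return rec


def find_cookie_read_failures(log_text):
    """Return (stage, timestamp, cookie_path) for every login stage in which the
    client logged that it could not open its PanPUAC cookie file. A portal-stage
    hit means the gateway will have to re-authenticate the user interactively."""
    findings = []
    stage = None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        start = START_RE.match(rec["msg"])
        if start:
            stage = start.group("stage")
            continue
        fail = COOKIE_FAIL_RE.match(rec["msg"])
        if fail and stage:
            findings.append((stage, rec["ts"].isoformat(), fail.group("path")))
    return findings
```

Run it over a real PanGPS.log and a hit at the Portal stage is the signature described in the accepted solution; the PanGPS.lock line in the sample shows that unrelated open failures are ignored.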



L1 Bithead

To clarify the double window: it's not coming from the GlobalProtect client.
It's a Windows window like this one:

Windows SAML.PNG

L7 Applicator

Go to Monitor > Logs > GlobalProtect, filter for login events ( stage eq login ) and check the "Auth Method" column.
If the cookie works, then the Portal auth method should show SAML and the gateway Cookie.


New cookie is generated only if old cookie is expired.

Try to change portal cookie lifetime to 1 minute as well.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
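The check described in this reply can be scripted against a CSV export of the GlobalProtect log. The script below is an added example, not from the thread or from Palo Alto Networks: it applies the "stage eq login" filter, pairs each user's portal and gateway login with its auth method, and lists users whose gateway login did not use the cookie (the ones who will see the second prompt). The column names and rows are constructed assumptions about the export format, not a real log.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a Monitor > Logs > GlobalProtect CSV export.
# Column names are an assumption; rows are invented for illustration only.
SAMPLE_CSV = """receive_time,srcuser,stage,eventid,auth_method
2023/01/31 14:36:12,alice@example.com,login,portal-auth,SAML
2023/01/31 14:36:40,alice@example.com,login,gateway-auth,SAML
2023/01/31 14:50:01,bob@example.com,login,portal-auth,SAML
2023/01/31 14:50:05,bob@example.com,login,gateway-auth,Cookie
2023/01/31 15:01:00,bob@example.com,tunnel,gateway-tunnel,Cookie
"""


def load_login_events(csv_text):
    """Apply the reply's filter (stage eq login); other stages are not relevant."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r["stage"] == "login"]


def cookie_usage_by_user(csv_text):
    """Map user -> {'portal': auth_method, 'gateway': auth_method} from login events.
    The eventid prefix (assumed 'portal-...' / 'gateway-...') tells the two apart."""
    methods = defaultdict(dict)
    for r in load_login_events(csv_text):
        component = "portal" if r["eventid"].startswith("portal") else "gateway"
        methods[r["srcuser"]][component] = r["auth_method"]
    return dict(methods)


def users_reauthenticating_on_gateway(csv_text):
    """Users whose portal login was SAML but whose gateway login did not show
    'Cookie': the auth-override cookie was not used, so the IdP prompted twice."""
    return sorted(
        user
        for user, m in cookie_usage_by_user(csv_text).items()
        if m.get("portal") == "SAML" and m.get("gateway") != "Cookie"
    )
```

An empty result from users_reauthenticating_on_gateway means the cookie is being honoured by the gateway for every SAML user in the export.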

L1 Bithead

Hello Raido,


Thanks for your answer.
Both Portal and Gateway show "SAML" for the auth method, so I assume the cookie is not used for the gateway authentication.

Portal and GW have the same Client authentication with the same authentication profile.


I did try to remove the Client authentication on the Gateway but then the user was not able to connect at all.


Kind regards,


L7 Applicator

As step 1, try a newer GlobalProtect agent.

You are using 5.2.11

For example 5.2.12 had some GlobalProtect auth and SAML issues fixed.




If the newer agent doesn't fix it, then try to enable cookie generation on the gateway temporarily and set the accept time a bit longer (like 5 mins).

Connect to Globalprotect.

Disconnect from GlobalProtect.

Connect to GlobalProtect again.

Was the cookie used during the second connection attempt if it was first generated by the gateway itself?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011