Global Protect Google SAML Authentication Failure

L1 Bithead

Hello Community,

We have been working on changing out our local LDAP authentication to Google SAML for our GlobalProtect login on both our gateway and portal. Authentication for the gateway works as intended, but the portal auth refuses to complete. A successful handshake between Google and the Palo Alto is made via the certificate and I can log in with any user, but the portal connection fails to complete and a Google 403 error (app_not_configured_for_user) appears (attached a screenshot for reference). The service has already been turned on within the Google SAML app webpage for all users.

The encoded SAML request and response all match up. ACS and Entity IDs match with no deviations (i.e. no misplaced uppercase letters).

If it's any hint, the Test SAML Login option within the Google Admin SAML app page brings me to Palo Alto's login page and allows me to use my proper Google account; however, I am greeted with a Palo Alto page that says Authentication Failed (attached screenshot for splash page).

TAC said everything looks fine on the firewall side of things. Google support has been contacted but so far they haven't been very useful.

Has anyone else experienced this issue? Any advice would be greatly appreciated.
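The comparison described in the post above (the ACS URL and Entity ID carried in the encoded SAML request against the values configured in the Google SAML app), as an added example that is not part of the original thread. The host name, URLs, sample request and function names are constructed for illustration.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET  # fine for your own captures; prefer defusedxml for untrusted XML

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml_request(param: str) -> ET.Element:
    """Decode a captured SAMLRequest value (HTTP-Redirect or HTTP-POST binding)."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    if not raw.startswith(b"<"):  # Redirect binding: raw DEFLATE under the base64
        raw = zlib.decompress(raw, -15)
    return ET.fromstring(raw)

def sp_values(root: ET.Element) -> dict:
    """Return the Entity ID (Issuer) and ACS URL the service provider actually sent."""
    issuer = root.find("saml:Issuer", NS)
    entity_id = (issuer.text or "") if issuer is not None else ""
    return {"entity_id": entity_id, "acs_url": root.get("AssertionConsumerServiceURL", "")}

def compare(sent: dict, configured: dict) -> list:
    """Byte-exact comparison that names the near misses that are easy to overlook by eye."""
    findings = []
    for key in ("entity_id", "acs_url"):
        a, b = sent[key], configured[key]
        if a == b:
            continue
        if a.lower() == b.lower():
            reason = "case differs"
        elif a.strip().rstrip("/") == b.strip().rstrip("/"):
            reason = "whitespace or trailing slash differs"
        else:
            reason = "value differs"
        findings.append((key, reason, a, b))
    return findings

# Constructed sample: request for hypothetical host vpn.example.com, plus IdP-side values with two near misses.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0" '
    'AssertionConsumerServiceURL="https://vpn.example.com:443/SAML20/SP/ACS">'
    "<saml:Issuer>https://vpn.example.com:443/SAML20/SP</saml:Issuer></samlp:AuthnRequest>"
)
_deflater = zlib.compressobj(wbits=-15)
SAMPLE_PARAM = base64.b64encode(_deflater.compress(SAMPLE_XML.encode()) + _deflater.flush()).decode()
IDP_CONFIG = {"entity_id": "https://VPN.example.com:443/SAML20/SP", "acs_url": "https://vpn.example.com:443/SAML20/SP/ACS/"}
if __name__ == "__main__":
    for finding in compare(sp_values(decode_saml_request(SAMPLE_PARAM)), IDP_CONFIG):
        print(finding)
```

Pass the `SAMLRequest` value captured from the browser's redirect to the IdP, and replace `IDP_CONFIG` with the values copied from the IdP's app configuration.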

Accepted Solutions

Okay, after spending a lot of time between Google and Palo Alto I was finally able to resolve my issue. The problem I was running into was unique and may not be what you were experiencing.

3 factors in tandem created this error. First off, the GP client 6.2.2 does NOT work with SAML authentication through Google. Upgrading to 6.2.3 helped resolve my issues. Secondly, I had to create a 2nd certificate for SAML IdP and reconfigure the Authentication profile with the new cert after marking it as its own CA. Finally, some of my commits had failed and I hadn't known until searching through the logs via CLI. After restarting the firewall's manage service I was able to clear changes stuck in limbo and reapply some of the changes I made.

Again, my issue was pretty unique but I hope this helps you.

3 REPLIES

L0 Member

Hello, we have the same problem. Please, I would appreciate it if you could comment on whether you managed to resolve the case.

Hello Socteamperu,

According to TAC my issue is on the Google side of things. I am still working with Google to get this issue resolved. I will return the results when able.
