05-11-2022 07:45 AM
Users can't complete authentication to the Global Protect portal with Azure SAML auth. When I go to the portal address in a web browser it redirects me to an Office 365 login, I enter my credentials and MFA code, it sits on a login.microsoftonline.com URL loading and eventually fails with this URL in the address bar: <global-protect-url>/SAML20/SP/ACS. Chrome returns an ERR_EMPTY_RESPONSE, Firefox returns a message saying, "The page you are trying to view cannot be shown because the authenticity of the received data could not be verified."
I followed this documentation for setting up the Azure SAML authentication: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE
The user authenticates successfully on the Azure side but the authentication never gets passed back to the firewall.
If I switch the authentication for the portal over to LDAP I can log in. Computers with the Global Protect agent can't connect either, but I switched to troubleshooting in the browser to eliminate the agent version being an issue.
05-12-2022 06:57 AM
Hi,
In my case, it was a network issue. Enabling Adjust MSS with default value on the interface hosting GlobalProtect Portal solved the problem.
Regards,
05-12-2022 07:41 AM
This solved it, thank you. We had to enable this setting for our WAN interface a while back too. Do you have any idea why it would all of a sudden need to be enabled? Global Protect has been working for a few months now up until the other day.
05-12-2022 07:53 AM
I suppose that something had to change in the communication path, which caused problems with TCP packets with too big a payload (maybe some extra encapsulation).
In my case, the issue occurs on PA-VM Hyper-V, but I have PA-VM on VMware, where SAML is working without any adjustments.
05-12-2022 07:59 AM
Our firewall is a PA-VM on Hyper-V as well so that is interesting.
My thought as well. I have a support ticket open but haven't gotten a response after 2 days. If they ever respond I'll see if they can confirm that or agree that is a likely explanation. If they give any helpful info I'll post back here for anyone having this issue in the future.
02-29-2024 09:23 AM
Give more detail on the fix, I am having the same issue but unable to follow your direction.