Global Protect Portal / Clientless VPN does not recognize SAML username after update to 10.1.14-h20


L0 Member

After updating our firewall from 10.1.13 to 10.1.14-h20 as per CVE-2026-0227, it's no longer possible to access the GP Portal via a web browser: the authentication via SAML continues to work but now gives back an error page.

Checking the GlobalProtect log gives the error message "Username from SAML SSO response is different from the input".

That seems to be patently untrue - the SAML username is identical to the name given for the login. This is also confirmed with debugging tools in the browser that show the SAML username being sent in the headers. Also I checked the name of the SAML attribute in our IdP configuration.

Checking the appweb3-sslvpn.log gives the log message:

... panGlobalProtectLogin(panPhpGlobalProtect.c:3312): saml_username is , but input user is <username>, mismatch!

Has something changed in the processing of SAML logins for the h20 hotfix? 

Fortunately, this issue ONLY affects the web based access to the portal (i.e. for GP client downloads or to access the clientless VPN). A SAML authentication with a GP client still works as expected and the VPN is established as before.

I tried to raise a ticket with our support partner but I only got some general links to SAML configuration KB articles. I tried changing the "Primary Username" in the User Attributes (Device -> User Identification -> Group Mapping Settings -> User and Group Attributes) to something other than "uid" but that does not seem to have any noticeable effect whatsoever - even if the "Primary Username" is set to an invalid attribute name. (The SAML login will still work with the GP client and it will result in an error for browser based access to the portal.)

After troubleshooting this for a couple of hours, I only see a potential issue:

  • the GlobalProtect log mentions saml_username (saml_underscore_username)
  • the HTTP header for the specific POST request lists a header saml-username (saml_dash_username)

I assume that this is just semantics and shouldn't be taken too seriously, but other than that I have nothing.

Any ideas?

0 replies · 330 views · 0 likes
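The appweb3-sslvpn.log message quoted in the post reports an empty saml_username ("saml_username is , but input user is <username>"), which is a different situation from two non-empty names that disagree. The following script is an added example, not part of the original post and not Palo Alto Networks code: it parses log lines of that exact shape and sorts each mismatch into "empty SAML username", "differs only in case", "differs only in domain form (DOMAIN\user or user@realm)" or "genuinely different user", so that a log full of such lines can be triaged before opening a ticket. The sample log lines are constructed here in the post's format, and the case and domain normalisation rules are assumptions about how names are commonly compared, not a description of what PAN-OS does.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Matches the mismatch message exactly as quoted in the post. The
# "panGlobalProtectLogin(panPhpGlobalProtect.c:NNNN):" prefix is not part of
# the pattern, so trimmed lines are accepted as well.
MISMATCH_RE = re.compile(
    r"saml_username is (?P<saml>.*?), but input user is (?P<input>.*?), mismatch!"
)


@dataclass
class Verdict:
    saml_username: str
    input_user: str
    kind: str  # one of the categories produced by classify()


def _bare(name: str) -> str:
    """Reduce a name to its account part (assumed normalisation: strip a
    DOMAIN\\ prefix or @realm suffix, then lowercase)."""
    n = name.strip().lower()
    if "\\" in n:
        n = n.split("\\", 1)[1]
    if "@" in n:
        n = n.split("@", 1)[0]
    return n


def classify(line: str) -> Optional[Verdict]:
    """Return a Verdict for a mismatch line, or None for unrelated lines."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    saml = m.group("saml").strip()
    inp = m.group("input").strip()
    if not saml:
        # The SAML side is empty: the firewall never obtained a username from
        # the assertion/header, so comparing against the input cannot succeed.
        kind = "empty-saml"
    elif saml == inp:
        kind = "identical"  # not expected in practice; kept for completeness
    elif saml.lower() == inp.lower():
        kind = "case-only"
    elif _bare(saml) == _bare(inp):
        kind = "domain-form-only"
    else:
        kind = "different"
    return Verdict(saml, inp, kind)


def triage(log_text: str) -> Dict[str, int]:
    """Count mismatch lines per category across a whole log excerpt."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        v = classify(line)
        if v is not None:
            counts[v.kind] = counts.get(v.kind, 0) + 1
    return counts


# Constructed sample log in the format quoted in the post (not real data).
SAMPLE_LOG = """\
... panGlobalProtectLogin(panPhpGlobalProtect.c:3312): saml_username is , but input user is jdoe, mismatch!
... panGlobalProtectLogin(panPhpGlobalProtect.c:3312): saml_username is JDoe, but input user is jdoe, mismatch!
... panGlobalProtectLogin(panPhpGlobalProtect.c:3312): saml_username is jdoe@example.com, but input user is jdoe, mismatch!
... panGlobalProtectLogin(panPhpGlobalProtect.c:3312): saml_username is asmith, but input user is jdoe, mismatch!
... some unrelated appweb line
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        v = classify(line)
        if v is not None:
            print(f"{v.kind:17s} saml={v.saml_username!r:22s} input={v.input_user!r}")
    print(triage(SAMPLE_LOG))
```

Run it against an excerpt of appweb3-sslvpn.log (for example `python triage.py < excerpt.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`); a result dominated by "empty-saml" points at the username never reaching the comparison, whereas "case-only" or "domain-form-only" points at a naming-format disagreement between the IdP attribute and what the user typed.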