05-27-2025 07:42 AM
If I had hair left I would be ripping it out.
We have Global Protect + SAML multifactor using the default browser for that SAML. It has worked ok for more than a year.
Then magically, early this month, up to a dozen users a day after completing the multi-factor are redirected to Global Protect's Client Download page instead of the "Authentication Complete" Page.
How does the browser detect that the client is installed and should present the Auth Complete page vs the client download page?
05-27-2025 12:20 PM
I'm not sure what SAML identity engine you are using, but GP should redirect the user to the SAML login page, and then your SAML engine will send you to the GlobalProtect gateway. But it has a certificate that is used to validate that everything happened, and it sends additional SAML parameters from the LDAP to the gateway, like who signed in and such. This is highly simplified.
First question when SAML breaks on a seemingly random day after working fine is: has my certificate expired? Usually this is the easiest thing to check. In Microsoft Entra, the enterprise applications search page will show the expiry date, without even going into the app settings.
Next would be: have you made any recent changes? GP updates or PAN-OS updates, etc. I know GP doesn't support the Firefox browser, for example, so that shouldn't be the default browser. Try different OS default browsers on someone known to have issues. I guess an OS patch or browser update could break this. If using something like Microsoft Entra ID, did you make any (MFA/device registration) conditional access changes?
You can also set up a test user and have them use the GP integrated browser. Under your GlobalProtect portal's config tab, and then the agent sub-tab, you can clone your main portal agent config and set it higher than the original, and specify a new LDAP group for the test group. Everyone not a member will filter down to the original. The hard part is getting the new settings to transfer to the machine.
Good luck.
05-28-2025 08:34 AM
We are using the on-prem identity engine, though that should not matter in this case. We have not made any changes to GlobalProtect firewalls or certs within the time frame our issues started cropping up; it's been running fine for a year+.
We are stuck with the default browser on our current GP client version (6.1.3), as our SAML page does not display in the older non-Edge integrated browser.
The piece I cannot get a straight answer from Support on is by what mechanism the portal decides to display the client download page vs the authentication complete page.
05-29-2025 11:48 AM
There is a shared secret or, normally, a certificate used to sign the result from the login, which is handled by the SAML identity engine. Otherwise anyone could guess and send a valid login response, and the GlobalProtect client would trust it. This particular cert/key is only used for the SAML process. The redirect after login is normally something sent along with the SAML request, I believe. You normally have a list of valid URL addresses that are allowed to be redirected to on the identity engine side, so again, it can't be spoofed to send a valid response somewhere else. SAML is an open standard, so there could potentially be some other methods it can use. My SAML identity engine experience is only with Microsoft AD Federation Services on-prem and Azure AD, and I claim to only know enough to be dangerous; I am not an expert with it at all.
You can check the certificate info on your Palo by going to Device->Server Profiles->SAML Identity Provider Server Profile.
Then select the profile associated with the global protect portal in question.
Then it should list a name for the certificate that is used, if one is used.
Then, with that name in hand, you can go to Device->Certificate Management->Certificates, and that cert should be listed there with its expiry date.
But I'm not sure if this would cause that particular problem. You have to authenticate to login to both the gp client downloads portal and gp auth.
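As an added illustration of the three checks described in the reply above (the login result is signed by the IdP, the assertion is still within its validity window, and the post-login redirect target is on an allowlist), here is a small stdlib-only Python model of what the service-provider side does with the result. It is example code written for this thread, not GlobalProtect's or any IdP's implementation: the XML-DSig signature a real IdP produces with its signing certificate is replaced by an HMAC over the assertion bytes with a shared secret (the "shared secret" case the reply mentions), and the secret, URLs, user name and timestamps are all constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed values for this example only; not from any real IdP or portal.
IDP_SHARED_SECRET = b"example-idp-signing-secret"
# Allowed post-login redirect targets, matched exactly on (scheme, host, path).
ALLOWED_REDIRECTS = {
    ("https", "vpn.example.com", "/SAML20/SP/ACS"),
    ("https", "vpn.example.com", "/global-protect/login.esp"),
}
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def sign_assertion(assertion_xml: str) -> str:
    """IdP side: HMAC-SHA256 over the assertion bytes with the shared secret.
    Stand-in for the XML-DSig signature made with the IdP's signing certificate."""
    return hmac.new(IDP_SHARED_SECRET, assertion_xml.encode("utf-8"), hashlib.sha256).hexdigest()


def build_assertion(name_id: str, not_on_or_after: datetime) -> str:
    """IdP side: minimal assertion carrying who signed in and how long it is valid."""
    stamp = not_on_or_after.astimezone(timezone.utc).strftime(TIME_FORMAT)
    return (
        "<Assertion>"
        f"<Subject><NameID>{name_id}</NameID></Subject>"
        f'<Conditions NotOnOrAfter="{stamp}"/>'
        "</Assertion>"
    )


def make_login_result(name_id: str, not_on_or_after: datetime, relay_state: str) -> dict:
    """IdP side: signed assertion plus the redirect target that came with the request."""
    assertion = build_assertion(name_id, not_on_or_after)
    return {"assertion": assertion, "signature": sign_assertion(assertion), "relay_state": relay_state}


def redirect_allowed(url: str) -> bool:
    """SP side: exact match on scheme, host and path. A string-prefix check would
    also accept look-alike hosts such as vpn.example.com.<other-domain>."""
    parts = urlparse(url)
    return (parts.scheme.lower(), parts.hostname or "", parts.path) in ALLOWED_REDIRECTS


def verify_login_result(result: dict, now: datetime) -> tuple:
    """SP (portal/gateway) side. Signature is checked first, so a tampered
    NameID or NotOnOrAfter never reaches the later checks. Returns (accepted, reason)."""
    assertion = result.get("assertion", "")
    if not hmac.compare_digest(sign_assertion(assertion), result.get("signature", "")):
        return False, "rejected: signature does not verify, assertion is not from the IdP"
    root = ET.fromstring(assertion)
    conditions = root.find("Conditions")
    if conditions is None or conditions.get("NotOnOrAfter") is None:
        return False, "rejected: assertion carries no validity window"
    expiry = datetime.strptime(conditions.get("NotOnOrAfter"), TIME_FORMAT).replace(tzinfo=timezone.utc)
    if now >= expiry:
        return False, "rejected: assertion expired"
    target = result.get("relay_state", "")
    if not redirect_allowed(target):
        return False, f"rejected: redirect target not on allowlist: {target}"
    name_id = root.findtext("Subject/NameID") or "<unknown>"
    return True, f"accepted: {name_id} authenticated, redirect to {target}"


def run_scenarios() -> dict:
    """Four constructed login results and the verdict on each."""
    now = datetime(2025, 5, 27, 7, 42, tzinfo=timezone.utc)  # constructed clock
    good = make_login_result("jdoe@example.com", now + timedelta(minutes=5),
                             "https://vpn.example.com/SAML20/SP/ACS")
    tampered = dict(good, assertion=good["assertion"].replace("jdoe", "someone-else"))
    expired = make_login_result("jdoe@example.com", now - timedelta(minutes=1),
                                "https://vpn.example.com/SAML20/SP/ACS")
    lookalike = dict(good, relay_state="https://vpn.example.com.lookalike.test/SAML20/SP/ACS")
    return {
        "good": verify_login_result(good, now),
        "tampered": verify_login_result(tampered, now),
        "expired": verify_login_result(expired, now),
        "lookalike": verify_login_result(lookalike, now),
    }


if __name__ == "__main__":
    for label, (accepted, reason) in run_scenarios().items():
        print(f"{label:10s} {accepted}  {reason}")
```

Running it shows only the untouched, in-date result with an allowlisted target being accepted; the other three fail at the signature, expiry and redirect checks respectively. The ordering matters: because the signature is verified before anything inside the assertion is read, editing the expiry or the subject cannot get a stale or altered assertion past the later checks.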
05-29-2025 02:36 PM
Hi @DrewNumberTwo ,
I am curious what changed. Was there a GP upgrade? Did someone change a URL in your IdP? For example, Entra has a sign-on URL, an Entity ID URL, and a Reply URL. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE I don't know if one of those is used for successful authentication.
Thanks,
Tom