- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
02-01-2021 10:01 AM
Hi everyone, I am hoping someone may have seen this before and may have some guidance. I have a fully functioning GlobalProtect OnDemand system with LDAP + SAML setup and working well outside of the pre-login. Once logged in, everything works as expected - the Portal authenticates you with LDAP and then the Gateway pops the webpage (using GP, not default browser) and prompts for SAML. Pre-login wise if I switch to only LDAP, no SAML, it works great, but I need SAML for my 2FA provider. The issue is that the browser that GlobalProtect pops does not run the necessary JavaScript to function so SAML is never requested. It instead errors out on line 0 and the browser just has a spinning wheel on it.
I've already added the 2FA provider's domain to first the Trusted Sites and then the Intranet zone and ensured all things scripting are set to run, as it looks like an IE/Internet Options issue. I've also tried setting GP to use the default browser but none of those seem to do the trick. I have a ticket in with the vendor (SAASPASS) but I thought I'd check here too because I don't know that this problem is specific to them. If anyone had any thoughts that would be much appreciated. Thanks!
02-01-2021 09:52 PM
Which GP version you are running?
Did you test this on Chrome?
Regard
02-02-2021 06:54 AM
We're on 5.2.4 which I believe is the latest version at this time.
I can't test it on Chrome because as I said this is only a problem with Pre-Login. Once you're logged into Windows, it works just fine using either the GP Browser or Chrome. Pre-Login though there's no option for another browser as far as I can tell. I've tried toggling the Use Default Browser option but it still pops the same built-in GP browser window Pre-Login - I'm guessing because it can't yet read your default browser.
😞
02-02-2021 07:02 AM
The most recent GlobalProtect agent is 5.2.5, but I don't think an upgrade is going to help you here. Taking that site out of trusted sites (that's not going to be read at the login page anyways) do you actually need to do anything to get the site to function properly.
02-02-2021 07:07 AM
Thanks, I'll try updating to 5.2.5 anyway. There's no user interaction required for anything normally. It just loads itself up and requests login. I was wondering if anyone else is using this setup and has had success with it? Or maybe it's just a JavaScript Pre-Login issue? I wouldn't mind going the Cert route for pre-login instead but as far as I can tell the cert is required whether you're doing pre-login or not, which doesn't bode well for home computers which we have no control over.
06-08-2022 06:23 AM
I am having the same issue, Is this Pre-login screen issue resolved after upgrade?
06-08-2022 06:41 AM
So your issue doesn't look like it is Pre-Logon. You're already logged into Windows so whatever is going on with you seems to be Post-Logon. I spent the time and went the Certificate route for Pre-Logon anyway and it was definitely worth and time and investment. Getting things working properly with your internal CA was the most difficult part but it works really well. I'd recommend upgrading if you haven't. There have been a ton of fixes since 5.2.5
06-08-2022 06:58 AM
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!