This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

IOS + User logon (Always On) + SAML is not working...

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

IOS + User logon (Always On) + SAML is not working...

rxie
L3 Networker

‎03-17-2022 06:35 PM

>Founf this in the release note: GPC-6663

The GlobalProtect app for iOS does not support SAML authentication when you configure GlobalProtect with the User-logon (Always On) Connect Method (NetworkGlobalProtectPortals<portal-config>Agent<agent-config>App). This limitation is due to the Apple Network Extension framework, which blocks network connections from the GlobalProtect app (where users are authenticated to their organization’s SAML identity provider) until the VPN tunnel is created. #https://docs.paloaltonetworks.com/globalprotect/4-1/globalprotect-app-release-notes/gp-app-release-i...

 

>In the newer versions 5.1,5.2,5.3 and 6.0 I didn't see information that this issue got fixed, (since it's due to the Apple Network Extension framework, probably it can not be fixed on our side alone?).

 

>Work around found here in this article, please follow the resolution to configure On-demand as Connect Method for IOS devices. #https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMfYCAW

 

>Is there any solution to this?

4 people had this problem.
(1)
2 REPLIES 2

Joseph.Johnson
L0 Member

‎10-28-2022 06:55 PM

We're experiencing the same issue. Appreciate the insight. After applying your linked work around I'm unable to get the iOS agent config selection criteria to apply despite being having the iOS os specific profile above the any OS profile. Used no login banner in the iOS profile to distinguish between the 2 profiles. I still see the login banner and get the app notification "Always on mode is enabled. Please login to continue". Regardless submitted PA-TAC ticket and will post how we resolve.

Preview file
282 KB
0 Likes Likes

dmifsud
L3 Networker

‎10-30-2022 01:23 PM

SAML is only supported for iOS with On-Demand.

 

What Features Does GlobalProtect Support? (paloaltonetworks.com)

Sr. Technical Support Engineer, Strata
0 Likes Likes
  • 5153 Views
  • 2 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks