Setting Up SSO In GlobalProtect Clientless VPN Portal App

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Setting Up SSO In GlobalProtect Clientless VPN Portal App

L0 Member


I have a GP portal setup and working with a published app for VMware Horizon. Authentication to the portal is setup with Duo MFA and works as designed. The issue is that I would like to reduce the amount of authentications after the user logs in to the portal. When a user clicks on the the Horizon client HTML5 link, it opens the app page and presents another login. Our users must enter their username and password again to use the application. Is there a way to pass credentials from the Portal to the Horizon app without asking for re-authentication?


L4 Transporter

Hi Jesse,


Some clarification here: Have you setup the clientless VPN portal and VMWare Horizon as two different Service Provider Applications on the same IdP? Which means users have to log into the clientless vpn portal using sso creds once and again to VMware horizon app. We currently do not support SSO functionality.




Hi Varun,


Sorry I a very new to SAML and SSO with these two systems. The GP Portal is setup to authenticate using a RADIUS profile with Duo MFA that connects to AD. The Horizon system is setup for AD authentication.


Does this info help?

HI Jesse,


No, we do not support SSO in that case.

I have the same question.

At the GP Clientless portal we use LDAP authendication

At the web application we use the same LDAP authendication


It it possible somehow to forward the credentials used on the GP Portal to the web application as well?

That's not currently supported.


I have the same question.

i have some applications configure in clientless vpn and the GP portal is accessible via AD authentication. how can we use SSO with clientless as users use AD authentication to access those applications?

L1 Bithead

Shame there's no solution to this. I want users to log into clientless vpn once (SAML auth) and then SSO take over so published apps don't also request an authentication page.

I do not think this link is the answer to SSO  features with Clientless GlobalProtect. This only shows how to setup Okta saml authentication for GlobalProtect clientless vpn and how to create a bookmark that will allow a workaround for IDP initiated workflow. What this thread is talking about it allowing you to use SSO between different SP(service provider) applications configured in the same IDP. I have tried this with both Okta and Keycloak. I think the reason this does not work is because the firewall does not receive the session cookies that tell the IDP that it is the same session as the application trying to SSO to. Unfortunately I am not certain why this is a problem but I know that right now it does not work.


  • 9 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!