09-30-2021 09:32 AM
Using PanOS 9.1.10 and GP Client 5.2.8
We have Okta authentication set up and working on our GP portals, but a strange issue was causing failures for quite a while, and we couldn't figure it out even working with Palo Alto tech support for many days. The issue was that authentication would succeed, and then the GP agent would tell us, "You are not authorized to connect to GlobalProtect portal." The symptoms were very much the same as another reported issue, here: https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000PLSO but the root cause was a little different, because you could clearly see the User-IDs were associated with the AD groups we expected when you viewed them with the "show users" CLI command.
As it turns out, the GP Agent was failing at trying to download its client configuration, because we had Config Selection Criteria associated with AD Groups, but it could not match up logins from Okta with those groups. This always worked prior to implementing Okta, regardless of whether you used the UPN or SAM to log in - we've got both login types supported and enabled in User-ID. Furthermore, the Okta authentication was correctly discriminating based on AD groups during the Authentication phase - and there were never any helpful error logs either on the Firewall or in the GP Portal to indicate a failure. Everything in the logs indicated a success, right up until the final error message. As soon as we removed the groups from Config Selection Criteria and permitted "all" users to download the config, everything worked.
So this appears to perhaps be a bug, but definitely an issue unknown to the Palo community, and a failure in logging. It's possible there is a configuration change in Okta or on the Palo that would have circumvented this issue without necessitating us to select "all" for the config selection criteria, but I don't know what that might be. Nothing in Okta or PA knowledgebase addressed the issue, I could find no community posts reporting the same problem, and the PA techs were stumped. I wanted to create a post to bring this to everyone's attention.
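The post does not identify why the portal could not match Okta logins to the AD groups in the Config Selection Criteria. The following is an added illustration, not code from the post, Palo Alto or Okta, of the matching step it describes and of the kind of log line that would have made the silent failure visible: an IdP-asserted login is normalised to the form the User-ID group table uses, then looked up and compared against the groups a config entry requires. The domain names, accounts and group DNs are constructed, and the normalisation rules (UPN, NETBIOS\sam, bare sam) are an assumption about how a group table might be keyed, not a statement of how PAN-OS does it.

```python
"""Added example: offline check of "does this asserted login map to a group
the config entry requires?", with a reason string for every failure branch.
Not Palo Alto or Okta code; all data below is constructed."""

# Assumed domain identifiers for the constructed environment.
DOMAIN_NETBIOS = "corp"
DOMAIN_DNS = "corp.example"

# Constructed User-ID group membership, keyed the way a "show users" style
# table might be (netbios\sam). These accounts and groups are not real.
USER_GROUPS = {
    "corp\\jdoe": {"cn=gp-users,ou=groups,dc=corp,dc=example"},
    "corp\\asmith": {"cn=gp-admins,ou=groups,dc=corp,dc=example"},
}


def canonical_sam(login):
    """Reduce a UPN, NETBIOS\\sam or bare sam login to 'netbios\\sam'.

    Returns None when the login names a domain this table does not cover,
    which is one way an IdP-asserted name can silently fail to match.
    """
    login = login.strip().lower()
    if "@" in login:
        sam, dom = login.rsplit("@", 1)
        if dom != DOMAIN_DNS:
            return None
        return f"{DOMAIN_NETBIOS}\\{sam}"
    if "\\" in login:
        dom, sam = login.split("\\", 1)
        if dom != DOMAIN_NETBIOS:
            return None
        return f"{DOMAIN_NETBIOS}\\{sam}"
    return f"{DOMAIN_NETBIOS}\\{login}"


def select_config(asserted_login, required_groups):
    """Return (matched, reason) for one config entry's group criteria.

    The reason string is the diagnostic the post says was missing: it names
    which stage failed (unknown domain, no group mapping, or group mismatch)
    instead of reporting success right up to a generic "not authorized".
    """
    required = set(required_groups)
    key = canonical_sam(asserted_login)
    if key is None:
        return False, (f"login {asserted_login!r} is not in domain "
                       f"{DOMAIN_DNS}; no group lookup possible")
    groups = USER_GROUPS.get(key)
    if groups is None:
        return False, (f"login {asserted_login!r} normalised to {key!r}, "
                       f"which has no User-ID group mapping")
    hit = groups & required
    if not hit:
        return False, (f"{key!r} is in {sorted(groups)} but config requires "
                       f"one of {sorted(required)}")
    return True, f"{key!r} matched group(s) {sorted(hit)}"


if __name__ == "__main__":
    gp_users = ["cn=gp-users,ou=groups,dc=corp,dc=example"]
    for login in ("jdoe@corp.example", "CORP\\jdoe", "jdoe@okta.example",
                  "corp\\bob", "asmith@corp.example"):
        ok, why = select_config(login, gp_users)
        print("MATCH " if ok else "REJECT", why)
```

The point of the exercise is the reason string: when a selection step rejects a user who has already authenticated, the log should say which of the three checks failed so that a UPN-versus-sAMAccountName or foreign-domain mismatch can be seen directly rather than inferred after days of troubleshooting.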