12-09-2025 12:31 PM
Good Morning ,
I am currently working on implementing Global Protect with Duo SSO integration for user authentication . Although all the following configuration elements appear to be in place I am getting the following error message when attempting to access the portal . Can you please advise what may be going wrong her e?
Thank you in advance
12-17-2025 12:27 PM
This is the #1 cause of this error with GlobalProtect + Duo.
Facts:
Duo SSO strictly validates the ACS URL in the SAML request
GlobalProtect portal and gateway have different ACS URLs
If the ACS URL configured in Duo does not exactly match what PAN-OS sends, Duo rejects the request
For GlobalProtect Portal, the ACS URL must be:
https://<portal-fqdn>/SAML20/SP/ACS
This must match character-for-character in:
Duo SSO Application → Service Provider → ACS URL
PAN-OS Authentication Profile → SAML Identity Provider
Palo Alto explicitly documents that any mismatch causes authentication failure before assertion is issued.
Duo validates the SAML Issuer / Entity ID.
For GlobalProtect:
The Entity ID is defined in PAN-OS under the SAML IdP profile
Duo must be configured with the exact same value
If the Entity ID differs (even by trailing slash), Duo will show this error page.
This is confirmed in Duo SSO SAML troubleshooting documentation.
Confirmed behavior:
GlobalProtect signs SAML requests
Duo requires the signing certificate uploaded in the Duo SSO app
If PAN-OS uses a different certificate than the one Duo has, the request is rejected
Common mistake:
Admin uploads the portal SSL certificate instead of the SAML signing certificate
Or rotates the cert on PAN-OS but does not update Duo
Palo Alto documentation explicitly states the SAML signing certificate must match the IdP configuration.
Duo SSO requires:
A valid NameID
In a format it expects (usually emailAddress or unspecified)
If PAN-OS sends:
DOMAIN\username
while Duo expects user@domain
Duo will fail the transaction and display this page.
Duo documents this exact failure mode for SAML apps.
12-17-2025 12:27 PM
This is the #1 cause of this error with GlobalProtect + Duo.
Facts:
Duo SSO strictly validates the ACS URL in the SAML request
GlobalProtect portal and gateway have different ACS URLs
If the ACS URL configured in Duo does not exactly match what PAN-OS sends, Duo rejects the request
For GlobalProtect Portal, the ACS URL must be:
https://<portal-fqdn>/SAML20/SP/ACS
This must match character-for-character in:
Duo SSO Application → Service Provider → ACS URL
PAN-OS Authentication Profile → SAML Identity Provider
Palo Alto explicitly documents that any mismatch causes authentication failure before assertion is issued.
Duo validates the SAML Issuer / Entity ID.
For GlobalProtect:
The Entity ID is defined in PAN-OS under the SAML IdP profile
Duo must be configured with the exact same value
If the Entity ID differs (even by trailing slash), Duo will show this error page.
This is confirmed in Duo SSO SAML troubleshooting documentation.
Confirmed behavior:
GlobalProtect signs SAML requests
Duo requires the signing certificate uploaded in the Duo SSO app
If PAN-OS uses a different certificate than the one Duo has, the request is rejected
Common mistake:
Admin uploads the portal SSL certificate instead of the SAML signing certificate
Or rotates the cert on PAN-OS but does not update Duo
Palo Alto documentation explicitly states the SAML signing certificate must match the IdP configuration.
Duo SSO requires:
A valid NameID
In a format it expects (usually emailAddress or unspecified)
If PAN-OS sends:
DOMAIN\username
while Duo expects user@domain
Duo will fail the transaction and display this page.
Duo documents this exact failure mode for SAML apps.
12-17-2025 01:22 PM
This is now resolved . Redeploying the Global Protect App in Duo application appears to have done the trick. Thank you
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
