GP -> SAML -> EntraID Windows users vs Mac user experience issues

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GP -> SAML -> EntraID Windows users vs Mac user experience issues

L1 Bithead

Got a weird one and I'm on Mac so short of pestering my colleagues reaching out to the greater community while I wait on support to attempt to triage.

 

GP client 6.2.3 - PAN 11.1.2

 

GP setup;

  • using default browser to support our yubikey users
  • using auth override cookies
    • portal creates
    • gateway accepts

Problem comes with a super annoying user experience issue on windows and end-users hate it.

 

Windows client:  two tabs open in their browser when connecting. One says auth completed (yay) the other says auth failed (boo) - however users are connected fine. In the firewall monitor tab i see two outlier messages compared to our Mac users. An saml-out-of-band log and two logs that reflect the double browser. An auth success (fine great) and an auth failure with an empty username ( '').

Mac just works w/o issue. No dual tabs and neither of the two logs mentioned.

Anyone seen or experienced this? Were you able to resolve this?

6 REPLIES 6

Cyber Elite
Cyber Elite

Hi @plupini ,

 

One thing that is different about Entra SAML is that it already uses authentication cookies.  So, you do not need to configure Authentication Override on the NGFWs in order to avoid 2 MFA prompts like many other MFA configurations.  I would clear all of those check boxes on the portal and gateway and see what the behavior looks like.

 

On a similar note, the default cookie lifetime for Entra is 90 days.  I logged in once when we 1st set it up, and I didn't have to log in for days!  We later changed the lifetime for the Entra GP MFA app to 1 hour.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L1 Bithead

I'd be happy to try this change but what's odd is doesn't really explain why the experience changes simply from moving from embedded browser to the user's default browser. The embedded browser does not display this same behavior - neither in the logs or visibly to the end user.

 

It's also impacting Windows machines solely. Mac users have no issues with default browser.

 

I'm doing this in an enterprise environment without much of a testing gateway to pound on (although maybe I can get support to).

I'm likely going to be forced to roll back to embedded browser until support can confirm or deny this is a bug or something wrong with the configuration.

Prior to switching to SAML we were using LDAP+Radius for auth+mfa. Overrides were needed for Yubikeys so admittedly some carryover but I'm going off a knowledge based article (will dig up and link once i find it again)

Step 2 : https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-rele...

 

In order for the default system browser for SAML authentication to not open multiple tabs for each connection, we recommend that you configure an authentication override. For more information, see Cookie Authentication on the Portal or Gateway

 

When in fact it does not seem to make difference on Windows. I'm wondering if a GP bug? Still dealing with tier1 support triaging questions sadly

Cyber Elite
Cyber Elite

Hi @plupini ,

 

I currently use Entra SAML for GP.  I do not have Authentication Override configured.  I do not get 2 login prompts.  I understand that for most MFA configurations you should configure Authentication Override in order to not get prompted twice.  As I mentioned, because Entra SAML uses its own authentication cookies, configuring Authentication Override is not needed.

 

You didn't mention before that the embedded browser does not have the issue.  Like you, I have seen issues with the default browser and GP.  I would definitely switch to the embedded browser.  I have also seen the browser issues go away with a GP upgrade.

 

The current recommended version of GP for 6.2 is 6.2.2.  https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-...  It's generally best to stay with the recommended versions.  In this case, a downgrade may possibly help.

 

Thanks,

 

Tom

 

 

Help the community: Like helpful comments and mark solutions.

Apologies for that missing bit of information!

We enabled default browser to support Yubikey as it seems the GP embedded is not compatible. 

 

Appreciate the suggestions!

Cyber Elite
Cyber Elite

Hi @plupini ,

 

Thank you!  It is just a suggestion.  Maybe it will help. It really does seem like a default browser issue as you say.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 1728 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!