01-02-2024 06:45 AM
Hello all.
Seems to be casting into an empty pool here, but will try anyway.
My issue is with multi-auth profiles using GlobalProtect & Prisma Access.
If you use more than one IDP, you can only match against one profile, hence you can't use a multi-profile.
So the recommendation is CIE multi-auth.
You set up your IDPs in here, easy peasy, and it works.
The only problem is when you authenticate against the CIE multi-auth.
You get a new Palo Alto landing page which requires you to enter your user ID so CIE can work out which IDP to point you towards.
This breaks SSO completely. So, if like me you allow Windows authentication FIRST before GP starts, CIE does not use the already granted token because it does not know which directory to point it at; hence you have to enter a username. It is then able to see the token is valid, authentication is satisfied, and we move on.
Pretty dumb, as it completely breaks SSO. The only option is to move from a working, fully integrated IDP to one where users have to enter their user ID.
TAC tells me this is expected behaviour. I can't believe this is actually true, as it makes no sense at all to break SSO.
As usual there is no documentation (or I can't find it) on how to configure multi-auth profiles to cater for this limitation.
There might be some kung fu in GlobalProtect that allows it?
Anyone else seen this?
HELP!!!
01-10-2024 01:46 AM
Hello Elizabeth32.
Finally got some traction on it. My SE Rob has been excellent.
It is expected behaviour. Ergo SSO gets broken on purpose.
The reasoning on this seems to be that CIE cannot interpret the token. So the defined method is to add a proxy-type layer where the user inserts their username into a landing page and CIE directs accordingly.
The workaround is to use the default browser on the endpoint and create a dummy record in the browser's password manager for the CIE landing page; this automatically completes the user's input, but there is still a submit button.
It is a workaround for now, but it still breaks SSO.
My SE set up a meeting with the IAM guru for Europe and we went through the scenario; it is a weakness which is well recognised by Palo.
Seems the best way is to be able to assign an authentication profile to the GlobalProtect policy, which takes away the need to have that proxy landing page and does away with the multi-profile CIE policy.
They have actually put a change request in for this or something similar.
Very positive input from Palo. Just a huge shame TAC were not aware of how this works and took ages to try and diagnose.
05-19-2024 07:12 PM - edited 05-19-2024 08:26 PM
This is the screen that I have seen. I have configured the group, else the multi-profile won't work. I have also set the default profile. The SSO is not seamless compared to pointing to Entra ID directly. Is this fixed?
@gcollins5, may I know what the "change request" ID is, so I can reference it?
08-01-2024 12:48 AM
My bad, I didn't answer this. I will reach out to my SE to find it.