globalprotect authentication issues using SAML on MacOS

L0 Member

Looking for GP authentication troubleshooting tips or if anyone else is experiencing authentication issues using SAML on GlobalProtect (affects every single agent version newer than 4.1.1). Our issue seems to only affect macOS users, but my shop is 99% Mac users; the Windows users rarely connect to the VPN and never complain.


We upgraded to PAN OS 8.1.5 earlier this month - this issue existed prior to, and after, the upgrade. We are using SAML with okta and the portal config to offer okta to a user on any OS other than linux. (linux users are using LDAP auth that works nicely).


Issue:

A fresh install of the GP agent: user logs in via SSO, connects, and everything works as expected all day. The next day the user logs on to start work and can't log in. The issue seems to be authentication cookie related: the user will sign in via the expected SSO sign-in portal (Okta in this case), then the agent reports "Connecting..." forever. The system logs on the NGFW report an expired cookie and then authentication success, but the agent never connects. The PanGPA.log log from the is particularly unhelpful; there is no single error (that I have been able to identify so far) that shows up on devices experiencing this issue. The agent just keeps trying to connect over and over, periodically displaying a non-SSO login prompt (i.e. a login prompt the thing is not even configured to display to a macOS user).


The errors in the system log indicate an expired cookie, and the timeframe around this issue coincides with the 24-hour setting we have for cookie authentication override. So I have experimented with disabling auth cookie overrides in both the portal and gateway. This has resulted in the agent reporting authentication failures, "portal cannot be found" or "invalid portal" type errors on the agent.
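The poster's two observations (an expired-cookie event followed by an authentication success with no connection, and failures lining up with the 24-hour cookie override lifetime) are the kind of thing worth checking mechanically across many users before changing portal or gateway settings. The script below is an added example, not code from the original post or from Palo Alto Networks; the log format, the event names (`auth-cookie-issued`, `auth-cookie-expired`, `auth-success`, `gateway-connect`) and the sample lines are all constructed for illustration and do not reproduce the real PAN-OS system log format. It correlates, per user, cookie expiries that were followed by an authentication success but never by a gateway connect inside a short window, and measures each cookie's issue-to-expiry lifetime so it can be compared against the configured override period.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "timestamp user= event=" layout
# (not the actual NGFW system log format). Two users: alice gets stuck after
# her cookie expires, bob reconnects normally after his.
SAMPLE_LOG = """
2019-02-11T08:01:00 user=alice event=auth-cookie-issued
2019-02-11T08:01:02 user=alice event=auth-success
2019-02-11T08:01:05 user=alice event=gateway-connect
2019-02-11T09:00:00 user=bob event=auth-cookie-issued
2019-02-11T09:00:03 user=bob event=auth-success
2019-02-11T09:00:05 user=bob event=gateway-connect
2019-02-12T08:03:10 user=alice event=auth-cookie-expired
2019-02-12T08:03:12 user=alice event=auth-success
2019-02-12T08:03:40 user=alice event=auth-success
2019-02-12T09:30:00 user=bob event=auth-cookie-expired
2019-02-12T09:30:02 user=bob event=auth-success
2019-02-12T09:30:06 user=bob event=gateway-connect
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")


def parse_events(lines):
    """Parse the constructed log lines into time-sorted event dicts; skip junk lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]),
                       "user": m["user"], "event": m["event"]})
    events.sort(key=lambda e: e["ts"])
    return events


def stuck_after_cookie_expiry(events, window=timedelta(seconds=60)):
    """Return (user, expiry_time) pairs where a cookie expiry was followed by an
    auth-success but by no gateway-connect within `window` (the 'Connecting...'
    forever symptom)."""
    stuck = []
    for i, ev in enumerate(events):
        if ev["event"] != "auth-cookie-expired":
            continue
        user, deadline = ev["user"], ev["ts"] + window
        saw_auth = connected = False
        for later in events[i + 1:]:
            if later["ts"] > deadline:
                break  # events are sorted, nothing later can be in the window
            if later["user"] != user:
                continue
            if later["event"] == "auth-success":
                saw_auth = True
            elif later["event"] == "gateway-connect":
                connected = True
        if saw_auth and not connected:
            stuck.append((user, ev["ts"]))
    return stuck


def cookie_lifetimes_hours(events):
    """Hours between each user's most recent cookie issue and its expiry."""
    issued, lifetimes = {}, {}
    for ev in events:
        if ev["event"] == "auth-cookie-issued":
            issued[ev["user"]] = ev["ts"]
        elif ev["event"] == "auth-cookie-expired" and ev["user"] in issued:
            lifetimes[ev["user"]] = (ev["ts"] - issued[ev["user"]]).total_seconds() / 3600
    return lifetimes


def expiries_near_override(lifetimes, override_hours=24.0, tolerance_hours=0.25):
    """Users whose cookie lifetime sits within `tolerance_hours` of the configured
    override period; a cluster here supports the 'it is the cookie override' theory."""
    return {u: h for u, h in lifetimes.items() if abs(h - override_hours) <= tolerance_hours}


EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    for user, ts in stuck_after_cookie_expiry(EVENTS):
        print(f"{user}: cookie expired {ts}, re-authenticated but never connected")
    lifetimes = cookie_lifetimes_hours(EVENTS)
    for user, hours in expiries_near_override(lifetimes).items():
        print(f"{user}: cookie lived {hours:.2f} h, close to the 24 h override setting")
```

Run against real exports, the two checks separate the question "does the stall always follow a cookie expiry?" from "do expiries always land at the override boundary?"; if the second check finds no cluster, the override lifetime is probably not the cause, which the poster's experiment of disabling the override would not on its own reveal.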
