09-29-2022 01:19 PM
I have spent the last 2 days bashing my head on this without success... We are changing an existing GP VPN from internal Radius authentication (plus other methods) to an external Azure SAML authentication. I have set up a SAML Server Profile and an Authentication Profile, set the GP Gateway to use SAML authentication, but the GP client always hangs at "Still Working..." after authenticating, it never successfully connects.
The PA GlobalProtect logs show a gateway-prelogin, but no further events. The PA System logs show a client redirect to the SAML authority and successful assertion back. The Azure SSO shows successful login event. But the GP client never completes the connection.
Using the built-in GP client browser (apparently IE), the first time I tried I got a user/pass login prompt, but I have never subsequently received that. Setting the client configs to use the default system browser, I get a browser SSO login page, authenticate, and a Palo Alto successful login page with a popup to launch GlobalProtect, but the client never connects. If I use SAML authentication on the Portal and anything else on the Gateway (i.e. cert/Radius/etc.), the SAML login to the Portal works fine and the Gateway login also works (on the alternate method). SAML just never completes on the Gateway.
I suspect this has something to do with website blocking when not connected to the VPN (always-on mode, block all traffic when not connected), but I have already added all relevant FQDNs to the bypass list, or something to do with the Attributes & Claims returned by Azure SSO. But so far I have not been able to find/change anything that makes a difference.