10-21-2022 03:18 PM
Just to wrap this thread up: after a bit, PA support got back to me and suggested disabling Dynamic Passwords for the Gateway under:
Global Protect -> Portals -> [portal config] -> Agent -> [agent config] -> Authentication
Something about having Dynamic Passwords enabled prevents the GP client from completing the Gateway connection when using SAML authentication. The SAML connection itself completes normally, but the client never completes its registration after authentication. Unfortunately, this also means that the GP client will cache and reuse the SAML token for every subsequent reconnection (the default Azure token lifetime is 90 days). So if you are expecting to have user/pass authentication every time a user attempts to connect, that will not happen. We are exploring whether Azure can be changed to force a new MFA on reuse of an existing SAML token.