I do not think this link is the answer to SSO features with Clientless GlobalProtect. This only shows how to set up Okta SAML authentication for GlobalProtect clientless VPN and how to create a bookmark that will allow a workaround for IDP-initiated workflow. What this thread is talking about is allowing you to use SSO between different SP (service provider) applications configured in the same IDP. I have tried this with both Okta and Keycloak. I think the reason this does not work is because the firewall does not receive the session cookies that tell the IDP that it is the same session as the application trying to SSO to. Unfortunately, I am not certain why this is a problem, but I know that right now it does not work.