GlobalProtect "Connect Before Logon" not working with Duo SSO

L2 Linker

We recently implemented Duo Multi-Factor Authentication (MFA) and have configured GlobalProtect to use Duo's SSO service (which in turn uses Azure AD to authenticate the user). We are using SAML for authentication, so when the user clicks 'Connect', GlobalProtect does the portal connection first and is told by the Palo Alto to open its embedded browser and call the Duo SSO web service, which in turn calls the Azure AD SSO web service, collects and validates the user's username/password, then passes GP back to Duo to prompt for MFA, which once approved is passed back to the Palo Alto to allow GP to connect to the portal. The process is then repeated for the gateway, although we have the portal configured to use cookies so that the user doesn't get prompted for MFA twice. This works fine when we are using Connect AFTER Logon (user logs into Windows first and then connects the VPN).

The issue we are having is with Connect BEFORE Logon. With GlobalProtect 5.2.8, the browser window appears to be stuck between Azure AD and Duo MFA. We see the Azure AD credentials authenticate successfully and the Microsoft prompt goes away (so that must be working), and we briefly see the Duo MFA Universal Prompt attempt to open, but it flashes on the screen for a second and then the GP window just shows a blank window. In the logs, the last thing we see GP do is open two Duo web service URLs. Then nothing until we cancel GlobalProtect. NOTE: I just tried 5.2.9 and it actually gets stuck earlier in the process, just after the user enters their Azure AD password. It just hangs on the "enter password" screen like it never gets back a "successful". In the 5.2.9 logs, I see the URL for the Azure AD login page, with the word BLOCK in front of it. Does that make any sense?

Any suggestions on how to troubleshoot this? Is it the cookies maybe?

1 REPLY

L0 Member

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNA4CAM

This worked for me. Add your Duo API hostname into the registry key.

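The reply above says to add the Duo API hostname to a registry value but does not spell out the key. The PowerShell below is an added example, not code from the original thread, Palo Alto Networks or Duo: it appends a hostname to a separator-delimited string value without duplicating it and without clobbering entries that are already there. The registry path, value name and the `;` separator are assumptions passed in as parameters; take the real ones from the KB article linked in the reply. The hostname shown in the usage call is a placeholder in the usual Duo API hostname form.

```powershell
# Added example (not from the original post or the KB article).
# Idempotently adds a hostname to an allow-list style REG_SZ value.
# -Path, -Name and -Separator are assumptions: supply the values the
# KB article gives for your GlobalProtect version.
function Add-HostToRegistryList {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,       # e.g. 'HKLM:\SOFTWARE\...' (assumed)
        [Parameter(Mandatory)] [string] $Name,       # value name (assumed)
        [Parameter(Mandatory)] [string] $HostName,   # bare hostname, no scheme or path
        [string] $Separator = ';'                    # assumed list separator
    )

    # A scheme, path or whitespace means the caller pasted a URL, not a hostname.
    if ($HostName -match '[/:\\\s]') {
        throw "Expected a bare hostname, got '$HostName'"
    }

    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # Read what is already there; a missing value simply yields $null.
    $existing = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $entries = @()
    if ($existing) {
        $entries = @($existing -split [regex]::Escape($Separator) | Where-Object { $_ })
    }

    # Case-insensitive match, since DNS names are.
    if ($entries -contains $HostName) {
        Write-Verbose "'$HostName' already present in $Path\$Name"
        return $entries
    }

    $entries += $HostName
    $newValue = $entries -join $Separator
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set to '$newValue'")) {
        Set-ItemProperty -Path $Path -Name $Name -Value $newValue -Type String
    }
    return $entries
}

# Usage (run from an elevated prompt; -WhatIf shows the change without writing it).
# Placeholders: substitute the path/value name from the KB article and your own
# Duo API hostname, which has the form api-XXXXXXXX.duosecurity.com.
Add-HostToRegistryList -Path 'HKLM:\SOFTWARE\<path-from-KB-article>' `
                       -Name '<value-name-from-KB-article>' `
                       -HostName 'api-XXXXXXXX.duosecurity.com' -WhatIf

# Read the value back to confirm the write after running without -WhatIf:
# Get-ItemProperty -Path 'HKLM:\SOFTWARE\<path-from-KB-article>' -Name '<value-name-from-KB-article>'
```

Running the function a second time with the same hostname is a no-op, so it is safe to put in a deployment script. Because the Connect Before Logon flow runs before any user is signed in, the change has to be made under HKLM and will need a GlobalProtect service restart or a reboot to take effect; if the 5.2.9 logs still show a URL prefixed with BLOCK after that, the hostname on that line is the next candidate to add.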