CIE (SAML) Authentication using Embedded Web-view
Embedded Web View With CIE For Force Authentication
Where Can I Use This?
What Do I Need?
  • GlobalProtect Subscription
  • PAN-OS 11.2 (or a later PAN-OS version)
  • GlobalProtect app 6.3 version
  • GlobalProtect endpoints running on Windows and macOS
GlobalProtect now supports CIE (SAML) authentication using an embedded web-view without requiring any pre-deployment configuration.
The enhancement also supports force authentication: end users can be required to authenticate again when reconnecting to the app even while the SAML token remains valid, which helps enterprises meet security-compliance requirements.
Previously, users were not prompted to re-authenticate when they tried to reconnect to the app using the CIE authentication method. You can now configure the GlobalProtect app to prompt end users to re-enter their credentials whenever they reconnect the GlobalProtect app using the Cloud Identity Engine (CIE) authentication method.
Starting with GlobalProtect 6.2.3, the embedded browser framework for SAML authentication has been upgraded to Microsoft Edge WebView2 (Windows) and WebKit (macOS). This provides a consistent experience between the embedded browser and the GlobalProtect client. WebView2 and WebKit are also compatible with FIDO2-based authentication methods. For more information, see the Microsoft Edge WebView2 documentation.
By default, tenants using SAML authentication are configured to use the embedded WebView2 (Windows) or WebKit (macOS) instead of relying on the system's default browser. With this enhancement, end users no longer need to configure a SAML landing page, which eliminates the need to manually close the browser and streamlines the authentication process.
In a Microsoft Entra-joined environment with SSO enabled, users are not required to enter their credentials in order to authenticate to Prisma Access using GlobalProtect. This seamless experience applies whether the user is logging in to their environment for the first time or has logged in before. If an error occurs during authentication, it is displayed in the embedded browser. This authentication process works across all device states.
In a non-Entra-joined environment with SSO enabled, users must enter their credentials during the initial login. On subsequent logins, the credentials are auto-filled as long as the SAML identity provider (IdP) session is active and has not timed out.
Use the following procedure to configure the app to prompt for re-authentication when it reconnects:
  1. Configure the Cloud Identity Engine with the Force authentication option in the authentication profile to authenticate users with the CIE authentication method.
  2. Configure the GlobalProtect portal by adding the authentication profile that you created.
  3. Configure the GlobalProtect gateway by adding the authentication profile that you created.
  4. (Optional) Configure an authentication override cookie.
  5. Configure the GlobalProtect app to use the embedded browser for CIE authentication and to prompt the end user to reauthenticate when the app reconnects.
    1. Disable the Use Default Browser for SAML Authentication option in the app settings of the portal configuration.
      1. Select Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App.
      2. In the App Configurations area, set the Use Default Browser for SAML Authentication option to No so that the GlobalProtect app opens the embedded browser for CIE authentication. After you set the option to No, the app prompts end users to reauthenticate using CIE as the authentication method whenever it tries to reconnect.
    2. Disable the Use default browser for embedded browser option in the Client Authentication settings of the portal configuration.
      1. Select Network > GlobalProtect > Portals > <portal-config> > Authentication > <client-authentication-config>.
      2. Disable (clear) the Use default browser option in the Client Authentication window so that the GlobalProtect app opens the embedded browser for CIE authentication.
    3. Click OK.
    4. Commit the configuration.
  6. Verify the GlobalProtect logs and System logs on the firewall, and the PanGPS logs on the endpoints, to confirm that reauthentication occurs when end users who use the CIE authentication method try to reconnect to the app.
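The procedure above sets two separate options (one per agent config, one per client-authentication entry), and any portal entry left at Yes silently falls back to the system browser. The following audit script is an added example, not Palo Alto Networks code: it parses an exported PAN-OS configuration and reports every agent config or client-authentication entry that does not explicitly set the option to no. The XML node names `client-config/configs/entry/default-browser` and `portal-config/client-auth/entry/default-browser` are assumed placeholders for the two GUI options; confirm them against your own exported configuration before relying on the script.

```python
# Added audit example (not from the Palo Alto Networks documentation).
# ASSUMPTION: the element names "client-config/configs/entry/default-browser" and
# "portal-config/client-auth/entry/default-browser" are placeholders standing in for the
# "Use Default Browser for SAML Authentication" (App settings) and "Use default browser"
# (Client Authentication) options; verify them against a real exported configuration.
import xml.etree.ElementTree as ET

# Constructed sample configuration: one portal with one compliant and one non-compliant
# entry of each kind, plus an agent config that never sets the option at all.
SAMPLE_CONFIG = """<config>
<global-protect-portal>
  <entry name="gp-portal">
    <portal-config>
      <client-auth>
        <entry name="win-mac-auth"><default-browser>no</default-browser></entry>
        <entry name="legacy-auth"><default-browser>yes</default-browser></entry>
      </client-auth>
    </portal-config>
    <client-config>
      <configs>
        <entry name="corp-laptops"><default-browser>no</default-browser></entry>
        <entry name="contractors"><default-browser>yes</default-browser></entry>
        <entry name="unset-config"/>
      </configs>
    </client-config>
  </entry>
</global-protect-portal>
</config>"""


def audit_embedded_browser(config_xml: str) -> list[str]:
    """Return one finding per agent config or client-auth entry whose
    default-browser option is not explicitly 'no'. An absent element is also
    reported, so that an entry that was never touched is reviewed rather than
    assumed to use the embedded browser."""
    root = ET.fromstring(config_xml)
    findings = []
    for portal in root.findall(".//global-protect-portal/entry"):
        pname = portal.get("name")
        # App settings: Use Default Browser for SAML Authentication (per agent config)
        for cfg in portal.findall("client-config/configs/entry"):
            value = cfg.findtext("default-browser")
            if value != "no":
                findings.append(f"{pname}: agent config '{cfg.get('name')}' "
                                f"Use Default Browser for SAML Authentication = {value or 'unset'}")
        # Client Authentication: Use default browser (per client-auth entry)
        for auth in portal.findall("portal-config/client-auth/entry"):
            value = auth.findtext("default-browser")
            if value != "no":
                findings.append(f"{pname}: client auth '{auth.get('name')}' "
                                f"Use default browser = {value or 'unset'}")
    return findings
```

Run it against the output of a configuration export and treat every returned line as a portal entry that still needs steps 5.1 and 5.2 applied.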
