GlobalProtect
Manage Browser Selection for SAML Authentication
Table of Contents
Manage Browser Selection for SAML Authentication
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
Starting with PAN-OS version 11.1.0, the default browser selection for SAML
authentication is set at the GlobalProtect client authenticaiton level. This setting
controls whether the GlobalProtect app uses the device's default browser for the
initial SAML or CAS authentication to the portal.
With this feature, you can select the Use Default Browser
option to use the device's default web browser (instead of the GlobalProtect
embedded browser) to complete the authentication workflow. Follow the steps below to
access this option:
- On Panorama, navigate to
![]()
- On Strata Cloud Manager, follow the steps below:
- Enable the feature flag for Use Default Browser.
- Navigate to
![]()
Post-Upgrade Behavior Logic
When upgrading from a PAN-OS version earlier than 11.1.0, the system performs a
migration check across all existing GlobalProtect agent configurations:
- If any portal agent configuration had the deprecated Use Default Browser for SAML Authentication option enabled, the new portal-wide Use Default Browser option is automatically selected after the upgrade. This is true for both Panorama and Strata Cloud Manager environments.
- If all agent configurations had the setting disabled, the Use Default Browser option will not be enabled.
Example Upgrade Scenario 1 (Default Browser is Enabled)
This scenario shows the result of a mixed configuration after migration.
| PAN-OS version 11.0.x | After upgrade to PAN-OS version 11.1.x and later |
|---|---|
Portal configuration is as follows:
Client authentication setting: SAML auth - default: os=all
With this configuration, Windows users use the embedded browser
and all other users use the default browser. |
The Use Default Browser option is automatically
enabled in the Client Authentication configuration. All users will now
start using the default browser, overriding the Windows-specific
setting.
|
Example Scenario 2 (Restoring OS-Specific Browser Behavior)
The pre-upgrade configuration for this scenario is as follows:
Agent portal settings are :
- Agent-config-windows: Embedded Browser
- Agent-config-macos: Default Browser
- Agent-config-default: Default Browser
Client authentication setting: SAML auth - default: os=all, use-default-browser=yes
(Default Browser)
After upgrading to PAN-OS 11.2.0 or later, the Use Default
Browser option is enabled in the client authentication configuration
instead of the in agent-configuration, so all users will start using the default
browser.
In order to retain the pre-upgrade behavior, set the client authentication as
follows:
- SAML auth - os=windows, use-default-browser=no (Embedded Browser)
- SAML auth - macos: os=macos, use-default-browser=yes (Default Browser)
- SAML auth - default: os=all, use-default-browser=yes (Default Browser)
These settings will enable Windows users to use the embedded browser for SAML
authentication and all other OS users to use the default browser.
Downgrade Behavior
If you downgrade the PAN-OS version from 11.1.0 to an earlier version, the
Use Default Browser configuration in the client
authentication setting will be automatically removed. You must revert to using
predeployment registry key/plist settings to manage the browser preference.
GlobalProtect gateway authentication configurations are not
affected during the upgrade or downgrade scenarios.