As part of the security hardening improvements for connect before login deployments using SAML authentication, the behavior of the embedded browser used to communicate with the IdP has changed to prevent users from navigating to other domains. The connect before login feature now automatically adds the portal, the gateway, and the main domain of the IdP to the trusted domain list, and blocks navigation to any other domain. In cases where the IdP landing page uses additional domains (for example, to handle MFA authentication), you must manually add those additional domains as a comma-separated list to the TrustedIdPDomains registry value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL.
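The following PowerShell script is an added example of how an administrator could maintain that comma-separated list without clobbering entries already present; it is not a script from Palo Alto Networks or from the original note. It assumes TrustedIdPDomains is a string (REG_SZ) value, that the script runs from an elevated prompt, and the domain names it adds are constructed placeholders standing in for whatever extra hosts your IdP's MFA pages actually load.

```powershell
# Added example (not from the original note): append additional IdP domains to
# the GlobalProtect connect-before-login trusted domain list.
# Assumptions: TrustedIdPDomains is a REG_SZ string value; run as Administrator.

$KeyPath   = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL'
$ValueName = 'TrustedIdPDomains'

# Constructed placeholder domains for a hypothetical IdP's MFA pages.
# Replace with the hosts your IdP landing page really uses.
$AdditionalDomains = @('mfa.example.com', 'sso-assets.example.net')

# Create the CBL key if it is not present yet.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Read the current comma-separated list, if any, and split it into entries.
$existing = @()
$current = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($null -ne $current -and -not [string]::IsNullOrWhiteSpace($current.$ValueName)) {
    $existing = @(($current.$ValueName -split ',') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ })
}

# Merge old and new entries, normalize case, drop blanks and duplicates.
$merged = @(($existing + $AdditionalDomains) |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Where-Object { $_ } |
    Select-Object -Unique)

# Rebuild the comma-separated list and store it as a REG_SZ value.
$newValue = $merged -join ','
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $newValue -Type String

# Read the value back so the change is visible in the console output.
$verify = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
Write-Output "TrustedIdPDomains = $verify"
```

The portal, gateway, and main IdP domain do not need to be listed here, since the client adds them on its own; keep the list to the extra hosts the IdP landing page actually loads, so that the embedded browser's navigation restriction stays as tight as the login flow allows.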