Embedded Web View With CIE For Force Authentication

Where Can I Use This?

What Do I Need?

GlobalProtect Subscription
PAN-OS 11.2 (or a later PAN-OS version)
GlobalProtect app 6.3.0 and later
GlobalProtect endpoints running on Windows and macOS
GlobalProtect now supports Cloud Identity Engine (CIE) SAML authentication through an embedded web view, without any pre-deployment configuration. The enhancement also supports force authentication: end users are prompted to authenticate again when the app reconnects, even while the SAML token is still valid, which helps enterprises meet security compliance requirements.

Previously, users were not prompted to re-authenticate when they reconnected to the app using the CIE authentication method. You can now configure the GlobalProtect app to prompt end users to re-enter their credentials whenever they reconnect using the CIE authentication method.

Note: A GlobalProtect app with Connect Before Logon (CBL) installed on Windows endpoints requires the use of the default browser for SAML authentication.
Use the following procedure to configure the app to prompt for re-authentication when it reconnects:

1. Configure the Cloud Identity Engine with the Force Authentication option in the authentication profile, so that users are authenticated with the CIE authentication method.

2. Configure the GlobalProtect portal by adding the authentication profile that you created.

3. Configure the GlobalProtect gateway by adding the authentication profile that you created.

4. (Optional) Configure the Authentication Override cookie.

5. Configure the GlobalProtect app to use the embedded browser for CIE authentication and to prompt the end user to re-authenticate when the app reconnects.

   a. Disable the Use Default Browser for SAML Authentication option in the app settings of the portal configuration.
      Select Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App.
      In the App Configurations area, set the Use Default Browser for SAML Authentication option to No so that the GlobalProtect app opens the embedded browser for CIE authentication. After you set this option to No, the app prompts end users to re-authenticate using CIE as the authentication method whenever it tries to reconnect.

   b. Disable the Use default browser option in the Client Authentication settings of the portal configuration.
      Select Network > GlobalProtect > Portals > <portal-config> > Authentication > <client-authentication-config>.
      Clear the Use default browser option in the Client Authentication window so that the GlobalProtect app opens the embedded browser for CIE authentication.

   c. Click OK.

6. Commit the configuration.

7. Verify the GlobalProtect logs and System logs on the firewall, and the PanGPS logs on the endpoints, to confirm that re-authentication occurs when end users reconnect to the app using the CIE authentication method.
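The following Python script is an added example, not part of this page or of any Palo Alto Networks software. It shows the SAML 2.0 mechanism behind the force-authentication behaviour described above: the ForceAuthn attribute on the AuthnRequest. It assumes (this is not stated on the page) that the Force Authentication option in the CIE authentication profile results in the service provider sending ForceAuthn="true". The request ID, issuer, ACS URL and session values are constructed sample data. The script builds a request, round-trips it through the HTTP-Redirect binding (so a SAMLRequest parameter captured from a proxy or browser log can be inspected), and models the identity provider's decision: an existing valid session is reused only when ForceAuthn is absent.

```python
"""Added example: what "force authentication" means at the SAML 2.0 level.

Assumption (not from the page): the Force Authentication option in the CIE
authentication profile leads to ForceAuthn="true" on the SAML AuthnRequest.
All identifiers below are constructed sample values.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(request_id, issuer, acs_url, issue_instant, force_authn):
    """Build a minimal SP-initiated AuthnRequest; ForceAuthn is emitted only when requested."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        root.set("ForceAuthn", "true")
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")


def encode_redirect_binding(authn_request_xml):
    """HTTP-Redirect binding: raw DEFLATE, then base64 (the SAMLRequest query parameter)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_redirect_binding(saml_request_param):
    """Inverse of encode_redirect_binding; usable on a SAMLRequest value taken from a proxy log."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")


def force_authn_requested(authn_request_xml):
    """True when the request carries ForceAuthn with an XML Schema boolean 'true' value."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a SAML AuthnRequest: {root.tag}")
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


@dataclass
class IdpSession:
    """An existing IdP login session, i.e. the reason SSO normally skips the prompt."""
    user: str
    authenticated_at: int  # Unix time
    lifetime: int          # seconds


def idp_decision(authn_request_xml, session, now):
    """Model the IdP's choice: 'prompt' (fresh credentials) or 'sso' (reuse the session).

    Per SAML 2.0 Core, ForceAuthn="true" obliges the IdP to authenticate the
    principal directly even though a valid session exists.
    """
    session_valid = (session is not None
                     and now - session.authenticated_at < session.lifetime)
    if not session_valid:
        return "prompt"
    if force_authn_requested(authn_request_xml):
        return "prompt"
    return "sso"


def reconnect_scenario(force_authn):
    """Constructed scenario: the user authenticated 5 minutes ago with an 8-hour IdP
    session, and the app now reconnects. Returns the IdP's decision."""
    now = 1_700_000_000
    session = IdpSession(user="alice@example.com",
                         authenticated_at=now - 300, lifetime=8 * 3600)
    xml = build_authn_request("_req-0001",                            # constructed
                              "https://gp-portal.example.com/sp",     # constructed
                              "https://gp-portal.example.com/acs",    # constructed
                              "2024-01-01T00:00:00Z", force_authn)
    captured = encode_redirect_binding(xml)  # what a proxy log would show
    return idp_decision(decode_redirect_binding(captured), session, now)


if __name__ == "__main__":
    print("without ForceAuthn:", reconnect_scenario(False))  # sso: user is not re-prompted
    print("with ForceAuthn:   ", reconnect_scenario(True))   # prompt: user re-authenticates
```

When checking a deployment, decode the SAMLRequest parameter the app sends on reconnect and confirm ForceAuthn="true" is present; a request without it lets the identity provider honour its existing session, which is the pre-enhancement behaviour (no re-authentication prompt) described above.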