Where Can I Use This? | What Do I Need?
                      | GlobalProtect Subscription
                      | PAN-OS 11.2 (or a later PAN-OS version)
                      | GlobalProtect app 6.0.9 and later, or 6.2.3 and later
                      | GlobalProtect endpoints running on Windows and macOS
GlobalProtect now supports Cloud Identity Engine (CIE) SAML authentication using an
embedded web view, with no pre-deployment configuration on the endpoint. The
enhancement also supports forced authentication (the SAML ForceAuthn option): end
users can be required to authenticate again when reconnecting to the app, even while
the existing SAML token is still valid, which helps enterprises meet security
compliance requirements that call for a fresh login on every connection.
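What "forced authentication" means on the wire, and the check a service provider should run on the IdP's answer, as an added example that is not part of the GlobalProtect documentation or product code. The SP entity ID, ACS URL and IdP URL are placeholders, the SAML Response is a constructed sample rather than a captured message, and XML signature validation (which a real SP must do before anything else) is deliberately out of scope. The point it shows: an AuthnRequest with ForceAuthn="true" asks the IdP to prompt even though it holds a live session, and the assertion's AuthnInstant is how the SP can tell whether the IdP actually did so or silently reused the old session.

```python
"""Added example (not GlobalProtect code): SAML ForceAuthn request plus a
freshness check on the IdP response. All URLs and IDs are placeholders."""
from datetime import datetime, timedelta, timezone
import uuid
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ET.register_namespace("samlp", NS["samlp"])
ET.register_namespace("saml", NS["saml"])

SP_ENTITY_ID = "https://gp-portal.example.com/saml/metadata"  # placeholder
ACS_URL = "https://gp-portal.example.com/SAML20/SP/ACS"         # placeholder
IDP_SSO_URL = "https://idp.example.com/sso"                     # placeholder


def _iso(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(issue_instant, force_authn):
    """Return (request_id, xml) for a SAML 2.0 AuthnRequest.

    ForceAuthn="true" tells the IdP to re-authenticate the user even if it
    still holds a valid session; without it the IdP may answer from its
    session cookie and the user never sees a prompt.
    """
    request_id = "_" + uuid.uuid4().hex
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": _iso(issue_instant),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "ForceAuthn": "true" if force_authn else "false",
    })
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = SP_ENTITY_ID
    return request_id, ET.tostring(root, encoding="unicode")


def check_forced_reauth(response_xml, request_id, request_issue_instant):
    """Return (ok, reason) for an IdP Response to a ForceAuthn request.

    InResponseTo must tie the response to our request, the status must be
    Success, and AuthnInstant (when the IdP actually authenticated the user)
    must not predate our request. An earlier AuthnInstant means the IdP
    reused an existing session and ignored ForceAuthn.
    """
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != request_id:
        return False, "InResponseTo does not match our AuthnRequest ID"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        return False, "IdP did not return Success"
    stmt = root.find("saml:Assertion/saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no AuthnStatement in assertion"
    if _parse_iso(stmt.get("AuthnInstant")) < request_issue_instant:
        return False, "AuthnInstant predates the request: session reused, ForceAuthn ignored"
    return True, "fresh authentication confirmed"


def sample_response(request_id, authn_instant):
    """Constructed, unsigned IdP Response used as sample input."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="{_iso(authn_instant)}"
  InResponseTo="{request_id}" Destination="{ACS_URL}">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_iso(authn_instant)}">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="{_iso(authn_instant)}" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Reconnect scenario: the IdP session from an 08:00 login is still
    valid; the 10:00 reconnect sends ForceAuthn and we verify the answer."""
    first_login = datetime(2024, 6, 1, 8, 0, 0, tzinfo=timezone.utc)
    reconnect = first_login + timedelta(hours=2)
    req_id, _ = build_authn_request(reconnect, force_authn=True)
    # Honoured: the IdP prompted again, AuthnInstant follows the reconnect request.
    honoured = check_forced_reauth(
        sample_response(req_id, reconnect + timedelta(seconds=5)), req_id, reconnect)
    # Ignored: the IdP answered from the 08:00 session without prompting.
    ignored = check_forced_reauth(sample_response(req_id, first_login), req_id, reconnect)
    return honoured[0], ignored[0]


if __name__ == "__main__":
    print(demo())
```

The AuthnInstant comparison is the check worth keeping in a real SP: a token that is valid is not the same as a user who just proved their identity, and an IdP that quietly ignores ForceAuthn defeats the compliance goal the re-authentication setting exists for.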
The embedded browser framework for SAML authentication has been upgraded to Microsoft
Edge WebView2 on Windows and WKWebView on macOS, which gives a consistent experience
between the embedded browser and the GlobalProtect app. By default, tenants that use
SAML authentication are configured to use the embedded WebView2 (Windows) or WKWebView
(macOS) instead of the system default browser. Because the login page is rendered
inside the app, there is no need to configure a SAML landing page and end users no
longer have to close a browser window manually after authenticating, which
streamlines the authentication process.
In a Microsoft Entra joined environment with SSO enabled, users are not required to
enter their credentials to authenticate to Prisma Access through GlobalProtect. This
seamless experience applies whether the user is logging in to their environment for
the first time or has logged in before. If an error occurs during authentication, it
is displayed in the embedded browser. This authentication process works across all
device states.
In an environment that is not Entra joined but has SSO enabled, users must enter their
credentials during the initial login. On subsequent logins the embedded browser reuses
the existing SAML identity provider (IdP) session, so the credentials are filled in
automatically as long as that IdP session is still active and has not timed out.
Cross-Boundary Login (CBL) with GlobalProtect for Windows is the exception: it
requires the system default browser for SAML authentication and does not use the
embedded browser.
Use the following procedure to configure the app to prompt users to re-authenticate
when they reconnect to the app: