| Where Can I Use This? | What Do I Need? |
| --- | --- |
| - NGFW (managed by Panorama or Strata Cloud Manager)<br>- Prisma Access (managed by Panorama or Strata Cloud Manager) | |
Starting with PAN-OS version 11.1.0, the browser selection for SAML authentication is
set at the GlobalProtect client authentication configuration. This setting controls
whether the GlobalProtect app uses the device's default browser or the GlobalProtect
embedded browser for the SAML or CAS authentication to the portal. The new setting
takes precedence over the now deprecated agent config setting.
To specify the browser, follow the steps below:
- On Panorama:
  - Navigate to
  - Select the Use Default Browser option to use the default browser for the SAML or CAS authentication. Leave the checkbox unselected to use the embedded browser.
  - Commit and push your updates.
- The Use Default Browser option is hidden under a feature flag on Strata Cloud Manager environments. Reach out to your customer support representative to enable it. Then follow the steps below.
  - Navigate to
  - Select the Use Default Browser option to use the default browser for the SAML or CAS authentication. Leave the checkbox unselected to use the embedded browser.
  - Commit and push your updates.
Post-Upgrade Behavior Logic
When you upgrade from an earlier PAN-OS version to 11.1.0 or later, the system
performs a check across all existing GlobalProtect agent configurations:
- If one or more portal agent configurations had the deprecated Use
Default Browser for SAML Authentication option enabled, the
new Use Default Browser option is automatically
selected after the upgrade. This is true for both Panorama and Strata Cloud
Manager environments.
- If all portal agent configurations had the Use Default Browser
for SAML Authentication setting disabled, the Use
Default Browser option is unchecked for all client
authentication configurations after the upgrade.
Example Upgrade Scenario 1 (Default Browser is Enabled)
This scenario shows the result of a mixed configuration after migration.
| PAN-OS version 11.0.x or earlier | After upgrade to PAN-OS version 11.1.x and later |
| --- | --- |
| Portal configuration () is as follows:<br>- Agent-config-windows: Embedded Browser<br>- Agent-config-macos: Default Browser<br>- Agent-config-default: Default Browser<br><br>Client authentication setting (): SAML auth - default: os=all<br><br>With this configuration, Windows users use the embedded browser and all other users use the default browser. | The Use Default Browser option is automatically enabled in the Client Authentication configuration. All users will now start using the default browser, overriding the Windows-specific setting. |
Example Scenario 2
| PAN-OS version 11.0.x or earlier | After upgrade to PAN-OS version 11.1.x and later |
| --- | --- |
| Portal configuration () is as follows:<br>- Agent-config-windows: Embedded Browser<br>- Agent-config-macos: Default Browser<br>- Agent-config-default: Default Browser<br><br>Client authentication setting (): SAML auth - default: os=all, use-default-browser=yes (Default Browser) | The Use Default Browser option has precedence over the agent-configuration setting. All users will now start using the default browser. |
In order to retain the pre-upgrade behavior, set the client authentication as
follows:
- SAML auth - windows: os=windows, use-default-browser=no (Embedded Browser)
- SAML auth - macos: os=macos, use-default-browser=yes (Default Browser)
- SAML auth - default: os=all, use-default-browser=yes (Default Browser)
These settings will enable Windows users to use the embedded browser for SAML
authentication and all other OS users to use the default browser.
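The upgrade rule and the retention settings above, modeled as an added Python example (not Palo Alto Networks code). The `AgentConfig` fields and the function names are hypothetical; the sample data is constructed to match Example Upgrade Scenario 1, and the example assumes each agent configuration applies to a single OS or to all.

```python
# Added illustration of the upgrade rule described on this page.
# The data model (name, os, default_browser) is an assumption, not the PAN-OS schema.
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentConfig:
    name: str
    os: str                # "windows", "macos", ... or "all" for the catch-all
    default_browser: bool  # deprecated "Use Default Browser for SAML Authentication"

def post_upgrade_flag(agent_configs):
    """New Use Default Browser value: selected if ANY agent config had it enabled."""
    return any(c.default_browser for c in agent_configs)

def behavior_changes(agent_configs):
    """Names of agent configs whose users switch browser after the upgrade."""
    flag = post_upgrade_flag(agent_configs)
    return [c.name for c in agent_configs if c.default_browser != flag]

def retention_entries(agent_configs):
    """Per-OS client authentication entries that keep the pre-upgrade behavior.
    OS-specific entries are listed first, the os=all entry last."""
    by_os = {}
    for c in agent_configs:
        # Two configs for the same OS with different settings cannot be
        # expressed as a single per-OS entry; surface that for manual review.
        if by_os.setdefault(c.os, c.default_browser) != c.default_browser:
            raise ValueError(f"conflicting browser settings for os={c.os}")
    ordered = sorted(by_os.items(), key=lambda item: item[0] == "all")
    return [
        f"SAML auth - {'default' if os_name == 'all' else os_name}: os={os_name}, "
        f"use-default-browser={'yes' if enabled else 'no'}"
        for os_name, enabled in ordered
    ]

# Constructed sample matching Example Upgrade Scenario 1.
SCENARIO_1 = [
    AgentConfig("Agent-config-windows", "windows", False),
    AgentConfig("Agent-config-macos", "macos", True),
    AgentConfig("Agent-config-default", "all", True),
]

if __name__ == "__main__":
    print("Use Default Browser after upgrade:", post_upgrade_flag(SCENARIO_1))
    print("Behavior changes for:", behavior_changes(SCENARIO_1))
    for line in retention_entries(SCENARIO_1):
        print(" ", line)
```

Running this against an inventory taken before the upgrade shows which user populations would silently move from the embedded browser to the default browser.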
Downgrade Behavior
If you downgrade the PAN-OS version from 11.1.0 to an earlier version, the
Use Default Browser configuration in the client
authentication setting will be automatically removed. You must revert to using the
portal agent option Use Default Browser for SAML
Authentication.
GlobalProtect gateway authentication configurations are not
affected during the upgrade or downgrade scenarios. Client use of default/embedded
browser for SAML authentication is controlled via the portal settings.