Intermediate Certificate Authority Expiry impacting WF-500 WildFire Private Cloud and URL Filtering Private Cloud appliances
    1. Home
    2. GlobalProtect
    3. GlobalProtect™ App New Features Guide
    4. New Features Released in GlobalProtect App 5.2
    5. Default System Browser for SAML Authentication

    Default System Browser for SAML Authentication

    Software Support
    : Starting with GlobalProtect™ app 5.2 with Content Release version 8284-6139 or later and running PAN-OS 8.1.17, 9.0.11, 9.1.6, and 10.0.0 releases. If GlobalProtect app 5.1.x or an earlier release is running, the app will open an embedded browser in the GlobalProtect app.
    OS Support
    : Windows (requires Windows Installer [Msiexec] setting changes), macOS (requires property lists [plists] changes), Linux (XML file changes), iOS (requires MDM setting changes), and Android (requires MDM setting changes)
    Browser Support
    : Windows (Chrome, Edge, Internet Explorer, and Firefox), macOS (Safari, Chrome, and Firefox), Android (Chrome), iOS (Safari), and Linux (Firefox and Chrome)
    If you have configured the GlobalProtect portal to authenticate end users through Security Assertion Markup Language (SAML) authentication, end users can now connect to the app or other SAML-enabled applications without having to re-enter their credentials, for a seamless single sign-on (SSO) experience. End users can benefit from using the default system browser for SAML authentication because they can leverage the same login for GlobalProtect with their saved user credentials on the default system browser such as Chrome, Firefox, or Safari.
    In addition, on any browser that supports the Web Authentication (WebAuthn) API, you can use the Univeral 2nd Factor (U2F) security tokens such as YubiKeys for multi-factor authentication (MFA) to identify providers (ldPs) such as Onelogin or Okta.
    1. Change the pre-deployed settings, on Windows, macOS, Linux, and Android, and iOS endpoints to use the default system browser for SAML authentication.
      You must set the pre-deployed settings on the end user endpoints before you can enable the default system browser for SAML authentication. GlobalProtect retrieves these entries only once, when the GlobalProtect app initializes.
      If there is no pre-deployed value specified on the end users’ Windows or macOS endpoints when using the default system browser for SAML authentication, the
      Use Default Browser for SAML Authentication
       option is set to
      Yes
       in the portal configuration, and users upgrade the app from release 5.0.x or release 5.1.x to release 5.2.0 for the first time, the app will open an embedded browser instead of the default system browser. After users connect to the GlobalProtect app and the
      Use Default Browser for SAML Authentication
       option is set to
      Yes
       in the portal configuration, the app will open the default system browser on Windows and macOS endpoints at the next login.
      If the
      default browser
       value is set to
      Yes
       in the pre-deployed setting of the client machine and the
      Use Default Browser for SAML Authentication
       option is set to
      No
       in the portal configuration, end users will not have the best user experience. The app will open the default system browser for SAML authentication for the first time. Because the default browser values differ between the client machine and the portal, the app detects a mismatch and opens an embedded browser at the next login.
      The
      Use Default Browser for SAML Authentication
       option of the Globalprotect portal and the pre-deployed settings in the end user machine must have the same value to provide the best user experience.
    2. Set up SAML authentication to authenticate end users.
      In order for the default system browser for SAML authentication to not open multiple tabs for each connection, we recommend that you configure an authentication override. For more information, see Cookie Authentication on the Portal or Gateway.
    3. Enable the GlobalProtect app so that end users can leverage the same login for GlobalProtect and their default system browser for SAML authentication.
      1. Select
        Network
        GlobalProtect
        Portals
        <portal-config>
        Agent
        <agent-config>
        App
        Use Default Browser for SAML Authentication
        .
      2. Select
        Yes
         to enable the GlobalProtect app to open the default system browser for SAML authentication.
        If single-sign-on (SSO) is enabled, we recommend that you disable it. Set
        Use Single Sign-On (Windows)
         or
        Use Single Sign-On (macOS)
         to
        No
         to disable single sign-on when using the default system browser for SAML authentication.
    4. Click
      OK
       twice.
    5. Commit
       the configuration.
    6. Verify that end users can successfully authenticate to the ldP using their saved credentials.
      1. Select
        Refresh Connection
        ,
        Connect
        , or
        Enable
         on the GlobalProtect app to initiate the connection.
        A new tab on the default browser of the system will open for SAML authentication.
      2. Login using the username and password to authenticate on the ldP. For example:
      3. After end users can successfully authenticate on the ldP, click
        Open GlobalProtect
        .
      4. Connect to the GlobalProtect app or other SAML-enabled applications without re-entering the user credentials.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo