NGFW (managed by Panorama or Strata Cloud Manager)
Prisma Access (managed by Panorama or Strata Cloud Manager)
PAN-OS 11.1.0 and later
For earlier PAN-OS versions, use the predeployment registry key/plist setting
GlobalProtect 6.0.x, 6.1.x, 6.2.x, or 6.3.x
GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription
Starting with PAN-OS version 11.1.0, the browser selection for SAML authentication is
set at the GlobalProtect client authentication configuration. This setting controls
whether the GlobalProtect app uses the device's default browser or the GlobalProtect
embedded browser for the SAML or CAS authentication to the portal.
To specify the browser, follow the steps below:
On Panorama:
Navigate to Network > GlobalProtect > Portals > <portal-config> > Authentication > <client-authentication-config>
Select the Use Default Browser option to use
the default browser for the SAML or CAS authentication. Leave the
checkbox unselected to use the embedded browser.
Commit and push your updates.
The Use Default Browser option is hidden under a
feature flag on Strata Cloud Manager environments. Reach out to your
customer support representative to enable it. Then follow the steps
below.
Navigate to Configuration > NGFW and Prisma Access > Configuration Scope > GlobalProtect > Infrastructure > Add Authentication
Select the Use Default Browser option to use
the default browser for the SAML or CAS authentication. Leave the
checkbox unselected to use the embedded browser.
Commit and push your updates.
Post-Upgrade Behavior Logic
When you upgrade from an earlier PAN-OS version to 11.1.0 or later, the system
performs a check across all existing GlobalProtect agent configurations:
If one or more portal agent configurations had the deprecated Use
Default Browser for SAML Authentication option enabled, the
new Use Default Browser option is automatically
selected after the upgrade. This is true for both Panorama and Strata Cloud
Manager environments.
If all portal agent configurations had the Use Default Browser
for SAML Authentication setting disabled, the Use
Default Browser option is unchecked for all client
authentication configurations after the upgrade.
Example Upgrade Scenario 1 (Default Browser is Enabled)
This scenario shows the result of a mixed configuration after migration.
PAN-OS version 11.0.x or earlier:
Portal configuration (Network > GlobalProtect > Portals > Agent > <agent> > App) is as follows:
With this
configuration, Windows users use the embedded browser and all other
users use the default browser.
After upgrade to PAN-OS version 11.1.x and later:
The Use Default Browser option is automatically
enabled in the Client Authentication configuration. All users will now
start using the default browser, overriding the Windows-specific
setting.
Example Scenario 2
PAN-OS version 11.0.x or earlier:
Portal configuration (Network > GlobalProtect > A > Agent > <agent> > App) is as follows:
After upgrade to PAN-OS version 11.1.x and later:
The Use Default Browser option is automatically
enabled in the Client Authentication configuration. All users will now
start using the default browser.
In order to retain the pre-upgrade behavior, set the client authentication as
follows:
These settings will enable Windows users to use the embedded browser for SAML
authentication and all other OS users to use the default browser.
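The post-upgrade rule and Scenario 1 above can be checked against an inventory of agent configurations before upgrading. This is an added example, not Palo Alto Networks code: the AgentConfig model, its field names, the OS-keyed retain plan, and the sample data are constructed for illustration and do not reflect a PAN-OS schema or API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentConfig:
    # Constructed model of a pre-upgrade portal agent config, not a PAN-OS schema.
    name: str
    os: str                 # OS the agent config applies to, e.g. "Windows" or "Any"
    default_browser: bool   # deprecated "Use Default Browser for SAML Authentication"

def browser(use_default):
    return "default" if use_default else "embedded"

def post_upgrade_value(configs):
    # Migration rule from the page: the new option is selected if one or more
    # agent configs had the deprecated option enabled, otherwise it is unchecked.
    return any(c.default_browser for c in configs)

def behavior_changes(configs):
    # Agent configs whose users get a different SAML/CAS browser after the upgrade.
    after = post_upgrade_value(configs)
    return [(c.name, c.os, browser(c.default_browser), browser(after))
            for c in configs if c.default_browser != after]

def retain_plan(configs):
    # Per-OS client authentication values that reproduce pre-upgrade behavior.
    # Assumption: an OS whose agent configs disagree cannot be expressed by an
    # OS-only setting, so it is returned separately for manual review.
    seen = {}
    for c in configs:
        seen.setdefault(c.os, set()).add(c.default_browser)
    plan = {os_: next(iter(vals)) for os_, vals in seen.items() if len(vals) == 1}
    conflicts = sorted(os_ for os_, vals in seen.items() if len(vals) > 1)
    return plan, conflicts

# Constructed sample matching Scenario 1: Windows embedded, everyone else default.
SCENARIO_1 = [
    AgentConfig("win-users", "Windows", False),
    AgentConfig("other-users", "Any", True),
]

if __name__ == "__main__":
    print("post-upgrade Use Default Browser:", post_upgrade_value(SCENARIO_1))
    for name, os_, before, after in behavior_changes(SCENARIO_1):
        print(f"{name} ({os_}): {before} -> {after}")
    print("retain plan:", retain_plan(SCENARIO_1))
```

Any entry returned by behavior_changes is a user population whose SAML or CAS flow moves between the embedded and default browser at upgrade time and should be reviewed before the commit.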
Downgrade Behavior
If you downgrade the PAN-OS version from 11.1.0 to an earlier version, the
Use Default Browser configuration in the client
authentication setting will be automatically removed. You must revert to using the
portal agent option Use Default Browser for SAML
Authentication.
GlobalProtect gateway authentication configurations are not
affected during the upgrade or downgrade scenarios.