Palo Alto Global Protect embedded browser + Shibboleth

[Jones, Steve]

Last update from my end - Palo Alto is not going to fix the embedded Global Protect browser.

I got a final update on my case and it was to indicate they'd reviewed the issue and the recommendation was to just use the default OS browser option. We're going to test and go that route.

---
Steve Jones
California State University, Sacramento

From: users <users-bounces at shibboleth.net> On Behalf Of Les LaCroix via users
Sent: Thursday, May 26, 2022 11:59 AM
To: Shib Users <users at shibboleth.net>
Cc: Les LaCroix <llacroix at carleton.edu>
Subject: Re: Palo Alto Global Protect embedded browser + Shibboleth

Interesting, and that will probably get us around the GP client problem.  The problem is more general, though.  I can replicate the behavior in Microsoft 365 desktop app logins: no GP client involved.  Our Azure tenant uses our campus SSO for login, which I think is unusual these days.  I think most sites either have Azure logins disjoint from Shib, or they have Shib configured to proxy authentication to Azure.

I know that the embedded browser has some serious javascript shortcomings. When we first rolled out SSO in the Global Protect client, it worked everywhere except with some Windows users, who got a blank browser window and couldn't proceed.  The root cause was with the javascript we used to put the keyboard focus into the Username field.  It called a method on the document class that the browser didn't implement, even though that method had been implemented virtually everywhere since 2011.  It took a long time to figure out what was broken, but then we were able to code around it.

I expect something similar is going on now.  There is likely something in the javascript that is triggering a particular interaction with the client software when you press "enter" that doesn't happen when you click "sign in".  The javascript is handled well on virtually all platforms, except in the Windows embedded browser libraries.  And the interaction it triggers causes a change in the client behavior between the current and previous releases of the GP client.

I will definitely forward David's hint to the people who configured our Palo Alto firewall.  If it works, it'll be huge.  -Les



Les LaCroix '79
Strategic Technologist
Information Technology Services
t: (507) 222-5455


On Thu, May 26, 2022 at 1:34 PM IAM David Bantz via users <mailto:users at shibboleth.net> wrote:
We’re using Palo Alto's Global Protect VPN with the client’s default browser rather than PA’s embedded browser (just now confirmed with them that there is a configuration setting on the GPN side enabling that switch). The primary motivator for them was to be able to use hardware tokens for MFA, but it has the advantages of avoiding the issue being discussed here with the embedded browser, plus of course, establishing a useful SSO session in the default browser, potentially avoiding additional prompt for credentials. Isn’t that a win-win-win - or am I missing something?

David St Pierre Bantz
U Alaska IAM

-- 
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to mailto:users-unsubscribe at shibboleth.net