Palo Alto Global Protect embedded browser + Shibboleth
steve.jones at csus.edu
Wed Jun 15 17:55:33 UTC 2022
Last update from my end - Palo Alto is not going to fix the embedded Global Protect browser.
I got a final update on my case and it was to indicate they'd reviewed the issue and the recommendation was to just use the default OS browser option. We're going to test and go that route.
California State University, Sacramento
From: users <users-bounces at shibboleth.net> On Behalf Of Les LaCroix via users
Sent: Thursday, May 26, 2022 11:59 AM
To: Shib Users <users at shibboleth.net>
Cc: Les LaCroix <llacroix at carleton.edu>
Subject: Re: Palo Alto Global Protect embedded browser + Shibboleth
Interesting, and that will probably get us around the GP client problem. The problem is more general, though. I can replicate the behavior in Microsoft 365 desktop app logins: no GP client involved. Our Azure tenant uses our campus SSO for login, which I think is unusual these days. I think most sites either have Azure logins disjoint from Shib, or they have Shib configured to proxy authentication to Azure.
I will definitely forward David's hint to the people who configured our Palo Alto firewall. If it works, it'll be huge. -Les
Les LaCroix '79
Information Technology Services
t: (507) 222-5455
On Thu, May 26, 2022 at 1:34 PM IAM David Bantz via users <mailto:users at shibboleth.net> wrote:
We’re using Palo Alto's Global Protect VPN with the client’s default browser rather than PA’s embedded browser (just now confirmed with them that there is a configuration setting on the GPN side enabling that switch). The primary motivator for them was to be able to use hardware tokens for MFA, but it has the advantages of avoiding the issue being discussed here with the embedded browser, plus of course, establishing a useful SSO session in the default browser, potentially avoiding additional prompt for credentials. Isn’t that a win-win-win - or am I missing something?
David St Pierre Bantz
U Alaska IAM
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to mailto:users-unsubscribe at shibboleth.net
More information about the users