goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

SAML authentication is not working on embedded browser (Palo Alto GlobalProtect app). #8396

Open anburhce opened 5 months ago

anburhce commented 5 months ago

Hi,

I have enabled SAML 2.0 authentication between Palo Alto GlobalProtect and Authentik.

It is working perfectly fine on any browser (Firefox, MS Edge, Chrome, etc.).

But when I use the GlobalProtect client app on Windows, it is not working. It says "You are redirected to Embedded browser to authenticate and connect" and I do not get the login page of Authentik in the GlobalProtect popup.

I have attached all the screenshots.

So I suspect that since it is an embedded browser, it is failing. Kindly help to resolve this issue soon.

[Screenshots attached: authentik-version-image, global-protect-error-page, server-docker-container-error-logs]

Docker container logs:

```
{"auth_via": "secret_key", "event": "/api/v3/crypto/certificatekeypairs/7f3af5bd-48a4-44e5-a1a4-4628f8a34349/", "host": "0.0.0.0:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 20, "remote": "127.0.0.1", "request_id": "6e3227ed395e4c84bb63ac86baebbe72", "runtime": 81, "scheme": "http", "status": 200, "timestamp": "2024-02-02T15:59:28.823400", "user": "ak-outpost-8594f884db8c4a8c83fe9cf19db58907", "user_agent": "goauthentik.io/outpost/2023.10.7"}
{"event":"Fingerprint hasn't changed, not fetching cert","level":"info","logger":"authentik.outpost.cryptostore","timestamp":"2024-02-02T21:29:28+05:30","uuid":"7f3af5bd-48a4-44e5-a1a4-4628f8a34349"}
{"auth_via": "secret_key", "event": "/api/v3/crypto/certificatekeypairs/7f3af5bd-48a4-44e5-a1a4-4628f8a34349/", "host": "0.0.0.0:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 20, "remote": "127.0.0.1", "request_id": "38e40b31caaf4a969ae9fc9292e5343e", "runtime": 82, "scheme": "http", "status": 200, "timestamp": "2024-02-02T15:59:29.132818", "user": "ak-outpost-8594f884db8c4a8c83fe9cf19db58907", "user_agent": "goauthentik.io/outpost/2023.10.7"}
{"event":"Fingerprint hasn't changed, not fetching cert","level":"info","logger":"authentik.outpost.cryptostore","timestamp":"2024-02-02T21:29:29+05:30","uuid":"7f3af5bd-48a4-44e5-a1a4-4628f8a34349"}
{"auth_via": "unauthenticated", "event": "/application/saml/247-san-gp/sso/binding/redirect/?SAMLRequest=lVJBTsMwEPxK5Hvq4DhKazWRQnugUhFREzhwQa7rNhaJbbwO8HyStIhyQULai7WzM7PjXQLvWsuK3jd6J996CT747FoNbGpkqHeaGQ4KmOadBOYFq4r7LSOziFlnvBGmRUEBIJ1XRq%2BMhr6TrpLuXQn5uNtmqPHeAsPYNvbj2Ajj7IzQNFRazITpGKUxHilJhKsSF6sKBevBhtJ8JPwZBzAhH3xK7dXrNQPm1rZKTHA82sZjE7gOT3acwnulD0qfsJMH5aTwGAWbdYZeYpFKuU%2FnQsbzeEG5EAlNor1ICT3SBT8OMIBebjR4rn2GSERoGJGh6puEJQtG5s8oKC8p3J5V%2Fo7sYgXYXV2XYflQ1Sh4kg6mTQcAypfjBmwSdldf8Tct%2F84f5f9Je4mvxPLz6%2Fcx5F8%3D&RelayState=KV0AANeXjWU5OTQzMTFiMC1mNTdiLTQ4M2EtOGJjMi1jMTZkMDgxMzEzODYw", "host": "sso-authentik.247-inc.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 20, "remote": "10.224.132.146", "request_id": "64e957765fff40e4bac5b93aaf9abb78", "runtime": 19, "scheme": "https", "status": 302, "timestamp": "2024-02-02T15:59:29.188295", "user": "", "user_agent": "PAN GlobalProtect/6.2.2-259 (Microsoft Windows 10 Pro , 64-bit) Mozilla/5.0 (Windows NT 6.2; Win64; x64; Trident/7.0; rv:11.0) like Gecko"}
{"auth_via": "unauthenticated", "event": "/flows/-/default/authentication/?next=/application/saml/247-san-gp/sso/binding/redirect/%3FSAMLRequest%3DlVJBTsMwEPxK5Hvq4DhKazWRQnugUhFREzhwQa7rNhaJbbwO8HyStIhyQULai7WzM7PjXQLvWsuK3jd6J996CT747FoNbGpkqHeaGQ4KmOadBOYFq4r7LSOziFlnvBGmRUEBIJ1XRq%252BMhr6TrpLuXQn5uNtmqPHeAsPYNvbj2Ajj7IzQNFRazITpGKUxHilJhKsSF6sKBevBhtJ8JPwZBzAhH3xK7dXrNQPm1rZKTHA82sZjE7gOT3acwnulD0qfsJMH5aTwGAWbdYZeYpFKuU%252FnQsbzeEG5EAlNor1ICT3SBT8OMIBebjR4rn2GSERoGJGh6puEJQtG5s8oKC8p3J5V%252Fo7sYgXYXV2XYflQ1Sh4kg6mTQcAypfjBmwSdldf8Tct%252F84f5f9Je4mvxPLz6%252Fcx5F8%253D%26RelayState%3DKV0AANeXjWU5OTQzMTFiMC1mNTdiLTQ4M2EtOGJjMi1jMTZkMDgxMzEzODYw", "host": "sso-authentik.247-inc.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 20, "remote": "10.224.132.146", "request_id": "9c8246ae5862420ba0c8c412ac80595a", "runtime": 24, "scheme": "https", "status": 302, "timestamp": "2024-02-02T15:59:29.253755", "user": "", "user_agent": "PAN GlobalProtect/6.2.2-259 (Microsoft Windows 10 Pro , 64-bit) Mozilla/5.0 (Windows NT 6.2; Win64; x64; Trident/7.0; rv:11.0) like Gecko"}
{"auth_via": "unauthenticated", "event": "/if/flow/default-authentication-flow/?next=%2Fapplication%2Fsaml%2F247-san-gp%2Fsso%2Fbinding%2Fredirect%2F%3FSAMLRequest%3DlVJBTsMwEPxK5Hvq4DhKazWRQnugUhFREzhwQa7rNhaJbbwO8HyStIhyQULai7WzM7PjXQLvWsuK3jd6J996CT747FoNbGpkqHeaGQ4KmOadBOYFq4r7LSOziFlnvBGmRUEBIJ1XRq%252BMhr6TrpLuXQn5uNtmqPHeAsPYNvbj2Ajj7IzQNFRazITpGKUxHilJhKsSF6sKBevBhtJ8JPwZBzAhH3xK7dXrNQPm1rZKTHA82sZjE7gOT3acwnulD0qfsJMH5aTwGAWbdYZeYpFKuU%252FnQsbzeEG5EAlNor1ICT3SBT8OMIBebjR4rn2GSERoGJGh6puEJQtG5s8oKC8p3J5V%252Fo7sYgXYXV2XYflQ1Sh4kg6mTQcAypfjBmwSdldf8Tct%252F84f5f9Je4mvxPLz6%252Fcx5F8%253D%26RelayState%3DKV0AANeXjWU5OTQzMTFiMC1mNTdiLTQ4M2EtOGJjMi1jMTZkMDgxMzEzODYw", "host": "sso-authentik.247-inc.com", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 20, "remote": "10.224.132.146", "request_id": "143b27b74b424829ac2e7b6916b971c3", "runtime": 24, "scheme": "https", "status": 200, "timestamp": "2024-02-02T15:59:29.314179", "user": "", "user_agent": "PAN GlobalProtect/6.2.2-259 (Microsoft Windows 10 Pro , 64-bit) Mozilla/5.0 (Windows NT 6.2; Win64; x64; Trident/7.0; rv:11.0) like Gecko"}
{"auth_via": "unauthenticated", "event": "/-/health/live/", "host": "localhost:8000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 20, "remote": "255.255.255.255", "request_id": "2e9a9f25554e454d9449ceffdd327be0", "runtime": 11, "scheme": "http", "status": 204, "timestamp": "2024-02-02T15:59:48.851913", "user": "", "user_agent": "goauthentik.io/router/healthcheck"}
{"event":"updating tenant certificates","level":"info","logger":"authentik.router.tenant_tls","timestamp":"2024-02-02T21:29:49+05:30"}
{"auth_via": "secret_key", "event": "/api/v3/core/tenants/", "host": "0.0.0.0:9000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 20, "remote": "127.0.0.1", "request_id": "b3734698e94749fba69b689ead0928bc", "runtime": 32, "scheme": "http", "status": 200, "timestamp": "2024-02-02T15:59:49.478550", "user": "ak-outpost-8594f884db8c4a8c83fe9cf19db58907", "user_agent": "goauthentik.io/outpost/2023.10.7"}
```

karienverster commented 3 months ago

I'm not sure if anyone found an answer to this, but we recently ran into something that appeared similar to your issue above, except that we use SAML with Azure.

After we did some expensive testing, we found the issue was due to some security change within Microsoft Azure. Our guest accounts were not working; however, our internal accounts (and any other official MS 365 accounts) were working just fine. If an account was not using an official MS tenant and was just, say, a Google account or a live.com account, it would result in a blank GP screen and would not progress to authentication. There wouldn't even be any logs on the GP client during this freeze either.

The eventual solution was to configure the SAML authentication on the GP agent to use the default browser, and not use the embedded browser (which is IE anyway, so technically not supported on devices anymore). We even contacted TAC regarding this, and they also recommended using the embedded browser instead, after not being able to solve the issue.
This opened up all sorts of issues again, as now we need to make sure the users:
1. are logged in with their correct account for GP access, and
2. have the browser active on screen with the correct account logged in during the GP client connection process.

If a user happened to have another browser active while trying to connect to GP, logged in with a different account than the one they needed for GP, then it would try to use the incorrect account and the process would fail. There is no choice given to the user to pick another account.

It seems the idea is to make the process seamless for the user; however, if they have more than one account in their browser, this causes issues.

Either way, try the default browser setting in the GP Agent tab. This might work for your situation too.

authentik-automation[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

AngelFonseca88 commented 1 month ago

Hello,

I am not sure if you are still having this problem, but I wanted to chime in that we were also having problems with the embedded browser and found a post on Reddit which recommended upgrading to GP 6.2.3 and it fixed the issues we were having.

Reference to Reddit post is here: https://www.reddit.com/r/paloaltonetworks/comments/swcnm0/globalprotect_and_the_embedded_browser_in_a/

Look for the comment from "Fearless_Garlic_3054" regarding new features for GP, "Embedded Browser Framework Upgrade", as part of GP 6.2.3 (released on 2024-04-10).

J5andi5n0t commented 1 month ago

> Hello,
>
> I am not sure if you are still having this problem, but I wanted to chime in that we were also having problems with the embedded browser and found a post on Reddit which recommended upgrading to GP 6.2.3 and it fixed the issues we were having.
>
> Reference to Reddit post is here: https://www.reddit.com/r/paloaltonetworks/comments/swcnm0/globalprotect_and_the_embedded_browser_in_a/
>
> Look for the comment from "Fearless_Garlic_3054" regarding new features for GP, "Embedded Browser Framework Upgrade", as part of GP 6.2.3 (released on 2024-04-10).

I was going to post this for others to see after our testing today, but you beat me to it. Have verified this along with @AngelFonseca88 on various devices, both corporate and personal, with various credentials, on various portals.

At this time 6.2.2 is still the "preferred" release directly from Palo for Windows x64, so YMMV if you use 6.2.3, as it was only released 4/10/24, but it seems to have solved our "White Screen of Frustration" problem where you wouldn't be passed along for authentication. Just as an FYI regarding the Reddit post @AngelFonseca88 referenced earlier: we do not have Prisma in our environment, but it still seemed to solve our GP/SAML issue.

Outstanding find @AngelFonseca88 and outstanding post by u/Fearless_Garlic_3054 over on Reddit.

Hope this helps someone!