GlobalProtect 6.2.3 and Blank Authentication Window for Connect Before Logon and SAML

FYI…just went through this with TAC. We’re doing SAML authentication with AzureAD/EntraID for our GlobalProtect Portal and Gateway. We use the same authentication profile for both portal and gateway. We recently updated to GP 6.2.3 and ran into an authentication issue with Connect Before Logon (CBL). It would go through the portal authentication just fine, but the gateway authentication was stuck at a blank embedded browser window. The workaround is:

  1. Open Registry Editor as administrator

  2. Go to: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL

  3. Inside of CBL, right click → New → String Value

     3.a. The Name will be: TrustedIdpDomains

     3.b. The Value will be: [FQDN of your gateway]

  4. Restart the computer.

Hope somebody finds this helpful.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNA4CAM

I just ran into a fun one revolving around this. There appears to be a character limit of 254 for the ‘TrustedIdpDomains’ registry value. So if you’re using Prisma Access GP and have multiple gateways (which you need to add them in order for this to work), you’ll easily run into the character limit. The “TrustedIdpDomains” can accept wildcards, but you can’t use an *. If you need to use a wildcard for the domain, just use ‘.domainname.com’ instead of ‘*.domainname.com’.

edited to clarify where the character limit appears to be
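As an added example (not code from the thread or from Palo Alto Networks), the registry workaround from the first post as a PowerShell script that also checks the two pitfalls from the reply above: the 254-character limit and the unsupported `*` wildcard. The gateway list is a placeholder, the comma separator between gateways is an assumption, and creating the CBL key when it is absent is an assumption the thread does not confirm; run it as administrator.

```powershell
# Added example, not code from the thread or from Palo Alto Networks.
# Applies the TrustedIdpDomains workaround and validates the value first.
# Assumptions: placeholder FQDNs, comma separator, and creating the CBL key
# when it is missing. Run from an elevated PowerShell session.

$KeyPath   = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\CBL'
$ValueName = 'TrustedIdpDomains'
$MaxLength = 254   # limit reported in the thread

# Placeholder gateway FQDNs. A leading '.' is the wildcard form the thread
# recommends; '*.domain' is reported not to work. Separator is an assumption.
$TrustedDomains = 'gateway1.example.com,.gp.example.com'

function Test-TrustedIdpDomains {
    param([Parameter(Mandatory)][string]$Value)
    if ($Value.Contains('*')) {
        throw "Value contains '*'; use a leading '.' for wildcards instead."
    }
    if ($Value.Length -gt $MaxLength) {
        throw "Value is $($Value.Length) characters; the reported limit is $MaxLength."
    }
    return $true
}

Test-TrustedIdpDomains -Value $TrustedDomains | Out-Null

if (-not (Test-Path -Path $KeyPath)) {
    # Assumption: creating the key is acceptable when it does not already exist.
    New-Item -Path $KeyPath -Force | Out-Null
}

# REG_SZ, matching the "String Value" step in the post (-Force overwrites).
New-ItemProperty -Path $KeyPath -Name $ValueName -Value $TrustedDomains `
    -PropertyType String -Force | Out-Null

# Read the value back to confirm, then reboot as the post's last step requires.
$written = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
Write-Host "$ValueName = $written"
Write-Host 'Restart the computer to apply the change.'
```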

Several of our users have experienced the blank SAML authentication page, but not using Connect Before Logon. In our case, our current workaround until we have a permanent fix is to simply resize the Authentication Window by dragging one of the corners, which causes the Authentication Window to render correctly.

I have a different issue on 10.1 → 10.2 upgrades where the gateway doesn’t authorize. Might try this. It complains about an empty password with certificate auth + SAML Entra ID. Weird.

6.2.3 is known to be problematic for SAML, especially for Azure SAML. It was recommended to skip that release entirely and move to 6.2.4, where the issue was fixed.

If you have a bunch of gateways with Prisma Access, do you need to add every single one? Can it be a wildcard?

We had to do the same thing for the same issue!

We have the same issue with OKTA and the embedded Microsoft Edge WebView2 window either not rendering properly or being unusable.

Quick fix was to uninstall and reinstall GP… but still the same version, 6.3… we’re still waiting for the new version with the fix for CVE-2024-5915.

What if we don’t have the CBL reg key? Do we create it?

Absolute lifesaver! I was sick of having to restart my computer every morning to get the damn thing to work.

The CBL issue was still happening on 6.2.4, and it wasn’t the preferred release when I upgraded GP at our site. Other than the CBL issue, 6.2.3 has been fine so far.

I’m not sure. Please test and let us know!

IDK…maybe GP client has never connected to a SAML GP portal or Gateway before? I’d open a case with TAC.

It has and it is working, but for a few users, they are seeing a blank MFA window, so they can’t see the number/PIN to enter into their Authenticator app.

Did you find out how to fix this?

Nope, still an issue with several users.