CIE (SAML) Authentication using Embedded Web-view
Focus
Focus
GlobalProtect

CIE (SAML) Authentication using Embedded Web-view

Table of Contents

CIE (SAML) Authentication using Embedded Web-view

Embedded Web View With CIE For Force Authentication
Where Can I Use This?What Do I Need?
  • GlobalProtect Subscription
  • PAN-OS 11.2 (or a later PAN-OS version)
  • GlobalProtect app 6.3.0 and later
  • GlobalProtect endpoints running on Windows and macOS
GlobalProtect now supports CIE (SAML) authentication using embedded web-view without using any pre-deployment configuration. The enhancement also supports force authentication and enables end users to authenticate again while reconnecting to the app even when the SAML token remains valid and helps enterprises to achieve security compliance.
Previously, users were not prompted to re-authenticate when they tried to reconnect to the app using the CIE authentication method. You can now configure the GlobalProtect app to prompt the end users to reenter their credentials to authenticate whenever they reconnect the GlobalProtect app using the Cloud Identity Engine (CIE) authentication method.
GlobalProtect app with Connect Before Logon (CBL) installed on Windows endpoints requires the use of the default browser for SAML authentication.
Use the following procedure to configure the app to prompt to re-authenticate while reconnecting to the app:
  1. Configure cloud identity engine with Force authentication option in the authentication profile to authenticate users with the CIE authentication method.
  2. Configure GlobalProtect portal by adding the authentication profile that you created.
  3. Configure GlobalProtect gateway by adding the authentication profile that you created.
  4. (Optional)Configure Authentication override cookie.
  5. Configure the GlobalProtect app to use the embedded browser for CIE authentication and prompt the end user to reauthenticate when the app is reconnected.
    1. Disable the Use Default Browser for SAML Authentication option in the app settings of the portal configuration
      1. Select NetworkGlobalProtectPortals<portal-config>Agent<agent-config>App.
      2. In the App Configurations area, set Use Default Browser for SAML Authentication option to No to enable the GlobalProtect app to open the embedded browser for CIE authentication. After you set the option as No and when the GlobalProtect app tries to reconnect, the app prompts the end users to reauthenticate using CIE as the authentication method.
    2. Disable the Use default browser for embedded browser option in the Client Authentication settings of the portal configuration.
      1. Select NetworkGlobalProtectPortals<portal-config>Authentication<client-authentication-config> .
      2. Disable (clear) the Use default browser option in the Client Authentication window in order to enable the GlobalProtect app to open the embedded browser for CIE authentication.
    3. Click OK.
    4. Commit the configuration.
  6. Verify GlobalProtect Logs and System Logs on the firewall and PanGPS logs on the endpoints to ensure that the reauthentication happens when end users use the CIE authentication method and try to reconnect to the app.