GlobalProtect client on iPhone or iPad unable to connect when using SAML authentication


Created On 08/23/19 22:55 PM – Last Modified 04/20/24 02:21 AM

Symptom

A GlobalProtect agent on an iOS iPad or iPhone configured with Pre-logon or User-logon using SAML authentication will briefly connect and then get disconnected with the error message: Connection Failed. The internet connection appears to be offline.

 

Environment

  • PAN-OS 8.0 and above.
  • GlobalProtect Agent 5.0 and above on iOS iPad or iPhone.
  • GlobalProtect is configured with the Always-On connect method.
  • SAML configured for client authentication.

 

Cause

  • The GlobalProtect iOS application only supports SAML authentication for the on-demand connect method (manual user-initiated connection) due to an Apple VPN framework limitation.
  • When Always-on mode is deployed to iOS devices, the Apple device blocks the internet connection, and since SAML authentication requires internet, it will not work.
  • When using a VPN profile in conjunction with MDM, the onDemandEnabled option behaves the same as the GP "Always-on" mode. Thus, SAML authentication is not supported on iOS devices when a VPN profile is used with onDemandEnabled = 1.
  • Refer to Setup SAML Authentication for SAML setup.
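A way to check an MDM configuration profile for the condition described above, as an added example that is not part of the original article: it parses an unsigned .mobileconfig plist and lists the VPN payloads that set OnDemandEnabled to 1. The payload type com.apple.vpn.managed is Apple's VPN payload identifier; the function names and the sample profile (constructed) are assumptions, and the key is matched case-insensitively at any depth because its position differs between VPN types.

```python
import plistlib

VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"  # Apple's payload type for managed VPN settings


def _find_key(node, wanted):
    """Yield every value stored under `wanted` (lower-case name) anywhere in node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() == wanted:
                yield value
            yield from _find_key(value, wanted)
    elif isinstance(node, list):
        for item in node:
            yield from _find_key(item, wanted)


def on_demand_vpn_payloads(profile_bytes):
    """Return the names of VPN payloads whose OnDemandEnabled value is 1."""
    profile = plistlib.loads(profile_bytes)  # assumes an unsigned (plain plist) profile
    flagged = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != VPN_PAYLOAD_TYPE:
            continue
        values = _find_key(payload, "ondemandenabled")
        # bool is a subclass of int, so a <true/> value is caught as well
        if any(isinstance(v, int) and int(v) == 1 for v in values):
            flagged.append(payload.get("UserDefinedName", "<unnamed>"))
    return flagged


# Constructed sample profile: two VPN payloads and one unrelated payload.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": VPN_PAYLOAD_TYPE, "UserDefinedName": "GP on-demand rules",
         "VPNType": "VPN",
         "VPN": {"RemoteAddress": "portal.example.com", "OnDemandEnabled": 1}},
        {"PayloadType": VPN_PAYLOAD_TYPE, "UserDefinedName": "GP manual",
         "VPNType": "VPN",
         "VPN": {"RemoteAddress": "portal.example.com", "OnDemandEnabled": 0}},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "corp"},
    ],
})

if __name__ == "__main__":
    for name in on_demand_vpn_payloads(SAMPLE):
        print(f"SAML will fail with this VPN payload (OnDemandEnabled = 1): {name}")
```

A signed profile is CMS-wrapped and has to be unwrapped to its plist before this check can read it.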

Resolution

To allow an iOS iPhone or iPad to work with GlobalProtect, On-demand must be the connect method. The best way to accomplish this is to configure a new agent and move it to the top of the list as shown below:

 

  1. GUI: Network > GlobalProtect > Portal > (select the portal) > Agent > Add > User/User Group > Add > select iOS in the OS tab instead of Any.
  2. GUI: Network > GlobalProtect > Portal > (select the portal) > Agent > (select the new agent) > App > App Configuration > select On-demand as the Connect Method.
  3. Fill in other information as appropriate.
  4. GUI: Network > GlobalProtect > Portal > (select the portal) > Agent > (select the new agent) > use Move Up so that the new agent is the first one in the list.
  5. Commit the changes.

Additional Information

With the above configuration, the new agent will take care of iOS iPad and iPhone clients. All other clients will use the second agent in the list and are not affected.