1 min read

Install Palo Alto GlobalProtect to use default browser for SAML

There is a 'funny' situation when installing Palo Alto GlobalProtect client for RA VPN. If you are using SAML to authenticate your users, with the default installation it will use builtin browser to open SAML IdP.

Unfortunately, that doesn't work - for some reason, I'm still reading conflicting things about this.

The problem is that client picks up the configuration from the GP portal, but if it can't connect, then it can't pull the config either, right?

The only solution to this that I've found was to instruct installer to install GP application with direct instruction to disable the built-in browser and use the system default browser. It's quite easy to do:

msiexec.exe /i GlobalProtect64.msi DEFAULTBROWSER=YES

Of course, you need to position yourself in the directory where you downloaded the installer, run the command, and after that, GP will use the default browser to open SAML sessions with your IdP.