Okta Classic Engine | Multi-Factor Authentication | Answered | Posted 2025-07-28, last activity 2025-08-18
SAML Authentication: User logs in to GlobalProtect with different Okta account than the one entered in the VPN client

Hi,

We are using Okta as the SAML IdP for GlobalProtect VPN (Palo Alto Networks firewall).

We have a situation where the same users exist in both GlobalProtect and Okta (e.g., user Antonio and user Paolo).

When the user opens the GlobalProtect VPN client and enters the username "Antonio", the SAML authentication flow is triggered and redirected to Okta as expected.

However, if the user authenticates on the Okta page with Paolo's credentials (email, password, and OTP), the SAML assertion is accepted, and the VPN connection is established under Paolo’s identity, even though "Antonio" was originally typed into the VPN client.


  • HarryL.05482 (Anthropic Identity)

    The IdP redirect does not maintain the user identification from the VPN client. Essentially the VPN client is just identifying the user, and is redirecting to Okta for authentication. Okta also needs to identify the user.

    This is typical for all federation use cases.

    Selected as Best
  • BrandonB.06003 (Customer)

    The initial username entered on the VPN side just triggers IdP discovery so Palo Alto knows which IdP to authenticate against. The user context isn't passed. Anything typed into Okta will be what is accepted and passed back to the firewall.
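As an added illustration of the mismatch both answers describe (this is my own example, not code from the thread, from Palo Alto Networks or from Okta), the check below parses a constructed SAML response, extracts the asserted NameID and compares it with the username the VPN client submitted. Function names and the XML sample are assumptions; it also assumes the response signature was already verified upstream, which this snippet does not do.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 protocol and assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (not a captured response): the VPN client asked for
# "Antonio", but the IdP asserted Paolo's identity, as in the question above.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">paolo@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def asserted_name_id(response_xml: str) -> str:
    """Return the NameID of the first assertion; raise if the response has none.
    Assumes the XML signature was validated before this function is called."""
    root = ET.fromstring(response_xml)
    node = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("SAML response carries no Subject/NameID")
    return node.text.strip()


def normalize(identity: str) -> str:
    """Case-fold and drop an e-mail domain so 'Antonio' and 'antonio@example.com' compare equal."""
    return identity.strip().lower().split("@", 1)[0]


def identity_matches(entered_username: str, response_xml: str) -> bool:
    """True only when the user named in the VPN client is the user the IdP asserted."""
    return normalize(entered_username) == normalize(asserted_name_id(response_xml))


def check_login(entered_username: str, response_xml: str) -> dict:
    """Decision record an SP, or a log-correlation job, could emit for each login."""
    return {
        "entered": entered_username,
        "asserted": asserted_name_id(response_xml),
        "match": identity_matches(entered_username, response_xml),
    }


if __name__ == "__main__":
    print(check_login("Antonio", SAMPLE_RESPONSE))
```

The same comparison can be run after the fact over authentication logs that record both the client-entered username and the asserted subject, which turns the behaviour described in this thread into a detectable event rather than a silent one.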
