i am desperately trying to configure azure to work with the pulse client.
we did all the stuff we found in the implementation guide to fire it up, but it won't work.
well, azure auth works, but...
user starts the pulse client, ie/edge browser opens, the user signs in to azure and auth works.
after authentication is done, we usually expect the browser to close and the pulse client to do the rest of the work to establish/secure a connection.
but the browser is still active and shows the ive.
the next moment, an update starts.
if we do what the browser states (activate java, install that and so on...) and then click on the last 'next', the browser closes. the pulse client is still disconnected.
the userlog on psa tells me the user is successfully connected via saml.
we changed/tried clients from 5.x to 9.1.x, but it is always the same behaviour.
funny thing is, only pulse client for linux works as expected.
if we change the auth settings from azure to anything else (user/pwd, ...), it also works as expected.
the same (azure) setting works at other customers on other hardware at other locations like a charm! -_-
the ticket at pulse has already been open for weeks, but they are busy af.
maybe someone in the community is able to give a hint.
thank you in advance.
@yutsi Can you please confirm the Pulse Client version activated on the 8.3Rx and 9.1Rx VPN servers by navigating to Users >> Pulse Secure Clients >> Components >> Activated version under manage PDC versions section?
PDC - Pulse Desktop Client.
By default, the 8.3Rx VPN server will have the 5.3Rx Pulse Client activated. If that's the case, can you please change the Pulse Client version (only the PDC version, not the VPN firmware version) to the same version as the 9.1Rx PDC which is being used and test the behavior.
So, there should not be any change with the browser scenario, i.e. the embedded browser will not be used, IE would be opened, and see if it works. Since you have mentioned the working setup of 8.3Rx VPN and 9.1Rx client, can you please confirm the version of PDC activated over there as well?
I am suspecting either it's a setup client issue or a misconfiguration on the VPN server side. The same setup working on Linux is due to the fact that there is no setup client or IE browser invoke logic present; the authentication would be handled straight away by the Pulse client embedded browser.
I do find it interesting as you have mentioned, 9.1Rx client did not resolve the issue, because by default embedded browser would be used if any 9.1Rx client initiates the connection and identifies if SAML authentication is required.
What is the VPN server version being used? As you have mentioned, Pulse Client opens IE for handling the SAML auth, which is expected for the 5.3Rx client; however, we can make it open the embedded browser when using 9.0Rx with the help of Pulse Secure connection settings, which need to be configured on the VPN server and pushed to the Pulse Clients to take effect. Again, 9.1Rx clients don't need any special settings for handling SAML auth using the embedded browser like the 9.0Rx clients do; however, it is possible to have the embedded browser setting disabled explicitly on the same Pulse client connection settings.
Can you please replicate the issue and share the Pulse client logs for review?
Pulse Client Logs:
1. Open Pulse Client.
2. File >> Logs >> Annotate >> "saml"
3. File >> Logs >> Log level >> Detailed.
4. Replicate the issue. Wait till the browser closes and PDC stays disconnected for 1 or 2 mins.
5. File >> Logs >> Save as.
thank you for your answer.
sadly the pulse client 9.1x never raises its embedded browser for this customer, even when the pulse client is set up without a preconfig file.
for testing, we set up two different (azure) customers on the same pulse client 9.1x without preconfig and the result was:
* working-customer-connection starts the embedded browser
* non-working-customer-connection does not start the embedded browser.
...non-working-customer is related to this topic.
another difference in this test was that the working-customer-connection hit a pcs with firmware version 9.1R4.x.
our customer here in this topic still uses, for reasons, 8.3R71 as firmware.
i am totally with you and your explanation about the behaviour of pulse client in conjunction with SAML auth, as this is also our experience with other 'saml-customers'
sadly at the moment i find no option to attach files to this post... surely i am overlooking it...???
thank you in advance.
Please upload it to any filehost site and share the link to me as a PM.
Thank you for explaining it further. I believe you've found the root cause for this issue, as I have seen the embedded browser will not be used when the server is on 8.3Rx, i.e. we need to be running the server on 9.0Rx or higher in order for the embedded browser to launch.
If possible, can you double check by enabling it through preconfig and try to connect to the 8.3Rx server and see if it launches? If it does, then we're right about it... but I'm wondering about the embedded browser SAML setting presence on 8.3Rx... does it have one under pulse client connection set???
well... i will give it a try to get a fitting preconfig from anywhere.
on the other hand... we maintain also a customer's pulse gateway, which is still running firmware 8.3R7.1, the client is 9.1x and the client is managed via preconfig.
but the saml provider is PingID.
it works basically like a charm and also the pulse client fires up no embedded browser...
and as you mentioned, there are no settings on firmware 8.3R7.1 for clientside embedded browsing.
sadly it does not work as we expect.
we configured a simple configuration with embedded browsing enabled:
and we imported it with jamcommand.
but it does not change the behaviour of the pulse client at all.
so it didn't work with 8.3Rx server right? yeah... I think that's how it is designed.
The client would detect the VPN server version and open the embedded browser when the firmware version is 9.0Rx and above.
As you were saying, there is a VPN server which runs 8.3Rx and Pulse Client 9.1Rx connects without SAML embedded browser and it works as expected i.e. VPN session gets transferred from browser to client?
<<As you were saying, there is a VPN server which runs 8.3Rx and Pulse Client 9.1Rx connects without SAML embedded browser and it works as expected i.e. VPN session gets transferred from browser to client?
meanwhile we also configured our own azure instance... and there is no change in behavior.
meanwhile i searched in the techpubs for firmware 8.3.x... and found nothing about azure as IdP, which leads me to...: could it be that saml via azure is not supported by this firmware version???