Palo Alto GlobalProtect and an on-premises Clientless VPN app with SSO

Dear community,

I have a question about Auth0 in connection with Palo Alto Clientless VPN.
This is my first time with OAuth and Auth0, so please forgive me if I did something wrong here.

The goal is the following:

  • Log in to the Palo Alto firewall via Auth0 (GlobalProtect portal)
  • Open an app (hosted locally behind the firewall) via Clientless VPN
  • The app redirects to Auth0 again for SSO → access to the app without a second login

This is what I did:

  • I have created an application at Auth0 (Regular Web Application)
    This is my Clientless VPN app
  • Under “Addons” I then activated the SAML2 WEB APP
    This is the firewall login for the GlobalProtect Portal (where I can open my app via Clientless VPN)
    For the configuration, I followed the instructions for Okta with Palo Alto → Link

Everything seems to work so far; I can log in to my app and the firewall with my created users.
SLO also works via the Palo Alto GlobalProtect Portal page.
However, I am prompted to log in again as soon as I access the app via Clientless VPN.
It seems the SSO cookie is not recognized.

Possibly because of the proxy through the firewall.
But how else do you do that? Unfortunately I’m running out of ideas…
I may have misconfigured or forgotten something.
If anyone has any idea what could be causing this, I would really appreciate your help!

Thank you for reading and for any kind of help!

Best Regards
Colin