Palo Alto GlobalProtect and an on-premises Clientless VPN APP with SSO

Hey,

Yes, I found an answer.
Palo Alto support said it would only be possible with multiple logins, which is not true.
It’s exactly as I suspected.
The problem is the domain for which the cookie is stored in the browser.
Here is an example with auth0:
When you log in for the first time you will be redirected directly to the auth0 login page:
https://your-tenant-domain.auth0.com → domain auth0.com
But the second time you log in, the redirection already takes place through the firewall’s proxy https://your-firewall-ip/https/your-tenant-domain.auth0.com → domain your-firewall-ip,
which is why the cookie for this domain has to be saved again and the other one cannot be recognized.
The solution is very simple:
Add the domain *.auth0.com to the Clientless-VPN “Rewrite Exclude Domain List” so that the second redirection takes place directly.
(your-tenant-domain.auth0.com should also work.)

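The cookie-scoping problem described in the post above, as an added example (not the poster's code and not Palo Alto's): a small Python model of the Clientless VPN URL rewriter and of the browser's per-host cookie jar, showing why the IdP session cookie is invisible on the second login until the IdP host is on the exclude list. The `https://<firewall>/https/<host>` rewrite shape follows the post; wildcard matching of the exclude list with `fnmatch` and the host placeholders are assumptions.

```python
from fnmatch import fnmatch
from urllib.parse import urlparse

FIREWALL_HOST = "your-firewall-ip"          # placeholder, as in the post
IDP_HOST = "your-tenant-domain.auth0.com"   # placeholder, as in the post


def rewrite(url: str, exclude: list[str]) -> str:
    """Mimic the Clientless VPN rewriter: a host matching any exclude
    pattern is left untouched; every other URL is proxied as
    https://<firewall>/<scheme>/<host><path> (shape taken from the post).
    Wildcard matching via fnmatch is an assumption."""
    p = urlparse(url)
    if any(fnmatch(p.hostname or "", pat) for pat in exclude):
        return url
    return f"https://{FIREWALL_HOST}/{p.scheme}/{p.hostname}{p.path or '/'}"


def cookie_domain(url: str) -> str:
    """A browser scopes a cookie to the host it actually talked to."""
    return urlparse(url).hostname or ""


def simulate(exclude: list[str]) -> tuple[bool, str, str]:
    """Replay the two logins from the post.

    Returns (idp_cookie_visible_on_second_login, host_seen_first, host_seen_second).
    """
    jar: dict[str, set[str]] = {}          # constructed browser cookie jar
    # First login: the redirect goes straight to the tenant's auth0 host,
    # so the IdP session cookie is stored under that host.
    first = f"https://{IDP_HOST}/authorize"
    host1 = cookie_domain(first)
    jar.setdefault(host1, set()).add("auth0_session")
    # Second login: the same redirect now arrives through the rewriter.
    second = rewrite(first, exclude)
    host2 = cookie_domain(second)
    return "auth0_session" in jar.get(host2, set()), host1, host2


if __name__ == "__main__":
    print("no exclude   :", simulate([]))                 # cookie not found
    print("*.auth0.com  :", simulate(["*.auth0.com"]))    # cookie found
```

The first call lands on the firewall host, where no auth0 cookie exists, which is the repeated login prompt the post describes; with the exclude entry the second redirect stays on the auth0 host and the existing cookie is sent.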