Palo Alto GlobalProtect and an on-premises Clientless VPN app with SSO

Hi boon, so much thanks for the reply, this is brilliant and thanks for letting me know… this might help us… but can I check?

Our issue is that we have a Palo SSL clientless VPN portal (let's call it portal.blah.com) and behind it is an internal application, let's call it guco.blah.com.

Both systems use Microsoft SAML, but with their own Entra Microsoft SAML applications (not sure that makes any difference).

The users would normally already have a Microsoft SAML cookie (from the initial Windows and MS login) and can then SSO into the VPN portal… the issue is then logging into the application behind the SSL VPN (guco.blah.com): they get thrown another prompt as the URL is then portal.blah.com/https/guco.blah.com… which backs up your reason about no cookie for that domain.

So am I adding guco.blah.com to the clientless rewrite exclude domain list? (We didn't want to expose guco.blah.com to the internet directly.) Or is it the Microsoft SSO SAML domain we should be adding into the rewrite list?