KB40225 - Pulse Desktop client does not automatically connect after SAML authentication on Mac OS X and MacOS

This article describes an issue where the Pulse Desktop client does not automatically connect after SAML authentication on Mac OS X 10.11.5 and up.

The SAML authentication process with Pulse desktop client on Mac OS X and MacOS works as follows:

1. User launches the Pulse client and clicks "Connect" to login.
2. User types their SAML credentials in the Pulse client UI and clicks "Connect".
3. A Safari browser is automatically launched by the Pulse client to send the SAML credentials and consume the assertion that is sent by the IdP.
4. Once SAML auth is complete the Safari browser closes automatically and the connection in the Pulse client will be updated to "Conne

Instead of working as specified above the following behavior is observed:

1. Step 4. is never completed and the Safari browser remains open on the desktop. 
2. Authentication to SAML is successful but Safari does not automatically close.
3. Upon checking the Pulse client the connection has not been completed yet.  
4. From the bookmark page displayed in the Safari browser, the user has to click the "Start" button next to the Pulse client bookmark.
5. The connection in the Pulse client will then be updated to "Connected".  
6. The user can then manually close the Safari browser.

For SAML authentication with the Pulse desktop client on Mac OS X and MacOS, an Apple script is used to launch two URLs.  The first launches a browser and goes to the login page and sends the credentials.  The second is to start the Pulse connection and close the browser.  It is the second script that is not working.

This issue affects the following Pulse and Mac OS X versions: 

• Mac OS X 10.11.5 and up.
• Pulse Desktop client 5.1R9 and below.
• Pulse Desktop client 5.2R6 and below.

This issue is resolved in the following Pulse releases:

• Pulse 5.1R10 and up
• Pulse 5.2R7 and up

The fix is specific to the Pulse client so only the client needs to be updated--not the PCS device software.

Important Note:  For Mac OS X 10.11.5 and up, refer to KB43719 - How to enable Allow JavaScript from Apple Events so that Pulse will run on Mac OS X 10.11.5 and up to insure that the Pulse desktop client can run on these Mac versions.

Additional Note:  Full support of SAML authentication via Pulse desktop client will be available in PCS OS 9.0R1 which is released.  Starting with PCS OS 9.0 and Pulse Client 9.0, SAML authentication takes place by way of an embedded browser in the Pulse client, which allows the authentication process to occur within Pulse entirely, rather than launching a Safari browser. So, we need not follow KB43719 when running 9.0R1 PCS and 9.0R1 pulse Client.