By default, the Embedded browser of Global Protect does not support FIDO Authentications, so you must follow the below steps to enable default OS browser-based SAML Authentication.

Procedure

1. Go to Admin UI of Palo Alto > Network > Portal > Choose Your Configured Portal > Agent > Choose Your Agent > App. Next, change the default options as per below.
   
2. Change “Use Single Sign On (Windows) to No, and change “Use Default Browser for SAML Authentication” to Yes. Related KB Article from Palo Alto NGFW to check more related configurations.
   
   https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-released-in-gp-app/default-browser-for-saml-authentication