
Accessing GTm Extranet from a workstation connected to La Poste’s internal network does not follow the same path as an external connection. Since the implementation of the portal marh.legroupelaposte.fr and the switch to a single identity provider (IdP), several agents have encountered issues such as infinite redirections or silent authentication failures. Understanding the SSO federation mechanism and the surrounding network settings allows for quick identification of the source of the blockage.
SSO Federation and Single IdP: What Changes for Internal Network Connection
The group authentication scheme for HR applications, including MaBoxRH and GTm Extranet, now relies on an identity federation via a single IdP. Specifically, any connection attempt from maboxrh.laposte.fr or marh.legroupelaposte.fr triggers a redirection to a URL such as authentification.groupe.net.extra.laposte.fr.
On the internal network, this redirection goes through the corporate proxy. If the browser or workstation is not configured to allow this chain of redirections, the authentication page never loads. The typical symptom: a blank screen or a certificate error, without an explicit message.
Successfully authenticating to GTm Extranet from the internal network requires checking that the IdP domain is included in the local proxy exceptions. Agents using an unlisted browser (such as a manually installed Firefox) encounter this problem more frequently than those who stick to the browser deployed by the IT department.
| Connection Scenario | IdP Redirection | Current Result |
|---|---|---|
| Internal network, IT department browser, configured proxy | Automatic via SSO | Direct access without re-entering credentials |
| Internal network, unlisted browser | Blocked by proxy | Blank page or certificate error |
| External network (home, 4G) | Via marh.legroupelaposte.fr | Enter HR ID + password + 2FA |
| Internal network, VPN active simultaneously | Routing conflict | Infinite redirection loop |
The case of the active VPN in parallel deserves attention. Some agents activate the VPN reflexively while they are already on the corporate network. The routing between the VPN tunnel and the local proxy conflicts, preventing the correct resolution of the IdP URL.

Application-Based Two-Factor Authentication: End of SMS and Consequences for GTm Extranet
Since November 2025, La Poste has initiated a gradual migration from SMS 2FA to application-based 2FA (such as TOTP or push notification). For agents accessing GTm Extranet from the internal network with an SMS code as the second factor, this change has a direct impact: the SMS no longer arrives, and the interface does not provide any clear error message.
From the internal network, two-factor authentication is not always triggered by SSO. However, as soon as the session expires or the agent changes their physical workstation, the system requests a 2FA validation again. Without a configured application, the connection fails at this stage.
Configure Application 2FA Before You Need It
A common mistake is discovering the requirement for application-based 2FA at the moment of attempting to connect. Configuration should be done in advance, ideally from an external access point where the guided process is clearer.
- Install a compatible TOTP application (the one recommended by the IT department or a standard application like Google Authenticator, Microsoft Authenticator) on your personal or work phone
- Connect for the first time from outside the network via marh.legroupelaposte.fr to activate the association between the HR account and the application
- Ensure that the generated TOTP code works before attempting to connect from the internal network, as repeated failures may lead to a temporary account lockout
Once the application is associated, connecting from the internal network becomes smooth again: SSO takes over for most sessions, and application-based 2FA only intervenes during occasional re-authentications.
MaBoxRH Virtual Keyboard and HR ID: Two Distinct Sources of Blockage
The MaBoxRH portal uses a virtual keyboard for password entry. This security mechanism, designed to counter keyloggers, poses specific problems on the internal network. Workstations equipped with endpoint security software sometimes block the JavaScript necessary for rendering the keyboard. The result: an empty password field, no clickable keyboard, and no way to enter anything.
The solution involves checking the browser’s security settings. Scripts from the domain maboxrh.laposte.fr must be allowed. On some workstations, the domain must be manually added to the content filter’s whitelist.
HR ID: Neither Email Nor Payroll Number
The other source of confusion concerns the ID itself. The login field expects the HR ID specific to the group, not the professional email address or the payroll number used on pay slips. These three pieces of information are different. An agent entering their email receives a rejection without explanation, often leading them to initiate an unnecessary password reset.
- The HR ID is found on correspondence from the HR department and on the first access document provided upon hiring
- It can be retrieved by contacting support at [email protected]
- The local HR manager also has this information

Resolving Redirection Loops on the La Poste Network
Redirection loops are the most common and least documented problem. They occur when the browser oscillates between the MaBoxRH portal and the IdP without ever completing the authentication. Two main causes dominate.
The first: a corrupted cookie cache related to a previous session. SSO relies on session cookies set by the IdP. If a previous session was abruptly interrupted (browser closure during authentication, network cut), the residual cookie prevents the new authentication from initiating correctly. Deleting cookies from the domain authentification.groupe.net.extra.laposte.fr resolves the majority of these cases.
The second: a clock inconsistency between the workstation and the authentication server. The SAML protocol used by the identity federation validates a timestamp in the request. A discrepancy of just a few minutes is enough to cause a silent rejection. On workstations managed by the IT department, NTP synchronization is usually automatic, but some older workstations lose their synchronization after prolonged sleep.
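To make the clock-skew failure concrete, here is an added example (not La Poste's code, nor the federation's actual implementation) of the validity-window check a SAML relying party applies to an assertion's Conditions element. The assertion XML, the timestamps and the 60-second skew tolerance are constructed assumptions; the drift is modelled as the difference between the clock that stamped the assertion and the clock that checks it.

```python
"""Added example: SAML Conditions validity-window check with clock-skew
tolerance, showing why a few minutes of drift yields a silent rejection."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ALLOWED_SKEW = timedelta(seconds=60)  # assumption: tolerance configured on the SP

# Constructed assertion: valid for 5 minutes starting at 10:00:00Z.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" IssueInstant="2025-11-03T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Conditions NotBefore="2025-11-03T10:00:00Z"
                   NotOnOrAfter="2025-11-03T10:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml: str, now: datetime,
                     skew: timedelta = ALLOWED_SKEW) -> tuple[bool, str]:
    """Return (accepted, reason). NotBefore/NotOnOrAfter come from the issuer's
    clock; `now` is the validator's clock. The skew only widens the window a little,
    so a drift of several minutes still falls outside it."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = parse_saml_time(cond.attrib["NotBefore"])
    not_on_or_after = parse_saml_time(cond.attrib["NotOnOrAfter"])
    if now + skew < not_before:
        return False, f"not yet valid: validator clock is {not_before - now} behind NotBefore"
    if now - skew >= not_on_or_after:
        return False, f"expired: validator clock is {now - not_on_or_after} past NotOnOrAfter"
    return True, "ok"


def simulate(drift_minutes: int) -> tuple[bool, str]:
    """True time is 10:00:30Z; the validating side's clock is off by drift_minutes."""
    true_now = datetime(2025, 11, 3, 10, 0, 30, tzinfo=timezone.utc)
    return check_conditions(ASSERTION, true_now + timedelta(minutes=drift_minutes))


if __name__ == "__main__":
    for drift in (0, -3, 6):
        print(f"clock drift {drift:+d} min ->", simulate(drift))
```

A clock running three minutes slow is rejected as "not yet valid", one running six minutes fast as "expired"; neither outcome surfaces in the browser, which only sees the federation bounce it back to the portal.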
Clearing the cache, restarting the browser, and checking the system time are three simple actions that resolve the vast majority of SSO connection failures from the internal network without requiring support intervention.