diff --git a/Cargo.lock b/Cargo.lock
index 53aabb5..365ba92 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1469,6 +1469,7 @@ dependencies = [
 "compile-time",
 "env_logger",
 "gpapi",
+ "html-escape",
 "log",
 "regex",
 "serde_json",
@@ -1673,6 +1674,15 @@ version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"

+[[package]]
+name = "html-escape"
+version = "0.2.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6d1ad449764d627e22bfd7cd5e8868264fc9236e07c752972b4080cd351cb476"
+dependencies = [
+ "utf8-width",
+]
+
 [[package]]
 name = "html5ever"
 version = "0.26.0"
@@ -4484,6 +4494,12 @@ version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "09cc8ee72d2a9becf2f2febe0205bbed8fc6615b7cb429ad062dc7b7ddd036a9"

+[[package]]
+name = "utf8-width"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "86bd8d4e895da8537e5315b8254664e6b769c4ff3db18321b297a1e7004392e3"
+
 [[package]]
 name = "utf8parse"
 version = "0.2.1"
diff --git a/apps/gpauth/Cargo.toml b/apps/gpauth/Cargo.toml
index 92f473d..a19a296 100644
--- a/apps/gpauth/Cargo.toml
+++ b/apps/gpauth/Cargo.toml
@@ -18,6 +18,7 @@ serde_json.workspace = true
 tokio.workspace = true
 tokio-util.workspace = true
 tempfile.workspace = true
+html-escape = "0.2.13"
 webkit2gtk = "0.18.2"
 tauri = { workspace = true, features = ["http-all"] }
 compile-time.workspace = true
diff --git a/apps/gpauth/src/auth_window.rs b/apps/gpauth/src/auth_window.rs
index f9d02c2..c3a7675 100644
--- a/apps/gpauth/src/auth_window.rs
+++ b/apps/gpauth/src/auth_window.rs
@@ -366,26 +366,24 @@ fn read_auth_data_from_html(html: &str) -> Result Ok(auth_data), Err(err) => { if let Some(gpcallback) = extract_gpcallback(html) { info!("Found gpcallback from html..."); - SamlAuthData::from_gpcallback(gpcallback) + SamlAuthData::from_gpcallback(&gpcallback) } else { Err(err) } } - }; - - auth_data + } } -fn extract_gpcallback(html: &str) -> Option<&str> { +fn extract_gpcallback(html: &str) -> Option { let re = Regex::new(r#"globalprotectcallback:[^"]+"#).unwrap(); re.captures(html) .and_then(|captures| captures.get(0)) - .map(|m| m.as_str()) + .map(|m| html_escape::decode_html_entities(m.as_str()).to_string()) } fn read_auth_data(main_resource: &WebResource, auth_result_tx: mpsc::UnboundedSender) { @@ -500,11 +498,23 @@ mod tests { "#; assert_eq!( - extract_gpcallback(html), + extract_gpcallback(html).as_deref(), Some("globalprotectcallback:PGh0bWw+PCEtLSA8c") ); } + #[test] + fn extract_gpcallback_cas() { + let html = r#" + + "#; + + assert_eq!( + extract_gpcallback(html).as_deref(), + Some("globalprotectcallback:cas-as=1&un=xyz@email.com&token=very_long_string") + ); + } + #[test] fn extract_gpcallback_none() { let html = r#" diff --git a/crates/gpapi/src/auth.rs b/crates/gpapi/src/auth.rs index 2b80a25..cfaf816 100644 --- a/crates/gpapi/src/auth.rs +++ b/crates/gpapi/src/auth.rs @@ -66,7 +66,7 @@ impl SamlAuthData { let auth_data = data.trim_start_matches("globalprotectcallback:"); if auth_data.starts_with("cas-as") { - info!("Got token auth data: {}", auth_data); + info!("Got CAS auth data from globalprotectcallback"); let auth_data: SamlAuthData = serde_urlencoded::from_str(auth_data).map_err(|e| { warn!("Failed to parse token auth data: {}", e);
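Review bot: `extract_gpcallback` now returns a decoded, owned `String`, but nothing on the function says why the match is passed through `html_escape::decode_html_entities`; a doc comment such as `/// Returns the first globalprotectcallback: value found in the page, with HTML entities decoded (the CAS form carries &-separated fields).` would record that. On the same line, `.to_string()` always copies the `Cow`, while `.into_owned()` reuses the buffer when decoding already allocated: `.map(|m| html_escape::decode_html_entities(m.as_str()).into_owned())`. The pattern still ends the match only at a `"`, so it is worth confirming the page never carries the callback in a single-quoted or unquoted position, since the rest of that text would then be decoded and handed to `SamlAuthData::from_gpcallback`. `Regex::new(...).unwrap()` is also rebuilt on every call, which predates this change.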