https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/are-you-using-certificate-profiles-for-azure-saml-authentication/m-p/515549#M1668 <P>Setting up SAML authentication for the first time from a new Azure instance and having multiple issues. I had an idea how it would work, that Azure would provide an internal CA and SAML gateway (IDP) certificate, and then assign us a certificate (w/private key) to use on the firewall. However, we are only getting a self-signed certificate for the IDP. This makes all the certificate loading/profiles on the PA fail (can't manually load a self-signed certificate, have no CA to assign to a profile, etc.).</P> <P>&nbsp;</P> <P>Do people normally run Azure SAML with a CA chain and certificates for endpoints? Or do you normally run with certificate signing and validation to the IDP turned off?</P> <P>&nbsp;</P> <P>The default settings when setting up a SAML server is for "<SPAN>Validate Identity Provider Certificate", but the PA documentation shows the authentication profile as have "none" for "Certificate for signing Requests" and "Certificate Profile", which causes a confusing error on trying to save. There is a brief, easy to miss note in the PA documentation and this previous post that explain it:</SPAN></P> <P><SPAN><A href="https://live.paloaltonetworks.com/t5/general-topics/global-protect-azure-saml-authentication/m-p/309222/highlight/true#M80155" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/general-topics/global-protect-azure-saml-authentication/m-p/309222/highlight/true#M80155</A></SPAN></P> Wed, 21 Sep 2022 03:31:17 GMT Adrian_Jensen 2022-09-21T03:31:17Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/are-you-using-certificate-profiles-for-azure-saml-authentication/m-p/515549#M1668 <P>Setting up SAML authentication for the first time from a new Azure instance and having multiple issues. I had an idea how it would work, that Azure would provide an internal CA and SAML gateway (IDP) certificate, and then assign us a certificate (w/private key) to use on the firewall. However, we are only getting a self-signed certificate for the IDP. This makes all the certificate loading/profiles on the PA fail (can't manually load a self-signed certificate, have no CA to assign to a profile, etc.).</P> <P>&nbsp;</P> <P>Do people normally run Azure SAML with a CA chain and certificates for endpoints? Or do you normally run with certificate signing and validation to the IDP turned off?</P> <P>&nbsp;</P> <P>The default settings when setting up a SAML server is for "<SPAN>Validate Identity Provider Certificate", but the PA documentation shows the authentication profile as have "none" for "Certificate for signing Requests" and "Certificate Profile", which causes a confusing error on trying to save. There is a brief, easy to miss note in the PA documentation and this previous post that explain it:</SPAN></P> <P><SPAN><A href="https://live.paloaltonetworks.com/t5/general-topics/global-protect-azure-saml-authentication/m-p/309222/highlight/true#M80155" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/general-topics/global-protect-azure-saml-authentication/m-p/309222/highlight/true#M80155</A></SPAN></P> Wed, 21 Sep 2022 03:31:17 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/are-you-using-certificate-profiles-for-azure-saml-authentication/m-p/515549#M1668 Adrian_Jensen 2022-09-21T03:31:17Z