https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-valid-certificate-when-using-azure-saml/m-p/445066#M2097 <P>In logging I can see that&nbsp; SAML authentication via Azure is succeeding. However my GP client is</P><P>failing to successfully connect I believe for some deficiency in the certificate. I have a self signed</P><P>certificate in a cert profile at the portal and gateway for this GP On Demand setup. Authentication</P><P>is set to require certificate *and* user ID/password. (Soon this will be MFA. But first things first.)&nbsp;</P><P>&nbsp;</P><P>Can a self signed certificate serve the need in this case? What properties would need to be</P><P>in such a self signed certificate to get GP connect? Thank you.</P><P>&nbsp;</P> Tue, 02 Nov 2021 20:23:36 GMT MichaelMedwid 2021-11-02T20:23:36Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-valid-certificate-when-using-azure-saml/m-p/445066#M2097 <P>In logging I can see that&nbsp; SAML authentication via Azure is succeeding. However my GP client is</P><P>failing to successfully connect I believe for some deficiency in the certificate. I have a self signed</P><P>certificate in a cert profile at the portal and gateway for this GP On Demand setup. Authentication</P><P>is set to require certificate *and* user ID/password. (Soon this will be MFA. But first things first.)&nbsp;</P><P>&nbsp;</P><P>Can a self signed certificate serve the need in this case? What properties would need to be</P><P>in such a self signed certificate to get GP connect? Thank you.</P><P>&nbsp;</P> Tue, 02 Nov 2021 20:23:36 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-valid-certificate-when-using-azure-saml/m-p/445066#M2097 MichaelMedwid 2021-11-02T20:23:36Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-valid-certificate-when-using-azure-saml/m-p/446049#M2116 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132469">@MichaelMedwid</a>,</P> <P>First, I would never recommend using a self-signed certificate with GlobalProtect. Either get the certificate issued by your internal CA or have it signed by a public trusted CA. Second, taking away SAML authentication for a second is this an existing working configuration or something you're just trying to get setup?&nbsp;</P> Sun, 07 Nov 2021 15:18:37 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-valid-certificate-when-using-azure-saml/m-p/446049#M2116 BPry 2021-11-07T15:18:37Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-valid-certificate-when-using-azure-saml/m-p/448304#M2157 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132469">@MichaelMedwid</a>&nbsp;</P><P>As BPry mentioned, you should get a CA certificate for the GP portal and gateways.<BR />In addition to that, you need to export the Microsoft Azure Federated SSO Certificate from the Azure Portal and import it to the firewall (Device -&gt; Certificate Management -&gt; Certificates).</P><P>&nbsp;</P><P>The following KB shows how to set up Azure SAML authentication with GlobalProtect, but this export/import certificate step is missing.</P><P><STRONG>How to setup Azure SAML authentication with GlobalProtect</STRONG><BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE</A></P><P>&nbsp;</P><P>You may refer to this KB for the SAML IdP.<BR /><STRONG>Identity Provider Configuration for SAML</STRONG><BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXPCA2" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXPCA2</A></P><P>&nbsp;</P><P>Hope this helps!</P> Thu, 18 Nov 2021 00:58:48 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-valid-certificate-when-using-azure-saml/m-p/448304#M2157 AnalysisMan 2021-11-18T00:58:48Z