topic Re: Palo Alto with Azure SAML issue in GlobalProtect Discussions

Palo Alto with Azure SAML issue

Kevin-Ng — Tue, 12 Mar 2024 08:32:07 GMT

Hi all, I have configured all the required basic SAML configurations in Azure, and assigned a few test AD users to GlobalProtect enterprise application. Also configured those required settings on the Palo Alto end where I import the XML cert, create an authentication profile, and assign the profile to both my gateway and portal. You can refer to my screenshots of those configurations.

what issue i faced, once i redirect to the Microsoft portal login, and after login in, i got the below error message,

Anyone can help me find the root cause of this?

Below are my configuration:

Re: Palo Alto with Azure SAML issue

Anderson_D — Tue, 12 Mar 2024 15:22:59 GMT

Hi Kevin,

Have you checked the authd.log? I would say this could be related to problems with the SAML request/response.

less mp-log authd.log

Re: Palo Alto with Azure SAML issue

Kevin-Ng — Fri, 22 Mar 2024 12:45:32 GMT

Hi, this is the error i getting . not sure what is it about? do you know?

Re: Palo Alto with Azure SAML issue

Anderson_D — Fri, 22 Mar 2024 13:05:17 GMT

It seems your time is not synchronized between the firewall and the IdP (Azure), thus the firewall will reject the SAML response.

This is also explained here:

Authentication error due to timestamp in SAML message from IdP - Knowledge Base - Palo Alto Networks

Re: Palo Alto with Azure SAML issue

Kevin-Ng — Sat, 23 Mar 2024 07:46:22 GMT

My Palo alto have already configured with sg.pool.ntp.org. But do you happen to know where i can configure NTP/timezone for my Azure IdP?

Re: Palo Alto with Azure SAML issue

Anderson_D — Mon, 25 Mar 2024 21:50:42 GMT

I don't know, I've been configuring Azure SAML for multiple regions in different timezones without issues.

Is the firewall configured in the correct timezone besides the NTP server (Device > Setup > Management > Time Zone)? I'm asking this because all SAML messages are in UTC format, maybe your problem is the firewall not being in the correct time zone and the converted time to UTC is not matching Azure's.

Re: Palo Alto with Azure SAML issue

Kevin-Ng — Mon, 08 Apr 2024 10:09:02 GMT

thanks @Anderson_D ! i managed to resolve this error.

Now I have a new error where I now able to login from the browser. But when I tried to log in from the GlobalProtect App itself. i got the error from the attached image "121". Do you know what is the setting i miss out?

Re: Palo Alto with Azure SAML issue

Anderson_D — Mon, 08 Apr 2024 14:10:11 GMT

Make sure your Global Protect URL matches the URL identifier configured in Azure, otherwise the request will be denied.

Re: Palo Alto with Azure SAML issue

Kevin-Ng — Mon, 08 Apr 2024 14:43:24 GMT

I am using FQDN for my GP url and for my identifier in azure . Not sure why the error is showing the IP Address instead.

Re: Palo Alto with Azure SAML issue

Anderson_D — Mon, 08 Apr 2024 15:16:24 GMT

But even under GlobalProtect > Portals > Agent > External Gateways?