https://live.paloaltonetworks.com/t5/next-generation-firewall/azure-saml-authentication-validate-identity-provider-certificate/m-p/575282#M2551 <P>Hi&nbsp;<A id="link_7" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/211799" target="_self" aria-label="View Profile of zGomez"><SPAN class="">ZGomez</SPAN></A>, curious to know that did you checked the validate identity provider certificate. if so , then how did you get the&nbsp;identity provider certificate ?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AgilysysNetOps_0-1706784054201.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57014iFFEF97FB0DE25081/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="AgilysysNetOps_0-1706784054201.png" alt="AgilysysNetOps_0-1706784054201.png" /></span></P> <P>&nbsp;</P> Thu, 01 Feb 2024 10:42:21 GMT AgilysysNetOps 2024-02-01T10:42:21Z https://live.paloaltonetworks.com/t5/next-generation-firewall/azure-saml-authentication-validate-identity-provider-certificate/m-p/543325#M1310 <P>Hi,</P> <P>We have configured SAML on our portal and gateway.&nbsp; By default Microsoft generates a self signed certificate that is valid for 3 years for every Enterprise application you create.</P> <P>Is this secure enough to use the default self signed one and not validate it on my gateway/portal leave the check unmarked.</P> <P>According to this article it should be save if you are running the correct version of Panos.</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK" target="_blank">Securing your SAML Deployments - Knowledge Base - Palo Alto Networks</A></P> <P><A href="https://security.paloaltonetworks.com/CVE-2020-2021" target="_blank">CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication (paloaltonetworks.com)</A></P> <P>&nbsp;</P> <P>We could generate a certificate from our Internal PKI and upload this in Azure.&nbsp;</P> <P>What is the best pratice aroudn this.</P> <P>&nbsp;</P> Thu, 25 May 2023 10:18:29 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/azure-saml-authentication-validate-identity-provider-certificate/m-p/543325#M1310 zGomez 2023-05-25T10:18:29Z https://live.paloaltonetworks.com/t5/next-generation-firewall/azure-saml-authentication-validate-identity-provider-certificate/m-p/543396#M1317 <P>Hi there.. I think with today's modern PANOS, this not going to be an issue. We routinely do SAML cert setups in our PS organization and the Validate Cert is always disabled.&nbsp; <BR /><BR />Hope this helps.</P> Thu, 25 May 2023 22:39:46 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/azure-saml-authentication-validate-identity-provider-certificate/m-p/543396#M1317 S.Cantwell 2023-05-25T22:39:46Z https://live.paloaltonetworks.com/t5/next-generation-firewall/azure-saml-authentication-validate-identity-provider-certificate/m-p/575282#M2551 <P>Hi&nbsp;<A id="link_7" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/211799" target="_self" aria-label="View Profile of zGomez"><SPAN class="">ZGomez</SPAN></A>, curious to know that did you checked the validate identity provider certificate. if so , then how did you get the&nbsp;identity provider certificate ?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AgilysysNetOps_0-1706784054201.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57014iFFEF97FB0DE25081/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="AgilysysNetOps_0-1706784054201.png" alt="AgilysysNetOps_0-1706784054201.png" /></span></P> <P>&nbsp;</P> Thu, 01 Feb 2024 10:42:21 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/azure-saml-authentication-validate-identity-provider-certificate/m-p/575282#M2551 AgilysysNetOps 2024-02-01T10:42:21Z https://live.paloaltonetworks.com/t5/next-generation-firewall/azure-saml-authentication-validate-identity-provider-certificate/m-p/576424#M2598 <P>Hi,</P> <P>&nbsp;</P> <P>I ended up not checking the validity.&nbsp; But on the Azure side you could generate, import your own certificate on the Application.</P> <P>Or you can download it from there (the self signed).</P> <P>On Entra-ID go to Enterprise applications search for you Global Protect Application, single sign-on , saml certificate here you could use your own or download the existing self signed.&nbsp;</P> <P>You will have to import his on palo alto.&nbsp;&nbsp;</P> <P>I believe it would be more safe to check the cert but also an overhead in administration.&nbsp; The roll over happens every 3&nbsp; years so you would also have te re-import it then on PANOS after roll over.</P> <P>&nbsp;</P> Wed, 07 Feb 2024 10:16:14 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/azure-saml-authentication-validate-identity-provider-certificate/m-p/576424#M2598 zGomez 2024-02-07T10:16:14Z