topic Re: Azure SAML Authentication for Admin access - HA Pair - AZURE Enterprise APP ADMIN UI in Next-Generation Firewall Discussions

Azure SAML Authentication for Admin access - HA Pair - AZURE Enterprise APP ADMIN UI

Carleton — Tue, 02 Aug 2022 17:38:48 GMT

We have been able to configure the ADMIN UI to use SAML auth on the primary firewall to leverage MFA. The problem is the secondary firewall has a different URL, of course, to access it. We tried creating a second ADMIN UI, but you cannot assign a separate authentication profile to the two different management interfaces in a HA configuration. Has anyone had a workaround for this?

Re: Azure SAML Authentication for Admin access - HA Pair - AZURE Enterprise APP ADMIN UI

CyberEng — Tue, 27 Sep 2022 09:34:01 GMT

Hi Carleton - did you ever get around this issue?

Cheers.

Re: Azure SAML Authentication for Admin access - HA Pair - AZURE Enterprise APP ADMIN UI

CyberEng — Tue, 27 Sep 2022 12:23:59 GMT

I managed to resolve this by adding multiple entries in the Azure SAML Identifer and reply-urls within the azure application SSO properties.

Re: Azure SAML Authentication for Admin access - HA Pair - AZURE Enterprise APP ADMIN UI

Carleton — Tue, 27 Sep 2022 12:41:55 GMT

I got it escalated to PA product development. When you use prelogin using a machine certificate authentication and SAML for user authentication, the SAML page on the firewall is what's causing the issue. We also are using a Windows OCSP responder to validate the certificate from a Windows server 2019 CA server. What development came back with was it is an issue with TLS 1.2. They believe that TLS 1.3 will have support for checking for certificate OID. There is no ability to check OID of the certificate in TLS1.2. If you have both user and machine certificates on the endpoint from the same CA, the embedded browser will prompt for a user certificate even though you are already authenticated. the workaround is to create a subordinate CA and only issue machine certificates from that CA. I found that if I used the public IP on the untrust side of the firewall and created a loopback interface using a nonroutable IP address and port 444, the issue didn't happen. You then need to nat to the untrust that loopback on 444 to port 443. GP will only function on 443. The gotcha here is you cant use IPsec and have to use SSL VPN at the cost of about 20% or better on the performance. The more people that go to their account rep and create a request for enhancement, the more attention this will get. So far they said only 4 people have reported the issue. I see this as something more and more people are going to want to do.

Re: Azure SAML Authentication for Admin access - HA Pair - AZURE Enterprise APP ADMIN UI

Carleton — Tue, 27 Sep 2022 12:43:33 GMT

One other thing. If you have user certs that are not used from the same CA and you delete them, the issue goes away too.

Re: Azure SAML Authentication for Admin access - HA Pair - AZURE Enterprise APP ADMIN UI

Carleton — Tue, 27 Sep 2022 12:52:44 GMT

I replied to the wrong thread, sorry. Yes we got this resolved by using a singe Enterprise app for both firelwalls

Re: Azure SAML Authentication for Admin access - HA Pair - AZURE Enterprise APP ADMIN UI

Carleton — Tue, 27 Sep 2022 13:35:55 GMT

In the basic SAML Config, you add both firewalls as shown below

Re: Azure SAML Authentication for Admin access - HA Pair - AZURE Enterprise APP ADMIN UI

CyberEng — Wed, 28 Sep 2022 08:22:18 GMT

Thanks Carleton.

Re: Azure SAML Authentication for Admin access - HA Pair - AZURE Enterprise APP ADMIN UI

K.Ivankova — Thu, 24 Apr 2025 18:03:50 GMT

I had same issue and support provided the following article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boQTCAY
But since we are in Azure, I found another way to fix the issue: Add linked single sign-on to an application

Configure linked-based single sign-on

Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
Browse to Identity > Applications > Enterprise applications > All applications.
Search for and select the application that you want to add linked SSO.
Select Single sign-on and then select Linked.
Enter the URL for the sign-in page of the application.
Select Save.

Firewall do authenticate with the proper Authentication Profiles.

Re: Azure SAML Authentication for Admin access - HA Pair - AZURE Enterprise APP ADMIN UI

CyberEng — Thu, 12 Jun 2025 08:25:33 GMT

Thanks K - thats good info on configuring the link-based SSO.