topic Re: PaloAlto/Okta CaptivePortal Stopped Working in Next-Generation Firewall Discussions

PaloAlto/Okta CaptivePortal Stopped Working

pomologist — Thu, 12 Jan 2023 19:04:34 GMT

Hello! I've had PaloAlto/Okta captive portal authentication working for awhile now. I recently upgraded Okta to Okta Identity Engine, and also upgraded my PA to the latest 10.x.x version. One of those upgrades appears to have broken the Okta/PA integration. SP initiated authentications STILL WORK. IDP initiated authentications do NOT WORK - they redirect to Okta for entering credentials, and then hang on the re-direct back to the PA. i.e, they hang on:

https://xxxxxxxx.okta.com/login/token/redirect?stateToken=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The Okta logs show only successful authentications, and no errors. Thus Okta support says the issue is outside of their control.

Any suggestions?

Thank you!

Re: PaloAlto/Okta CaptivePortal Stopped Working

pomologist — Wed, 18 Jan 2023 23:54:30 GMT

I opened a case with PA about this and it turns out that broken OKTA SAML authentication is a known bug PAN-OS 10.2.3 (version I'm on)!

PA engineering is working on a fix. PAN-OS 10.2.4 / 11.0.1 is the target fix version, with an ETA is "TBD"....

Re: PaloAlto/Okta CaptivePortal Stopped Working

AaronAxvig — Thu, 26 Jan 2023 21:47:45 GMT

FYI the Okta doc about setting up PA CaptivePortal SSO (https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-CaptivePortal.html) currently states that Idp-Initiated is not supported. Not sure if that has always been there or is something new just for this issue.

Quote:

SP-initiated flows are supported.

IdP-initiated flows and Just In Time (JIT) Provisioning are not supported.

Re: PaloAlto/Okta CaptivePortal Stopped Working

pomologist — Fri, 27 Jan 2023 04:38:56 GMT

Hmm, very interesting. It has worked for me for years, and is set up following the standard procedure Okta outlines for integration. I suspect this must be a tacit acknowledgment of the bug. Update from PA support on this is that the fix is supposed to be released sometime in March....

Re: PaloAlto/Okta CaptivePortal Stopped Working

govindra — Thu, 16 Feb 2023 21:09:58 GMT

A few months back I updated to 10.2.x, then my CP seemed to break using SAML to Ping. I went back to 10.1.x. I just saw in 10.2.3-h4, (PAN-210513) they fixed a CP SAML issue. Maybe that is your fix and maybe mine as well, will need to re-update and test later. Maybe if you test it first, reply and let us know if that addresses your issue.

Re: PaloAlto/Okta CaptivePortal Stopped Working

pomologist — Fri, 17 Feb 2023 02:52:10 GMT

Yes I noticed that too. I updated to 10.2.3-h4 today, but it unfortunately did not fix the issue for me. The rep told me earlier that I'll have to wait until 10.2.4 for the fix.

Re: PaloAlto/Okta CaptivePortal Stopped Working

govindra — Fri, 17 Feb 2023 12:02:06 GMT

unfortunate, guess i'll wait too before i try mine again, last time i did this i saw the redirect back to the PA and where it also hung and ended up needing to drive to office to restore.

Re: PaloAlto/Okta CaptivePortal Stopped Working

govindra — Fri, 31 Mar 2023 10:35:17 GMT

I see 10.2.4 is out, if you get to test it and if fixes your issue, would like that feedback.

Re: PaloAlto/Okta CaptivePortal Stopped Working

govindra — Fri, 23 Jun 2023 11:37:10 GMT

@pomologist - curious if you made the jump to 10.2.4-h2 and if that fixed your captive portal issue?

Re: PaloAlto/Okta CaptivePortal Stopped Working

pomologist — Wed, 28 Jun 2023 07:59:41 GMT

I'll be running the update in a couple weeks and will report at that time!

Re: PaloAlto/Okta CaptivePortal Stopped Working

govindra — Sat, 05 Aug 2023 17:34:40 GMT

@pomologist - I updated to 10.2.4-h3 and that seemed to address my CP issues we saw in 10.2.2