https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-admin-ui-okta-saml/m-p/615436#M2602 <P>Hi, we are trying to configure the Panorama SAML authentication within our Okta tenant, and we couldn't get it done due to an invalid sign-in certificate in the "Authentication profile" section.</P> <P>&nbsp;</P> <P>We have followed the following Palo Alto and Okta documents below, generated an authority certificate, and published it to the Okta app via the API call according to the Okta CSR generation process:<BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP#:~:text=updated%20it%20manually.-,Steps%20to%20configure%20CA%2Dissued%20certificate%20and%20enable%20Validate%20Identity%20Provider%20Certificate%20on%20PAN%2DOS%C2%A0,-Step%201%20%2D%20%C2%A0Add" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP#:~:text=updated%20it%20manually.-,Steps%20to%20configure%20CA%2Dissued%20certificate%20and%20enable%20Validate%20Identity%20Provider%20Certificate%20on%20PAN%2DOS%C2%A0,-Step%201%20%2D%20%C2%A0Add</A></P> <P>&nbsp;</P> <P><A href="https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-Admin-UI.html?baseAdminUrl=https://monday-admin.okta.com&amp;app=paloaltonetworkssaml&amp;instanceId=0oa158vs8abQAHd2q358" target="_blank">https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-Admin-UI.html?baseAdminUrl=https://monday-admin.okta.com&amp;app=paloaltonetworkssaml&amp;instanceId=0oa158vs8abQAHd2q358</A></P> <P>&nbsp;</P> <P>It seems like Palo Alto detects sign in certificates only if they are within a private key in the profile itself and not by request as Okta works (Every sign request generates a key)</P> <P>&nbsp;</P> <P>I'm wondering how to make it work if we have a signed authority certificate that works great on Okta(the logs show it) but is not accepted by the Panorama console.</P> <P>&nbsp;</P> <P>It would be great if someone who is familiar with the process could give us some insights about connecting the Panorama admin UI within Okta SAML.</P> <P>&nbsp;</P> <P>Thanks!</P> <P>&nbsp;</P> Mon, 28 Oct 2024 13:09:51 GMT avivda 2024-10-28T13:09:51Z https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-admin-ui-okta-saml/m-p/615436#M2602 <P>Hi, we are trying to configure the Panorama SAML authentication within our Okta tenant, and we couldn't get it done due to an invalid sign-in certificate in the "Authentication profile" section.</P> <P>&nbsp;</P> <P>We have followed the following Palo Alto and Okta documents below, generated an authority certificate, and published it to the Okta app via the API call according to the Okta CSR generation process:<BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP#:~:text=updated%20it%20manually.-,Steps%20to%20configure%20CA%2Dissued%20certificate%20and%20enable%20Validate%20Identity%20Provider%20Certificate%20on%20PAN%2DOS%C2%A0,-Step%201%20%2D%20%C2%A0Add" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXP#:~:text=updated%20it%20manually.-,Steps%20to%20configure%20CA%2Dissued%20certificate%20and%20enable%20Validate%20Identity%20Provider%20Certificate%20on%20PAN%2DOS%C2%A0,-Step%201%20%2D%20%C2%A0Add</A></P> <P>&nbsp;</P> <P><A href="https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-Admin-UI.html?baseAdminUrl=https://monday-admin.okta.com&amp;app=paloaltonetworkssaml&amp;instanceId=0oa158vs8abQAHd2q358" target="_blank">https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-Admin-UI.html?baseAdminUrl=https://monday-admin.okta.com&amp;app=paloaltonetworkssaml&amp;instanceId=0oa158vs8abQAHd2q358</A></P> <P>&nbsp;</P> <P>It seems like Palo Alto detects sign in certificates only if they are within a private key in the profile itself and not by request as Okta works (Every sign request generates a key)</P> <P>&nbsp;</P> <P>I'm wondering how to make it work if we have a signed authority certificate that works great on Okta(the logs show it) but is not accepted by the Panorama console.</P> <P>&nbsp;</P> <P>It would be great if someone who is familiar with the process could give us some insights about connecting the Panorama admin UI within Okta SAML.</P> <P>&nbsp;</P> <P>Thanks!</P> <P>&nbsp;</P> Mon, 28 Oct 2024 13:09:51 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-admin-ui-okta-saml/m-p/615436#M2602 avivda 2024-10-28T13:09:51Z https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-admin-ui-okta-saml/m-p/1000038#M2722 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/940477259">@avivda</a>&nbsp;,</P> <P>&nbsp;</P> <P>I propose you an alternative :</P> <P>- enroll the Panorama to CIE</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/identity-features/cloud-identity-engine" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/identity-features/cloud-identity-engine</A><BR />- link CIE to Okta<BR /><A href="https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-users-with-the-cloud-identity-engine/configure-an-identity-provider-in-the-cloud-identity-engine/configure-okta-as-an-idp-in-the-cloud-identity-engine" target="_blank">https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-users-with-the-cloud-identity-engine/configure-an-identity-provider-in-the-cloud-identity-engine/configure-okta-as-an-idp-in-the-cloud-identity-engine</A><BR /><BR />Olivier</P> Fri, 03 Jan 2025 09:21:00 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-admin-ui-okta-saml/m-p/1000038#M2722 ozheng 2025-01-03T09:21:00Z