topic Re: SAML authentication broke after upgrading to pan os 10.1.4-h4 in General Topics

SAML authentication broke after upgrading to pan os 10.1.4-h4

Akhil_B — Thu, 31 Mar 2022 14:12:54 GMT

After the upgrade of Pan-OS from 9.1.11 to 10.1.4-h4 last night, our SAML authentication does not work. We have a setup to authenticate the administrators logging into firewall using a SSO SAML profile which redirects to okta and we get authenticated over there.

It was working totally fine with the 9.1.11 version but as soon as I upgrade to 10.x it stopped working. I followed the step upgrade procedure of palo alto to upgrade 9.1.11 > 10.0.0 > 10.0.9 > 10.1.0 > 10.1.4-h4

Re: SAML authentication broke after upgrading to pan os 10.1.4-h4

Akhil_B — Thu, 31 Mar 2022 15:08:21 GMT

Solution Found:

Looking at the system logs on the PA, this new release is now checking the username being sent in the SAML assertion with the one we are logging in as. Because both of those need to agree with the administrator name, We had to change the Okta Application username format in Credential Details for this Palo Alto app to "Okta username prefix". That change dropped the domain.com from the user name that Okta sent back in the SAML assertion.