topic Re: Global Protect Azure SAML authentication in General Topics

Global Protect Azure SAML authentication

kevin.thomas — Fri, 31 Jan 2020 14:26:24 GMT

PAN OS 8.1.6 currently

GP Client 4.1.13-2 and 5.0.7-2 (testing)

Attempting to use Azure SAML authentication

went through standard procedures..

import fed metadata xml from azure.

validate IDP cert unchecked.

Azure cert imports automatically and is valid.

auth profile with saml created (no message signing)

when Browsing to GP portal URL, redirection and Microsoft auth works fine and continues to Portal site.

From logs..

saml-signature-validated:

SAML Assertion: signature is validated against IdP certificate (subject \'crt.azure_SAML_profile.shared\') for user \'john.doe@here.com

auth-success:

'SAML SSO authenticated for user \'john.doe@here.com\'. auth profile \'azure-saml-auth\', vsys \'vsys4\', server profile \'azure_SAML_profile\', IdP entityID \'https://sts.windows.net/d77c7f4d-d767-461f-b625-8903327872/\', Fro

Next..

When I attempt to use the SAML auth profile with the GP gateway (different hostname/IP from Portal)

Fails..

The initial saml auth to the portal is successful in the logs...but then auth to the gateway fails with the below information.

from Logs..

saml-certificate error:

Failure while validating the signature of SAML message received from the IdP "https://sts.windows.net/d77c7f4d-d 767-461f-b625-8903327872/", because the certificate in the SAML Message doesn\'t match the IDP certificate configured on the IdP Server Profile "azure_SAML_profile". (SP: "Global Protect"), (Client IP: 70.131.60.24), (vsys: shared), (authd id: 6705119835185905969), (user: john.doe@here.com)' )

auth-fail:

SAML SSO authentication failed for user \'john.doe@here.com\'. Reason: SAML web single-sign-on failed. auth pr......

Re: Global Protect Azure SAML authentication

Maxstr — Fri, 31 Jan 2020 17:48:27 GMT

Are you using Azure Cloud MFA or Azure MFA Server?

Re: Global Protect Azure SAML authentication

AnalysisMan — Mon, 03 Feb 2020 18:50:50 GMT

The log shows that it's failing while validating the signature of SAML.

You may try this out:

1) Uncheck 'Validate Identity Provider Certificate,' and 'Sign SAML Message to IDP' on the Device -> Server Profiles -> SAML Identity Provider.
2) Set to 'None' in 'Certificate for Signing Requests' and 'Certificate Profile' on the Device -> Authentication Profile -> authentication profile you configured for Azure SAML.

Hope this helps,

Re: Global Protect Azure SAML authentication

cdg-sherman1 — Sat, 06 Jun 2020 23:51:44 GMT

Thank you much @AnalysisMan !!

After hours of working on this, I finally came across your post and you have saved the day.

It now works.

Re: Global Protect Azure SAML authentication

Vinod_Pathuri — Wed, 16 Aug 2023 17:05:07 GMT

I have the same issue with Pingone through the gateway getting internal error 500, any inputs?