topic Re: Unable to Authenticate to GP using SMAL in General Topics

Unable to Authenticate to GP using SMAL

MP18 — Fri, 29 Nov 2019 06:31:29 GMT

On PA 8.1.19 we have configured GP portal and Gateway for SAML authentic in Azure.

We have imported the SAML Metadata XML into SAML identity provider in PA.

Authentication Failed

Please contact the administrator for further assistance

Error code: -1

When I go to GP. url. I get authentic on my phone and I approve it then I get this error on browser.

PA. system log shows sam authentic error.

Server team says that SAML is working fine as it authenticates the user.

Any ideas how can we proceed on this?

Re: Unable to Authenticate to GP using SMAL

JoergSchuetter — Fri, 29 Nov 2019 12:24:01 GMT

Hello

There are various browser plugins (for the PC based browsers, most probably not for the smartphone, so you need to test this from a PC). This plugin helped me a lot while trouble shooting some SAML related authentication topics.

Re: Unable to Authenticate to GP using SMAL

MP18 — Fri, 29 Nov 2019 15:38:02 GMT

I am testing from the PC only.

Will use SAML ext for chrome now

Re: Unable to Authenticate to GP using SMAL

MP18 — Fri, 29 Nov 2019 15:43:21 GMT

PA system log shows this error

and ( description contains 'Failure while validating the signature of SAML message received from the IdP "https://sts.windows.net/7262967a-05fa-4d59-8afd-25b734eaf196/", because the certificate in the SAML Message doesn\'t match the IDP certificate configured on the IdP Server Profile "Azure_GP". (SP: "Global Protect"), (Client IP: 207.228.78.105), (vsys: vsys1), (authd id: 6723816240130860777), (user: xsy@com)' )

Re: Unable to Authenticate to GP using SMAL

MP18 — Sat, 07 Dec 2019 17:20:52 GMT

Issue was fixed by exporting the right cert from Azure.

XML metadata file is azure was using inactive cert.

Re: Unable to Authenticate to GP using SMAL

kevin.thomas — Fri, 31 Jan 2020 13:57:29 GMT

I am having a similar issue.

global protect with azure SAML

authentication works fine with the GP Portal, but when connecting to the GP gateway, authentication fails with the same error you received. The Cert from Azure is an active and valid cert.

My portal and gateway have separate hostnames/IPs

Re: Unable to Authenticate to GP using SMAL

MP18 — Wed, 05 Feb 2020 16:38:48 GMT

check the authd logs in the PA.

Also check the logs in Azure.

Authd logs in PA helps to find the cause of the error message.

Re: Unable to Authenticate to GP using SMAL

RamiAkermi — Wed, 15 Jul 2020 16:22:52 GMT

Hi @MP18
I was able to make palo alto admin UI authentication work with SAML.
Now, I want to do the same with GlobalProtect.
A brief history:
I configured a SAML authentication profile for globalprotect and it's working just fine with our globalprotect VPN portal (we use Auth0 as an IDP with Duo MFA).
When trying to do the same with the globalprotect gateway (I'm 100% sure that the authentication profile and the auth0 client settings are correct), I keep getting this error "unknown private header auth-failed-invalid-user-input" and the globalprotect client is showing that it's not able to contact the gateway.
A workaround was using SAML authentication with vpn portal and certificate profile with the gateway.
Now, The problem is that I'm unable to identify VPN source users on Palo alto since I'm using the Common Name of a client SSL cert to identify users and not LDAP or adfs ...
Can someone help me make the saml authentication work with GP VPN gateway?
Thanks.
Rami

Re: Unable to Authenticate to GP using SMAL

MP18 — Mon, 20 Jul 2020 03:19:06 GMT

@RamiAkermi

We have our GP where Portal and Gateway are configured for SAML authentication.

Make sure authentication profile is same for both portal and GW.

Did you check logs on the Duo side?

Regards

Re: Unable to Authenticate to GP using SMAL

RamiAkermi — Mon, 20 Jul 2020 08:49:58 GMT

Hi @MP18 ,

I'm using the same SAML auth profile for both portal and gateway.
I'm suspecting that the callback url for the gateway is wrong.
Since the portal and the gateway are in the same domain, I'm using wildcard FQDN (https://*.X.X.X.X/SAML20/SP/ACS ).
Could it be that the gateway uses a different callback url ?
P.S: they are both using port 443.

Thanks.
Rami

Re: Unable to Authenticate to GP using SMAL

MP18 — Mon, 20 Jul 2020 16:45:15 GMT

@RamiAkermi

They both use same redirect url.

Other thing you can try is to reimport the Certificate again.

Regards

Re: Unable to Authenticate to GP using SMAL

RamiAkermi — Wed, 22 Jul 2020 16:19:35 GMT

Hi @kevin.thomas

Did you get this to work?
I'm having the same issue.
I'm able to connect to the GP portal but not to GP VPN gateway.
Something else, what's the callback url (ACS url ) that you are using for your vpn gateway?

Re: Unable to Authenticate to GP using SAML

johan.boeckx — Fri, 12 Mar 2021 15:13:37 GMT

I am having the same issue. We want to upgrade version 9.1.8 and have a working saml implementation for Globalprotect under 9.0.x . Since now signing and validate "identity provider certificate" is required, signing messages seem obligatory. When I enable the profile with ipc enabled in gateway it works. When I enable it in portal, it doesnt work under version 9.0.x. When I only sign after upgrade under panos 9.1.8, I notice that the translation from UPN (user principal name / emailadresses) to Ad user doesnt work anymore, causing all traffic blocked. I suppose it has something to do with the new saml implementation starting panos 9.1.3 . Did something change on UPN translation on panos 9.1.X ?

The error i get when trying to enable identity provider certificate is :

Failed to validate the signature in IdP certificate "crt.AzureaD-SAML.shared" of entity Id "https://sts.windows.net/xxx"

Re: Unable to Authenticate to GP using SMAL

sandeepchs — Thu, 20 May 2021 16:18:02 GMT

had same issue on my firewall. resolved after re configuring ntp (time settings ). this was because of time difference between SAML authentication URLs and your firewall. default maximum deference is 60s

Re: Unable to Authenticate to GP using SMAL

OykuMiser — Wed, 12 Jun 2024 05:24:09 GMT

I saw this alert on our corporate firewall ; 'Failed to convert SAML message payload into xml tree', as a high level,

Is there anyone to explain what this means and what this situation effects to our SAML vpn configurations?

Please inform to me,

Have a good day.