topic Re: GlobalProtect SAML Metadata in General Topics

GlobalProtect SAML Metadata

Sahir_Algharibih — Mon, 17 Feb 2020 21:54:13 GMT

Hi Experts,

I have configured Azure SAML SSO for GlobalProtect. When I try to export Metadata from PaloAlto FW for global-protect service, there is a mandatory section to select which virtual system. But in my case, there is no virtual system to select from. I am not sure what's the issue. Any idea what's going on?

Thanks for your help in advance!

Re: GlobalProtect SAML Metadata

SutareMayur — Tue, 18 Feb 2020 02:43:16 GMT

@Sahir_Algharibih,

Do you see default vsys in drop-down?

Mayur

Re: GlobalProtect SAML Metadata

Sahir_Algharibih — Tue, 18 Feb 2020 02:55:18 GMT

There is nothing in the drop-down. It’s empty. That’s why I am asking to see if anyone had such issue from before.

Thanks

Re: GlobalProtect SAML Metadata

MartinLuff — Fri, 06 Mar 2020 17:02:35 GMT

Hi Sahir,

Did you get ever get a fix for this issue? I have exactly the same problem.

Thanks

Re: GlobalProtect SAML Metadata

adityajoshi — Sat, 07 Mar 2020 15:48:45 GMT

i had same issue while generating metadata xml file from palo alto firewall. delete saml profile and create it again worked for me. it's showing vsys1

Re: GlobalProtect SAML Metadata

Sahir_Algharibih — Sat, 07 Mar 2020 15:58:15 GMT

Hi @adityajoshi

I did delete and created the profile several times, still same issue. I think SAML is not working for me, because of the way our Azure environment setup, where the firewall is pulling a private IP address from Azure DHCP & that is being Natted by Azure, where we have no control over it.

Was your setup in Azure too? if so, can you please provide the steps you used to get it work?

Thanks,
Sahir

Re: GlobalProtect SAML Metadata

Sahir_Algharibih — Sat, 07 Mar 2020 19:25:17 GMT

Hi @MartinLuff, please see my answer to @adityajoshi below

Re: GlobalProtect SAML Metadata

Eric_Rivera — Wed, 01 Apr 2020 15:59:13 GMT

I tried deleting it multiple times, created a new SAML Server profile, new auth profile and still nothing. Anyone know what it could be?

Re: GlobalProtect SAML Metadata

Sahir_Algharibih — Wed, 01 Apr 2020 17:10:26 GMT

Is your GP solution in Azure or local?

Re: GlobalProtect SAML Metadata

Sahir_Algharibih — Wed, 01 Apr 2020 17:14:28 GMT

Hi,

Yes, the issue is the way Azure environment is built. From experience, you can't get SAML running because your Azure FW is using a private IP address from a DHCP server, and that private IP get's natt'ed by Azure on your behalf. All that, causes it to break. I've tested the same SAML configuration on a local firewall, and it worked first time. Therefore, Azure is no longer an option for our GP solution.

I hope that helps!

Thanks

Re: GlobalProtect SAML Metadata

Bocsa — Tue, 14 Apr 2020 11:39:36 GMT

Hi,

I'm currently experiencing this on an on-premise PA-220 firewall. When you want to export the Metadata file from the firewall, the authentication profile is there already. However, clicking the VSYS drop-down gives no value and so the 'OK' button is greyed out.

Firewall is running PAN-OS 9.0.5.

Did you have to do anything else to export it successfully?

Re: GlobalProtect SAML Metadata

ksalustro — Tue, 15 Dec 2020 21:18:30 GMT

'vsys1' is supposed to show up as an option.

Did you try to type in `vsys1` manually to see if it lets you?

Re: GlobalProtect SAML Metadata

ksalustro — Tue, 15 Dec 2020 21:21:30 GMT

Just fyi, I have this working in an Azure environment, with a private IP on the virtual firewall in Azure, and didn't run into this problem... SAML works fine to Azure.

Re: GlobalProtect SAML Metadata

Sahir_Algharibih — Wed, 30 Dec 2020 15:50:35 GMT

What firewall you running? can you share your configuration?

Thanks,
Sahir

Re: GlobalProtect SAML Metadata

Alpalo — Fri, 22 Jul 2022 06:18:04 GMT

I have the same problem, can anybody share your solution for fixed it?

Re: GlobalProtect SAML Metadata

michelealbrigo — Tue, 24 Oct 2023 12:59:11 GMT

I'm on a much newer PanOS version, yet I have a very similar problem.

Platform: PA-5400 with PanOS 10.2.5

I've followed this guide:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-saml-authentication
All certificates are installed and valid (no self-signed), I managed to complete every step, but I'm stuck at Step 5, item 4. I'm supposed to download the SAML metadata to bring it to my IdP, but I can't. Whether I turn on IdP validation and request signing or I turn them off, I get nothing in the box where I should select which service I want to turn SAML on for:

Any clue on what I am missing? Is there any requirement for the request signing certificate? (e.g. it does it have to match the FQDN of the IP of the service route sending SAML requests? And which one is the service route sending them?)

Re: GlobalProtect SAML Metadata

ksalustro — Tue, 24 Oct 2023 14:03:16 GMT

I have configured GP with SAML with both Azure and Duo. I have never done step 5 and IMHO, it's not needed. On Azure, I go to Enterprise Applications, go to "Palo Alto Networks - GlobalProtect" then "set up single sign on" and put in the info:

Basic SAML Configuration Identifier (Entity ID) https://vpn.mycompany.com:443/SAML20/SP
Reply URL (Assertion Consumer Service URL) https://vpn.mycompany.com:443/SAML20/SP/ACS
Sign on URL https://vpn.mycompany.com
Relay State (Optional)
Logout Url (Optional)

Re: GlobalProtect SAML Metadata

michelealbrigo — Wed, 25 Oct 2023 06:21:59 GMT

Sorry, I apparently posted in the wrong thread, after opening a dozen from Live Community: I am NOT using Azure.

My SAML IdP is internal, and our system require a two-way trust between IdP (the SAML SSO portal) and Sp (the firewall). Nonetheless, even disabling the related configuration on the firewall, I can't export the metadata for the IdP.