paloalto login method using okta saml authentication

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

paloalto login method using okta saml authentication

L1 Bithead

I am trying to log in to the firewall admin ui using okta's saml2.0 authentication.
OKTA created a new SAML2.0 application, and the certificate was linked by creating a Self Sign certificate in the firewall.
However, when trying to log in to SSO, it redirects to the okta page, but when logging in, SSO Fail appears.


022-05-26 16:04:09.559 +0900 Failure while validating the signature of SAML message received from the IdP "http://www.okta.com/exk16pn7t7a8zHGEm697", because the certificate in the SAML Message doesn't match the IDP certificate configured on the IdP Server Profile "oktatest". (SP: "Administrator WebUI"), (Client IP: 10.50.102.56), (vsys: shared), (authd id: 7098494957807207197), (user: ywseo@kakao.com)
2022-05-26 16:04:09.559 +0900 Error: _handle_signature(pan_authd_saml_internal.c:1603): _extract_x509cert_cmp_idp_cert_or_build_cr()
2022-05-26 16:04:09.559 +0900 Error: _parse_sso_response(pan_authd_saml.c:1480): _handle_signature() from IdP "http://www.okta.com/exk16pn7t7a8zHGEm697"
2022-05-26 16:04:09.559 +0900 Error: _handle_request(pan_authd_saml.c:2169): occurs in _parse_sso_response()
2022-05-26 16:04:09.559 +0900 SAML SSO authentication failed for user 'ywseo@kakao.com'. Reason: SAML web single-sign-on failed. auth profile 'ywseookta', vsys 'shared', server profile 'oktatest', IdP entityID 'http://www.okta.com/exk16pn7t7a8zHGEm697', reply message 'SAML single-sign-on failed' From: 10.50.102.56.
2022-05-26 16:04:09.559 +0900 debug: _log_saml_respone(pan_auth_server.c:401): Sent PAN_AUTH_FAILURE SAML response:(authd_id: 7098494957807207197) (SAML err code "2" means SSO failed) (return username 'ywseo@ kakao.com') (auth profile 'ywseookta') (reply msg 'SAML single-sign-on failed') (NameID 'ywseo@kakao.com') (SessionIndex '_9fb9d102aa025b3939bce9ed603a1208') (Single Logout enabled? 'No') (Is it CAS (cloud-auth-service)? 'No')

Here's the authd.log... what did I do wrong?

Paloalto SE
4 REPLIES 4

L1 Bithead

I saw this and did it. But there was a problem...T.T

Paloalto SE

L3 Networker

Hi @SeoYongwoon,

 

I saw your post, please refer to this document https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-saml-authenticati... 

 

If you are still facing this issue, I recommend you open a support case so that the next available engineer can help you with this.

 

Devanshu Taneja

Product specialist  

Palo Alto Networks  

https://live.paloaltonetworks.com/t5/aiops-for-ngfw/ct-p/AIOps_for_NGFW  

*Don’t forget to accept the solution provided!*
 

 

I have refered the document too.
However when I checked the logs, it seems to be the certificate problem.

[Test Process]
1) Generated a Self-signed CA from PAN FW and exported it.
2) Made a Okta SAML Application and enabled Single Logout.
3) Uploaded the Selfcertificate to Okta.

[Query]
1)Does this be authenticated through the certificate I have imported?
2)If we import a idp meta data although it's not a root CA and creates a certificate, then do we have to use this certificate?

Paloalto SE

Hi @SeoYongwoon,

 

It seems to be the issue on the PAN-OS side that requires some investigation. So, I recommend you open a support case.

 

Devanshu Taneja

Product Specialist

Palo Alto Networks

https://live.paloaltonetworks.com/t5/aiops-for-ngfw/ct-p/AIOps_for_NGFW

 

  • 4083 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!