05-26-2022 12:20 AM
I am trying to log in to the firewall admin ui using okta's saml2.0 authentication.
OKTA created a new SAML2.0 application, and the certificate was linked by creating a Self Sign certificate in the firewall.
However, when trying to log in to SSO, it redirects to the okta page, but when logging in, SSO Fail appears.
2022-05-26 16:04:09.559 +0900 Failure while validating the signature of SAML message received from the IdP "http://www.okta.com/exk16pn7t7a8zHGEm697", because the certificate in the SAML Message doesn't match the IDP certificate configured on the IdP Server Profile "oktatest". (SP: "Administrator WebUI"), (Client IP: 10.50.102.56), (vsys: shared), (authd id: 7098494957807207197), (user: ywseo@kakao.com)
2022-05-26 16:04:09.559 +0900 Error: _handle_signature(pan_authd_saml_internal.c:1603): _extract_x509cert_cmp_idp_cert_or_build_cr()
2022-05-26 16:04:09.559 +0900 Error: _parse_sso_response(pan_authd_saml.c:1480): _handle_signature() from IdP "http://www.okta.com/exk16pn7t7a8zHGEm697"
2022-05-26 16:04:09.559 +0900 Error: _handle_request(pan_authd_saml.c:2169): occurs in _parse_sso_response()
2022-05-26 16:04:09.559 +0900 SAML SSO authentication failed for user 'ywseo@kakao.com'. Reason: SAML web single-sign-on failed. auth profile 'ywseookta', vsys 'shared', server profile 'oktatest', IdP entityID 'http://www.okta.com/exk16pn7t7a8zHGEm697', reply message 'SAML single-sign-on failed' From: 10.50.102.56.
2022-05-26 16:04:09.559 +0900 debug: _log_saml_respone(pan_auth_server.c:401): Sent PAN_AUTH_FAILURE SAML response:(authd_id: 7098494957807207197) (SAML err code "2" means SSO failed) (return username 'ywseo@ kakao.com') (auth profile 'ywseookta') (reply msg 'SAML single-sign-on failed') (NameID 'ywseo@kakao.com') (SessionIndex '_9fb9d102aa025b3939bce9ed603a1208') (Single Logout enabled? 'No') (Is it CAS (cloud-auth-service)? 'No')
Here's the authd.log... what did I do wrong?
05-26-2022 03:13 AM
I saw this and did it. But there was a problem...T.T
05-26-2022 02:32 PM
Hi @SeoYongwoon,
I saw your post, please refer to this document https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-saml-authenticati...
If you are still facing this issue, I recommend you open a support case so that the next available engineer can help you with this.
Devanshu Taneja
Product specialist
Palo Alto Networks
https://live.paloaltonetworks.com/t5/aiops-for-ngfw/ct-p/AIOps_for_NGFW
05-26-2022 06:08 PM
I have referred to the document too.
However, when I checked the logs, it seems to be a certificate problem.
[Test Process]
1) Generated a self-signed CA from the PAN FW and exported it.
2) Made an Okta SAML application and enabled Single Logout.
3) Uploaded the self-signed certificate to Okta.
[Query]
1) Is this authenticated through the certificate I have imported?
2) If we import IdP metadata, although it's not a root CA, and it creates a certificate, then do we have to use this certificate?
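An added example, not from this thread or from PAN-OS, of the check that the authd.log line `_extract_x509cert_cmp_idp_cert_or_build_cr()` refers to: the certificate carried in the SAML Response's ds:KeyInfo is compared against the certificate configured on the IdP Server Profile, so a profile holding the firewall's own self-signed certificate instead of Okta's signing certificate fails exactly as logged. The two certificate blobs below are constructed placeholders rather than real X.509 DER, and XML signature verification itself is not performed, only the certificate-match precheck.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders standing in for base64 DER certificates (not real certs).
OKTA_SIGNING_CERT_B64 = base64.b64encode(b"constructed-okta-idp-signing-cert").decode()
FW_SELF_SIGNED_CERT_B64 = base64.b64encode(b"constructed-firewall-self-signed-cert").decode()

# Constructed SAML Response: Okta signs with its own IdP certificate, which it embeds in KeyInfo.
SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp1" Version="2.0">
  <saml:Issuer>http://www.okta.com/exk16pn7t7a8zHGEm697</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{OKTA_SIGNING_CERT_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""


def der_fingerprint(b64_cert: str) -> str:
    """SHA-256 over the decoded DER bytes; tolerates PEM-style line wrapping."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def certs_in_saml_message(xml_text: str) -> list:
    """Fingerprints of every X509Certificate in the message (Response or Assertion signature)."""
    root = ET.fromstring(xml_text)
    return [der_fingerprint(el.text) for el in root.iterfind(".//ds:X509Certificate", NS)]


def check_idp_cert(xml_text: str, configured_idp_cert_b64: str) -> tuple:
    """Precheck as the SP does it: the signing cert in the message must equal the
    IdP certificate configured on the IdP Server Profile. Returns (ok, detail)."""
    expected = der_fingerprint(configured_idp_cert_b64)
    found = certs_in_saml_message(xml_text)
    if not found:
        return False, "no X509Certificate in SAML message"
    if expected in found:
        return True, f"certificate matches configured IdP cert {expected[:16]}..."
    return False, (f"certificate in the SAML message ({found[0][:16]}...) doesn't match "
                   f"the IdP certificate on the server profile ({expected[:16]}...)")


if __name__ == "__main__":
    # Profile holding the firewall's own self-signed cert fails; Okta's signing cert passes.
    print(check_idp_cert(SAML_RESPONSE, FW_SELF_SIGNED_CERT_B64))
    print(check_idp_cert(SAML_RESPONSE, OKTA_SIGNING_CERT_B64))
```

The fix this models is to put the IdP's signing certificate (from the Okta application's IdP metadata) on the IdP Server Profile, rather than the certificate the firewall generated for itself.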
05-27-2022 09:16 AM - edited 05-27-2022 09:30 AM
Hi @SeoYongwoon,
It seems to be the issue on the PAN-OS side that requires some investigation. So, I recommend you open a support case.
Devanshu Taneja
Product Specialist
Palo Alto Networks
https://live.paloaltonetworks.com/t5/aiops-for-ngfw/ct-p/AIOps_for_NGFW