08-24-2019 06:49 PM
We are on PAN-OS 8.0.6 and have GlobalProtect and SAML w/ Okta setup. It has worked fine as far as I can recall.
However when we went to upgrade to 8.0.19 and any later version (after trying that one first), our VPN stopped working.
The client would just loop through Okta sending MFA prompts.
On the web client, we got this error: "Authentication failed Error code -1" with "/SAML20/SP/ACS" appended to the URL of the VPN site (after successfully authenticating with Okta.
When I downgrade PAN-OS back to 8.0.6, everything goes back to working just fine. No changes are made by us during the upgrade/downgrade at all.
Any advice/suggestions on what to do here?
02-18-2020 03:47 PM
Hello, I’d found that this was a certificate issue and I needed to renew a certificate even though it wasn’t technically expiring for another month.
when you get this error, what does the system log say? It should be a very recent entry after you get the error.
02-19-2020 07:20 AM
I am getting the following error, I re-posted because I should have taken some of the URLs out. It is strange it is not showing a user name.
Client '' received out-of-band SAML message: <?xml version="1.0" encoding="UTF-8"?><saml2p:Response Destination="https://xxx.gov:443/SAML20/SP/ACS" ID="idxxx" IssueInstant="2020-02-19T15:13:57.156Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/xxx</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3
SAML SSO authentication failed for user ''. Reason: SAML web single-sign-on failed. reply message 'Reason: SAML web single-sign-on failed.'
07-19-2020 03:54 PM
03-10-2021 11:46 AM
I am also facing the same issue with Panorama -> Prisma -> 10.0.4 version as well. Using the Prisma App provided in Okta portal. Any guidance or direction would be appreciated. Thanks!
05-20-2021 09:14 AM - edited 05-20-2021 09:15 AM
I had same issue on my firewall. resolved after re configuring ntp (time settings ). this was because of time difference between SAML authentication URLs and your firewall. default maximum deference is 60s
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!