02-17-2020 01:54 PM
Hi Experts,
I have configured Azure SAML SSO for GlobalProtect. When I try to export Metadata from PaloAlto FW for global-protect service, there is a mandatory section to select which virtual system. But in my case, there is no virtual system to select from. I am not sure what's the issue. Any idea what's going on?
Thanks for your help in advance!
02-17-2020 06:43 PM
Do you see default vsys in drop-down?
Mayur
02-17-2020 06:55 PM
There is nothing in the drop-down. It’s empty. That’s why I am asking to see if anyone has had such an issue before.
Thanks
03-06-2020 09:02 AM
Hi Sahir,
Did you ever get a fix for this issue? I have exactly the same problem.
Thanks
03-07-2020 07:48 AM
I had the same issue while generating the metadata XML file from the Palo Alto firewall. Deleting the SAML profile and creating it again worked for me. It's showing vsys1.
03-07-2020 07:58 AM
Hi @adityajoshi
I did delete and recreate the profile several times, still the same issue. I think SAML is not working for me because of the way our Azure environment is set up, where the firewall is pulling a private IP address from Azure DHCP and that is being NATed by Azure, where we have no control over it.
Was your setup in Azure too? If so, can you please provide the steps you used to get it to work?
Thanks,
Sahir
03-07-2020 11:25 AM
Hi @MartinLuff, please see my answer to @adityajoshi below
04-01-2020 08:59 AM
I tried deleting it multiple times, created a new SAML Server profile, new auth profile and still nothing. Anyone know what it could be?
04-01-2020 10:10 AM
Is your GP solution in Azure or local?
04-01-2020 10:14 AM
Hi,
Yes, the issue is the way the Azure environment is built. From experience, you can't get SAML running because your Azure FW is using a private IP address from a DHCP server, and that private IP gets NATed by Azure on your behalf. All that causes it to break. I've tested the same SAML configuration on a local firewall, and it worked first time. Therefore, Azure is no longer an option for our GP solution.
I hope that helps!
Thanks
04-14-2020 04:39 AM
Hi,
I'm currently experiencing this on an on-premise PA-220 firewall. When you want to export the Metadata file from the firewall, the authentication profile is there already. However, clicking the VSYS drop-down gives no value and so the 'OK' button is greyed out.
Firewall is running PAN-OS 9.0.5.
Did you have to do anything else to export it successfully?
12-15-2020 01:18 PM
'vsys1' is supposed to show up as an option.
Did you try to type in `vsys1` manually to see if it lets you?
12-15-2020 01:21 PM
Just fyi, I have this working in an Azure environment, with a private IP on the virtual firewall in Azure, and didn't run into this problem... SAML works fine to Azure.
12-30-2020 07:50 AM
What firewall are you running? Can you share your configuration?
Thanks,
Sahir