GlobalProtect SAML Metadata

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect SAML Metadata

Hi Experts,

 

I have configured Azure SAML SSO for GlobalProtect. When I try to export Metadata from PaloAlto FW for global-protect service, there is a mandatory section to select which virtual system. But in my case, there is no virtual system to select from. I am not sure what's the issue. Any idea what's going on?

 

SAML metadata.PNG

Thanks for your help in advance!

17 REPLIES 17

L6 Presenter

@Sahir_Algharibih,

 

Do you see default vsys in drop-down?

 

Mayur

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

There is nothing in the drop-down. It’s empty. That’s why I am asking to see if anyone had such issue from before.

 

Thanks

Hi Sahir,

 

Did you get ever get a fix for this issue? I have exactly the same problem.

 

Thanks

i had same issue while generating metadata xml file from palo alto firewall. delete saml profile and create it again worked for me. it's showing vsys1 

Hi @adityajoshi 

 

I did delete and created the profile several times, still same issue. I think SAML is not working for me, because of the way our Azure environment setup, where the firewall is pulling a private IP address from Azure DHCP & that is being Natted by Azure, where we have no control over it.

 

Was your setup in Azure too? if so, can you please provide the steps you used to get it work?

 

Thanks,
Sahir

Hi @MartinLuff, please see my answer to @adityajoshi below

I tried deleting it multiple times, created a new SAML Server profile, new auth profile and still nothing. Anyone know what it could be?

Eric Rivera
Network Administrator

Is your GP solution in Azure or local?

Hi,

 

Yes, the issue is the way Azure environment is built. From experience, you can't get SAML running because your Azure FW is using a private IP address from a DHCP server, and that private IP get's natt'ed by Azure on your behalf. All that, causes it to break. I've tested the same SAML configuration on a local firewall, and it worked first time. Therefore, Azure is no longer an option for our GP solution.

 

I hope that helps!

 

Thanks 

Hi,

I'm currently experiencing this on an on-premise PA-220 firewall. When you want to export the Metadata file from the firewall, the authentication profile is there already. However, clicking the VSYS drop-down gives no value and so the 'OK' button is greyed out.

Firewall is running PAN-OS 9.0.5.

 

Did you have to do anything else to export it successfully?

'vsys1' is supposed to show up as an option.

Did you try to type in `vsys1` manually to see if it lets you?

Just fyi, I have this working in an Azure environment, with a private IP on the virtual firewall in Azure, and didn't run into this problem... SAML works fine to Azure.

What firewall you running? can you share your configuration?

 

Thanks,
Sahir

L4 Transporter

I have the same problem, can anybody share your solution for fixed it?

  • 10782 Views
  • 17 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!