07-16-2019 03:56 AM
This message appears when uploading an external CA certificate to the system: "Only self signed CA certificates can have identical subject and issuer fields". It's a Microsoft ADFS self-signed CA certificate used to sign SAML messages and we can't change that. Do you know if there's any way to upload this certificate to the system so that we can use it? Thanks!
10-20-2022 01:59 PM
If you are talking about setting up Azure SAML, it seems the XML is the only way. I went through this last month and it is kind of confusing... It seems that under "correct" SAML you should get 1) a root CA certificate for the SAML infrastructure, 2) a public certificate signed by the CA for the Azure SAML gateway, and 3) a private/public signed cert for the Palo Alto. That way you can verify traffic and sign messages in both directions.
However, it seems Azure only supplies you with a single self-signed public certificate for the SAML gateway. The default PaloAlto config has "Validate Identity Provider Certificate" enabled, but that doesn't work unless you have a signing root CA and sub certificates. Likewise, Azure doesn't have a cert from the PA, so it can't validate that either. Instead, all traffic happens over the HTTPS connection from PA to Azure signed by the self-signed certificate.
There are two small notes about this in the KB articles, but they are easy to miss:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE
Step 2 of the PA setup:
Option: Uncheck Validate Identity Provider Certificate. If checked, the certificate from Azure needs to be uploaded on the firewall as well.
Step 2.5 of the SAML Authentication KB:
If your IdP signing certificate is a self-signed certificate, there is no chain of trust; as a result, you cannot enable this option. The firewall always validates the signature of the SAML Responses or Assertions against the Identity Provider certificate that you configure whether or not you enable the Validate Identity Provider Certificate option. If your IdP provides a self-signed certificate, ensure that you are using PAN-OS 9.1.3 or a later 9.1 version to mitigate exposure to CVE-2020-2021.
So you end up with a Device->Server Profiles->SAML Identity Provider configuration that has "Validate Identity Provider Certificate" disabled and a Device->Authentication Profile configuration that has "Certificate for Signing Requests" and "Certificate Profile" set to None.
10-27-2022 09:08 AM
Thanks for the help. Support did point me to this article which worked. As you said, also needed to uncheck the Validate IdP Cert box in the SAML config. It is for Azure MFA when using Global Protect. Thanks again!
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNrkCAG
06-01-2023 09:24 PM
Tried the steps below but unable to use the certificate in the Server profile for the Identity Provider Certificate.
1) Export XML config.
2) Set the CA flag.
3) Re-Import XML config.
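The upload error quoted at the top of the thread, and the "set the CA flag" workaround above, both come down to one check: a certificate whose subject equals its issuer is accepted only if its basicConstraints extension says CA. The following added example (not code from Palo Alto Networks or from anyone in this thread) reproduces that check on a PEM certificate and builds two constructed self-signed samples, one without and one with the CA flag; it assumes the third-party `cryptography` package is installed.

```python
"""Added example: classify an X.509 certificate the way the PAN-OS upload check
quoted above does (same subject and issuer only allowed for CA certs).
Assumes the third-party `cryptography` package is installed."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.x509.oid import NameOID


def classify_certificate(pem: bytes) -> dict:
    """Return why a PEM cert would or would not pass the subject==issuer check."""
    cert = x509.load_pem_x509_certificate(pem)
    same_name = cert.subject == cert.issuer
    try:
        is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        is_ca = False  # no basicConstraints at all: treat as an end-entity cert
    # A truly self-signed cert also verifies under its own public key (RSA assumed here).
    self_signed = False
    if same_name:
        try:
            cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     padding.PKCS1v15(), cert.signature_hash_algorithm)
            self_signed = True
        except Exception:
            self_signed = False
    return {
        "same_subject_issuer": same_name,
        "self_signed": self_signed,
        "is_ca": is_ca,
        # The firewall message fires when subject == issuer but the CA flag is absent.
        "accepted": (not same_name) or is_ca,
    }


def make_self_signed(common_name: str, ca: bool) -> bytes:
    """Constructed sample: a self-signed cert with or without the CA flag set."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)
```

An ADFS token-signing certificate typically looks like the `ca=False` sample, which is exactly the case the firewall rejects; the `ca=True` sample passes the same check.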
04-29-2024 01:52 PM
Hello Everyone!
I know it's an old post, but I'm sure people are still running into issues (like myself).
Can someone from PA put together a KB article with the correct process to accomplish this?
06-19-2024 07:21 AM
I ran into the same issue.
I had to use the Federation Metadata XML from Azure and import that through the Authentication Profile.
Create a new auth profile, choose Type SAML, then in IdP Server Profile choose Import. This will load the cert, which allows you to switch your existing SAML setup to using it. Then you can delete the auth profile you used to load the cert.