Ah well, spoke to soon, the certificate shows up in the interface under certificates and is marked as valid, but does not appear when configuring the SAML Identity Provider under the "Identity Provider Certificates" pull down. (all the other certs show up)
Still missing something.
The only case I've seen that is when the certificate is not valid for SAML purposes.
Which provider are you using ?
Do you not have an XML file which you can import, Modify CA flag and commit the change ?
Well, the certificate is in use by the IdP, and 40 plus other service providers are happy with it, but Palo Alto is special I guess. I created the certificate with:
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
C = US
ST = <state>
L = <City>
O = <org Name>
OU = <Department>
CN = <FQDN of IdPserver>
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @@alt_name
DNS.1 = <FQDN of IdPserver>
openssl req -config ./Identity.cnf -new -x509 -nodes -sha256 \
-days 36524 -newkey rsa:2048 -keyout Identity.key \
I am confused by your statement, "Do you not have an XML file which you can import, Modify CA flag and commit the change ?". I have a metadata xml file for the IdP, but import fails due to the certificate being self signed with issue and subject the same. I obviously created the named config export XML file and grafted in the certificate with a CA flag set to Yes and reimported, which got me the certificate in Palo Alto but not the ability to use it in this context. Is there another XML file you are referring to?
Thanks for the help
Ah well, I switch the CA flag back to "No" and reimported the config, still wasn't choosable.
I then created a SAML Idp configuration, selecting an existing certificate used for something else, exported the config, manually switched it to the correct certificate name in the xml, and reimported the config. This imported fine but failed (claiming an invalid certificate) when trying to commit. It appears that the certificate I hacked in is really not functional for Palo Alto
Support is still struggling to offer any kind of work around. At this point, my best bet may be to build a second IdP, since I don't have time to do another certificate rollover and need to get this Global protect MFA config running ASAP.
Thanks for all the help, still wondering how your workaround is supposed to work.
Have never struggled this much with 40+ other SAML/CAS integrations.
I was struggling with this too, but I went over the instructions again and I just found out that at the very first screen when you click the "SAML identity provider" at the bottom, you can click import. And that is where you upload the XLM file from the azure website and it will automatically create the profile and import you certificate as well. I followed the instructions from the support page. If you click too add the profile your self you went to far and the XML file will not work there as it will be giving the CA warning, I hope this helps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!