03-31-2022 07:12 AM
After the upgrade of Pan-OS from 9.1.11 to 10.1.4-h4 last night, our SAML authentication does not work. We have a setup to authenticate the administrators logging into firewall using a SSO SAML profile which redirects to okta and we get authenticated over there.
It was working totally fine with the 9.1.11 version but as soon as I upgrade to 10.x it stopped working. I followed the step upgrade procedure of palo alto to upgrade 9.1.11 > 10.0.0 > 10.0.9 > 10.1.0 > 10.1.4-h4
03-31-2022 08:08 AM
Solution Found:
Looking at the system logs on the PA, this new release is now checking the username being sent in the SAML assertion with the one we are logging in as. Because both of those need to agree with the administrator name, We had to change the Okta Application username format in Credential Details for this Palo Alto app to "Okta username prefix". That change dropped the domain.com from the user name that Okta sent back in the SAML assertion.
03-31-2022 08:08 AM
Solution Found:
Looking at the system logs on the PA, this new release is now checking the username being sent in the SAML assertion with the one we are logging in as. Because both of those need to agree with the administrator name, We had to change the Okta Application username format in Credential Details for this Palo Alto app to "Okta username prefix". That change dropped the domain.com from the user name that Okta sent back in the SAML assertion.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
