Unable to Authenticate to GP using SAML

L4 Transporter

On PA 8.1.19 we have configured the GP portal and gateway for SAML authentication in Azure.

We have imported the SAML Metadata XML into SAML identity provider in PA.

Authentication Failed

Please contact the administrator for further assistance

Error code: -1

When I go to the GP URL, I get the authentication on my phone and I approve it, then I get this error in the browser.

PA system log shows a SAML authentication error.

Server team says that SAML is working fine as it authenticates the user.

 

Any ideas how we can proceed on this?

MP

Accepted Solutions
L4 Transporter

Re: Unable to Authenticate to GP using SAML

Issue was fixed by exporting the right cert from Azure.

The XML metadata file in Azure was using an inactive cert.

MP
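
The certificate mismatch behind this fix (and reported by the firewall's system log later in this thread) can be checked offline by comparing the certificate embedded in the IdP's signed response with the signing certificates in the metadata XML that was imported into the IdP server profile. This is an added example, not part of the original thread and not Palo Alto Networks or Microsoft code; it assumes the SAML response has already been captured and base64-decoded (for instance with a browser SAML plugin), and the sample XML and placeholder certificate bytes are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def fingerprints(parent):
    """SHA-256 of the DER bytes of each ds:X509Certificate under parent."""
    return {hashlib.sha256(base64.b64decode("".join((c.text or "").split()))).hexdigest()
            for c in parent.iter(DS + "X509Certificate")}

def metadata_certs(metadata_xml):
    """Signing certificates listed in the IdP metadata (as imported on the SP)."""
    fps = set()
    for idp in ET.fromstring(metadata_xml).iter(MD + "IDPSSODescriptor"):
        for kd in idp.iter(MD + "KeyDescriptor"):
            if kd.get("use", "signing") == "signing":  # no 'use' means any use
                fps |= fingerprints(kd)
    return fps

def response_certs(response_xml):
    """Certificates embedded in the ds:Signature blocks of a decoded response."""
    sigs = ET.fromstring(response_xml).iter(DS + "Signature")
    return set().union(*(fingerprints(s) for s in sigs))

def cert_matches(metadata_xml, response_xml):
    """True only if every cert the IdP signed with is present in the metadata."""
    signed_with = response_certs(response_xml)
    return bool(signed_with) and signed_with <= metadata_certs(metadata_xml)

# Constructed sample data: placeholder bytes stand in for real DER certificates.
def keyinfo(raw):
    return (f'<ds:KeyInfo xmlns:ds="{DS[1:-1]}"><ds:X509Data><ds:X509Certificate>'
            f"{base64.b64encode(raw).decode()}"
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")

def sample_metadata(raw):
    return (f'<EntityDescriptor xmlns="{MD[1:-1]}"><IDPSSODescriptor>'
            f'<KeyDescriptor use="signing">{keyinfo(raw)}</KeyDescriptor>'
            "</IDPSSODescriptor></EntityDescriptor>")

def sample_response(raw):
    return ('<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<ds:Signature xmlns:ds="{DS[1:-1]}">{keyinfo(raw)}</ds:Signature></Response>')

if __name__ == "__main__":
    for label, md_cert in (("stale metadata", b"inactive-cert"), ("re-exported", b"active-cert")):
        print(label, cert_matches(sample_metadata(md_cert), sample_response(b"active-cert")))
```

A `False` result for real inputs means the metadata imported on the firewall does not contain the certificate the IdP is currently signing with, which is the condition the accepted fix resolved by exporting the right cert.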

All Replies
L3 Networker

Re: Unable to Authenticate to GP using SAML

Hello

There are various browser plugins (for PC-based browsers, most probably not for the smartphone, so you need to test this from a PC). This plugin helped me a lot while troubleshooting some SAML-related authentication topics.

L4 Transporter

Re: Unable to Authenticate to GP using SAML

I am testing from the PC only.

Will use the SAML extension for Chrome now.

MP
L4 Transporter

Re: Unable to Authenticate to GP using SAML

PA system log shows this error:

and ( description contains 'Failure while validating the signature of SAML message received from the IdP "https://sts.windows.net/7262967a-05fa-4d59-8afd-25b734eaf196/", because the certificate in the SAML Message doesn\'t match the IDP certificate configured on the IdP Server Profile "Azure_GP". (SP: "Global Protect"), (Client IP: 207.228.78.105), (vsys: vsys1), (authd id: 6723816240130860777), (user: xsy@com)' )

MP
L0 Member

Re: Unable to Authenticate to GP using SAML

I am having a similar issue.

GlobalProtect with Azure SAML.

Authentication works fine with the GP portal, but when connecting to the GP gateway, authentication fails with the same error you received. The cert from Azure is an active and valid cert.

My portal and gateway have separate hostnames/IPs.

L4 Transporter

Re: Unable to Authenticate to GP using SAML

Check the authd logs in the PA.

Also check the logs in Azure.

Authd logs in the PA help to find the cause of the error message.

MP