On PA 8.1.19 we have configured GP portal and Gateway for SAML authentic in Azure.
We have imported the SAML Metadata XML into SAML identity provider in PA.
Error code: -1
When I go to GP. url. I get authentic on my phone and I approve it then I get this error on browser.
PA. system log shows sam authentic error.
Server team says that SAML is working fine as it authenticates the user.
Any ideas how can we proceed on this?
Solved! Go to Solution.
There are various browser plugins (for the PC based browsers, most probably not for the smartphone, so you need to test this from a PC). This plugin helped me a lot while trouble shooting some SAML related authentication topics.
PA system log shows this error
and ( description contains 'Failure while validating the signature of SAML message received from the IdP "https://sts.windows.net/7262967a-05fa-4d59-8afd-25b734eaf196/", because the certificate in the SAML Message doesn\'t match the IDP certificate configured on the IdP Server Profile "Azure_GP". (SP: "Global Protect"), (Client IP: 18.104.22.168), (vsys: vsys1), (authd id: 6723816240130860777), (user: xsy@com)' )
I am having a similar issue.
global protect with azure SAML
authentication works fine with the GP Portal, but when connecting to the GP gateway, authentication fails with the same error you received. The Cert from Azure is an active and valid cert.
My portal and gateway have separate hostnames/IPs
I was able to make palo alto admin UI authentication work with SAML.
Now, I want to do the same with GlobalProtect.
A brief history:
I configured a SAML authentication profile for globalprotect and it's working just fine with our globalprotect VPN portal (we use Auth0 as an IDP with Duo MFA).
When trying to do the same with the globalprotect gateway (I'm 100% sure that the authentication profile and the auth0 client settings are correct), I keep getting this error "unknown private header auth-failed-invalid-user-input" and the globalprotect client is showing that it's not able to contact the gateway.
A workaround was using SAML authentication with vpn portal and certificate profile with the gateway.
Now, The problem is that I'm unable to identify VPN source users on Palo alto since I'm using the Common Name of a client SSL cert to identify users and not LDAP or adfs ...
Can someone help me make the saml authentication work with GP VPN gateway?
We have our GP where Portal and Gateway are configured for SAML authentication.
Make sure authentication profile is same for both portal and GW.
Did you check logs on the Duo side?
Hi @MP18 ,
I'm using the same SAML auth profile for both portal and gateway.
I'm suspecting that the callback url for the gateway is wrong.
Since the portal and the gateway are in the same domain, I'm using wildcard FQDN (https://*.X.X.X.X/SAML20/SP/ACS ).
Could it be that the gateway uses a different callback url ?
P.S: they are both using port 443.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!