Azure SAML Authentication with multiple PAs

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Azure SAML Authentication with multiple PAs

L4 Transporter



We have a GP configuration with 8 GP Gateways and 2 of them are acting as a GP Portal for backup.

We are using SAML authentication with Azure and wanted to know how to you deploy GP with SAML authentication in large scale.

Currently I have configured 3 SAML apps on Azure one for each PA device but I think it is not the right configuration since now I am getting that each SAML App's domain need to be unique and the Portal domain is for example: and I need to deploy it to 2 SAML Apps.

My assumptions are that because we only use SP Initiated SAML authentication meaning that the authentication process starts at the PA device I can just add all of the domains that are relevant on a single SAML App and install that Metadata file on all of the Pas. Am I right ?




L3 Networker

I just have installed 2 standalone Palo Alto's with SAML. With only 1 Enterprise App in Azure.

So i don't think you need more apps.

Why would you need 2 Apps ?

probably my missunderstanding.

so you have put both of the PA's URLs on the SAML App on Azure ? 

and import the metadata to both of the PAs ? 




Yes i've add both PA URL's in Azure in the same app, see below.

In our case we use an Azure Loadbalancer for the balanced portal configuration.

That portal points to the direct addresses of the firewall for the gateway connectivity.





The whole point of SSO/SAML is to use a single identity provider/authentication provider (Azure AD in this case) and have multiple serviceproviders (GP Portal and Gateways in this case) use it.


Did you manage to get it working ?

L4 Transporter

with single enterprise agent deployed you should be fine.

You just need to add multiple Identifier ( each fw for example ) and reply URL 

It is working.



SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 |

Hi, is this working? I'm trying to implement the same 

I have added different identifier and still not working, 


L4 Transporter

yes it is working as i described, 1 enterprise SAML application with all the domains that your PA are using by the way if you have a lot i thing your can use *.my.domain for example (although i don't think it is best practice)

if you have problems you can try the "miniOrange SAML Tracer" extention maybe you will see the SAML Assertions

Thank you for the reply,  I use the Globalprotect portal in Azure, like this, "" and it's working fine.  For gateway , its running in on-prem firewall "" ,  I have added in the "" ( same Azure Enterprise app) and imported metadata. Still not working. I'll try the fresh installation. 

L3 Networker

Hi @BalaBWV , if AAD responds with "invalid identifier" make sure you've included the port in the Entity ID in the Enterprise app like in @sebastianvd's screenshot, i.e. as that is what the auth profile presents to the client / SP in the request. As long as you have both identities and ACS included in the app it should work for both portal and gateway.

  • 10 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!