Gateway certificate error when switching to SAML authentication

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Gateway certificate error when switching to SAML authentication

L1 Bithead

I am testing changing our authentication for GlobalProtect from AD LDAP on premises servers to using Azure AD saml. I have the authentication working fine at the portal; the system logs show successful authentication. But then I get  "Could not verify the server certificate of the gateway." on the client. The GlobalProtect logs on the firewall show the successful connection to the portal, but nothing at all on the gateway. There are no errors at all in the firewall logs, and I don't see anything more than the above error in the collected client logs.

I am testing this on a pa220 that has been working using LDAP. The portal and gateway are on the same interface and using the same certificate, a wildcard from Godaddy. If I swap the authentication profile back to the LDAP one and change nothing else, it works again.

Any ideas?

1 accepted solution

Accepted Solutions

L6 Presenter

The client gets the Gateway information from the Portal agent config under the External tab. You can specify the gateways by FQDN or IP in the configuration. Something to look at might be the certificate attributes. If you are using SAML for the Portal auth then you need the portal FQDN in the certificate, if the Gateway then the gateway FQDN. If you use the same certificate for both then you need both names. The certificate should include a SAN section (certificate Subject Alternative Name) with all the FQDNs listed. Likewise, the matching FQDNs should be listed in the Azure SAML config for the IDP Identifier, Reply URL, and Sign on URL fields. 

View solution in original post

3 REPLIES 3

L1 Bithead

I got some time to dig further into the client logs yesterday and found that the certificate mismatch is because the client receives the IP address for the gateway rather than the FQDN that is defined in the portal. When the client retrieves the gateway information, does it get it from somewhere other than the agent configs on the portal?

L6 Presenter

The client gets the Gateway information from the Portal agent config under the External tab. You can specify the gateways by FQDN or IP in the configuration. Something to look at might be the certificate attributes. If you are using SAML for the Portal auth then you need the portal FQDN in the certificate, if the Gateway then the gateway FQDN. If you use the same certificate for both then you need both names. The certificate should include a SAN section (certificate Subject Alternative Name) with all the FQDNs listed. Likewise, the matching FQDNs should be listed in the Azure SAML config for the IDP Identifier, Reply URL, and Sign on URL fields. 

L1 Bithead

Thank you for your response. I had those things correct, but in double checking them to make sure of that, I saw that the problem was username format. I had multiple agent configs in the portal, but they were looking for domain\username format while the SAML was providing username@domain. A final default agent config that hasn't been used in years was configured with IP. Now I just need to figure out usernames, etc.

  • 1 accepted solution
  • 2627 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!