02-07-2023 09:51 AM
We have configured GlobalProtect SAML authentication with port 443 in Azure AD, but we need to configure it with the custom port number 1194. Is it possible?
02-20-2024 07:20 AM - edited 02-20-2024 07:25 AM
We encountered the same difficulty while trying to configure the GP port with a custom port number.
What do we need to configure under every section if we want to use a custom port like '10443'?
Do I need to put ":10443" after the "test" and before the "/"?
And if so, do I need to do that under every section?
02-20-2024 09:00 AM
After authentication, packets from Azure's SAML requests are restricted to pass through Palo Alto firewalls only on port 443. If you require a custom port, you'll need to create two NAT policies: one for port 443 and another for the custom port.
02-20-2024 09:16 AM
Hi @n.major ,
The MS doc for GP/Azure is missing the port numbers. The PANW doc includes the port numbers (scroll down in red). https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE
The doc also answers your question. Where do I put the port numbers and on which URLs?
Thanks,
Tom
02-20-2024 09:22 AM
If I remember correctly, I've configured it that way.
But as per what you say, I don't need to change the SAML links on the Palo Alto firewall side, but I need to add a configuration of a
source NAT and destination NAT?
02-20-2024 09:24 AM
Thank you for your reply!
But in the KB link that you sent me it is talked about as a 'regular' port and not a custom port.
I have managed to make it work as expected with port number 443 (with integration to SAML).
But when I change it to a custom port in the GP portal config and on the Azure side, I get an error message.
02-20-2024 09:28 AM
Hi @n.major ,
That is what @vasanth0611 said. I haven't looked into changing the port on the PANW side, but you can use NAT to do it.
Create an outbound destination NAT rule to change the port from 443 to 10443, and it should work.
Thanks,
Tom
02-20-2024 09:39 AM - edited 02-20-2024 09:42 AM
Maybe I wasn't so clear.
When I put the URL of the portal in the web browser I get the correct result and I am redirected to the SAML.
On the SAML side I get past the credential part and get a 2FA prompt, which I approve.
Then my screen loads, and I get an error message:
"AADSTS700016: Application with identifier 'https://test.com:443/SAML20/SP' was not found in the directory 'test.test'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant"
If you look carefully at the error you can see that it specifies port number 443 and not 10443, so my feeling is that there is something wrong in the communication between the PA firewall and Azure's SAML on the last handshake.
So the network side of the configuration seems to work fine.
02-22-2024 06:37 AM
Hi @n.major ,
Thank you. It may be best if we build a ladder diagram of the communication between the NGFW and Azure.
Hi @vasanth0611 , Did you get this working?
Thanks,
Tom
02-22-2024 10:58 AM
The correct flow is this:
The user makes an authentication request to the equipment.
The equipment bounces and redirects the user to SAML.
The user goes through an authentication and identification procedure with the SAML and receives a token after successful authentication and identification.
With the identification token, the user returns to the equipment.
The equipment verifies the token against the cloud and allows access.
So by this flow and the scenario I'm in, the failure happens when the FW verifies the token against the cloud.
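The AADSTS700016 message quoted above names the SP identifier Azure actually received, 'https://test.com:443/SAML20/SP', and the flow just described says the redirect to the IdP carries that identifier. The practical check, before touching NAT, is to capture the redirect URL the firewall sends the browser to, decode its SAMLRequest parameter, and compare the Issuer and AssertionConsumerServiceURL with what is registered on the Azure side. The script below does that; it is an added example, not code from the thread or from Palo Alto Networks, and the AuthnRequest, the ACS path '/SAML20/SP/ACS', the tenant URL and the registered identifier 'https://test.com:10443/SAML20/SP' are constructed to mirror the error in the thread, not captured from a firewall.

```python
"""
Decode the SAMLRequest from an HTTP-Redirect binding URL and compare the
SP entity ID (Issuer) and ACS URL with what the IdP has registered.
Added example; the request below is constructed, not captured from a firewall.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def encode_redirect_request(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_saml_request(value: str) -> str:
    """Reverse of the above; falls back to plain base64 (HTTP-POST binding)."""
    raw = base64.b64decode(value)
    try:
        return zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error:
        return raw.decode("utf-8")


def parse_authn_request(xml_text: str) -> dict:
    """Pull the fields the IdP matches against its app registration."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{NS_SAML}}}Issuer")
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
    }


def effective_port(url: str) -> int:
    """Port a URL resolves to, with the scheme default when none is written."""
    parts = urlsplit(url)
    return parts.port or (443 if parts.scheme == "https" else 80)


def audit_redirect(redirect_url: str, registered_identifier: str, expected_port: int) -> dict:
    """Compare a captured IdP redirect with the identifier and port registered at the IdP."""
    query = parse_qs(urlsplit(redirect_url).query)
    if "SAMLRequest" not in query:
        raise ValueError("no SAMLRequest parameter in URL")
    fields = parse_authn_request(decode_saml_request(query["SAMLRequest"][0]))
    fields["issuer_matches_registration"] = fields["issuer"] == registered_identifier
    fields["acs_port"] = effective_port(fields["acs_url"]) if fields["acs_url"] else None
    fields["acs_port_matches"] = fields["acs_port"] == expected_port
    return fields


# Constructed AuthnRequest mirroring the error in the thread: the SP still
# identifies itself with :443 although the portal was moved to 10443.
# The ACS path and tenant URL are assumptions for the example.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0" '
    'IssueInstant="2024-02-20T09:39:00Z" '
    'Destination="https://login.microsoftonline.com/test.test/saml2" '
    'AssertionConsumerServiceURL="https://test.com:443/SAML20/SP/ACS">'
    '<saml:Issuer>https://test.com:443/SAML20/SP</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
SAMPLE_REDIRECT_URL = (
    "https://login.microsoftonline.com/test.test/saml2?SAMLRequest="
    + quote(encode_redirect_request(SAMPLE_AUTHN_REQUEST), safe="")
)

# Assumed values registered on the Azure enterprise application for the example.
REGISTERED_IDENTIFIER = "https://test.com:10443/SAML20/SP"
EXPECTED_PORT = 10443

if __name__ == "__main__":
    for key, value in audit_redirect(SAMPLE_REDIRECT_URL, REGISTERED_IDENTIFIER, EXPECTED_PORT).items():
        print(f"{key}: {value}")
```

On a real capture, paste the Location header of the 302 from the portal into `audit_redirect` in place of the constructed URL. If `issuer_matches_registration` is False while the browser reached the portal on the custom port, the problem is the identifier the SP puts in the request, which a NAT rule that only rewrites the TCP port will not change; the Identifier (Entity ID) on the Azure side and the SP identifier on the firewall must be the same string, port included.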
04-19-2024 03:42 AM
I have the same problem. I think that the FW does not know how to return the authentication request to the changed port and only uses 443.
04-21-2024 04:09 AM
I have not found any solution.
I'm doing it with the basic port number 443 when using SAML, so if you find a solution please @ me.
07-17-2024 02:41 AM
Hi Vasanth0611,
I recently encountered this problem, but I don't quite understand the two NAT policies you mentioned. Could you please explain them in more detail?