03-12-2024 01:32 AM
Hi all, I have configured all the required basic SAML configurations in Azure, and assigned a few test AD users to GlobalProtect enterprise application. Also configured those required settings on the Palo Alto end where I import the XML cert, create an authentication profile, and assign the profile to both my gateway and portal. You can refer to my screenshots of those configurations.
The issue I faced: once I am redirected to the Microsoft portal login, and after logging in, I get the below error message.
Can anyone help me find the root cause of this?
Below is my configuration:
03-22-2024 06:05 AM
It seems your time is not synchronized between the firewall and the IdP (Azure), thus the firewall will reject the SAML response.
This is also explained here:
Authentication error due to timestamp in SAML message from IdP - Knowledge Base - Palo Alto Networks
03-12-2024 08:22 AM
Hi Kevin,
Have you checked the authd.log? I would say this could be related to problems with the SAML request/response.
less mp-log authd.log
03-23-2024 12:46 AM
My Palo Alto has already been configured with sg.pool.ntp.org. But do you happen to know where I can configure NTP/timezone for my Azure IdP?
03-25-2024 02:50 PM
I don't know, I've been configuring Azure SAML for multiple regions in different timezones without issues.
Is the firewall configured in the correct timezone besides the NTP server (Device > Setup > Management > Time Zone)? I'm asking this because all SAML messages are in UTC format, maybe your problem is the firewall not being in the correct time zone and the converted time to UTC is not matching Azure's.
04-08-2024 03:09 AM
Thanks @Anderson_D! I managed to resolve this error.
Now I have a new error: I am now able to log in from the browser, but when I try to log in from the GlobalProtect app itself, I get the error shown in the attached image "121". Do you know which setting I missed?
04-08-2024 07:10 AM
Make sure your Global Protect URL matches the URL identifier configured in Azure, otherwise the request will be denied.
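The two failure modes discussed in this thread, a SAML response rejected because the service provider's clock disagrees with the IdP's UTC timestamps, and a response rejected because the audience or destination does not match what the service provider expects, can both be reproduced with a small validator. The following is an added example written for this page; it is not code from the thread, from Palo Alto Networks or from Microsoft. It uses only the Python standard library, the sample response is constructed (placeholder tenant ID and example.com URLs), the XML is reduced to the elements being checked (no signature verification), and the 60-second skew tolerance is a value chosen for the example rather than any product default.

```python
"""Check the time window and audience/destination of a SAML 2.0 Response the
way a service provider (for example a VPN portal) does before accepting it.

Added example for illustration; the response below is constructed, not captured."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# What the service provider is configured with (placeholders for this example).
SP_ENTITY_ID = "https://vpn.example.com:443/SAML20/SP"
ACS_URL = "https://vpn.example.com:443/SAML20/SP/ACS"

# Constructed response: issuer tenant ID and URLs are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://vpn.example.com:443/SAML20/SP/ACS"
    IssueInstant="2024-03-22T06:05:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion>
    <saml:Conditions NotBefore="2024-03-22T06:00:00Z" NotOnOrAfter="2024-03-22T07:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://vpn.example.com:443/SAML20/SP</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_instant(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC ('Z' suffix); some IdPs add fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAML timestamp: {value!r}")


def validate_response(xml_text: str, now_utc: str, sp_entity_id: str,
                      acs_url: str, skew_seconds: int = 60) -> list:
    """Return a list of rejection reasons (empty list means the response is acceptable).

    now_utc is the SP's idea of the current time, written as a SAML-style UTC timestamp,
    so a clock that is hours off from the IdP shows up directly as a window failure.
    """
    errors = []
    now = parse_saml_instant(now_utc)
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)

    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return ["assertion has no Conditions element"]

    # Time window: the assertion is valid for NotBefore <= now < NotOnOrAfter, widened by skew.
    not_before = parse_saml_instant(cond.get("NotBefore"))
    not_on_or_after = parse_saml_instant(cond.get("NotOnOrAfter"))
    if now < not_before - skew:
        errors.append(f"not yet valid: now {now:%H:%M:%SZ} is before NotBefore {not_before:%H:%M:%SZ}")
    if now >= not_on_or_after + skew:
        errors.append(f"expired: now {now:%H:%M:%SZ} is at or after NotOnOrAfter {not_on_or_after:%H:%M:%SZ}")

    # Audience must equal the SP entity ID (the Identifier configured on the IdP side);
    # an IP-based identifier on one side and an FQDN on the other fails here.
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != sp_entity_id:
        errors.append(f"audience {audience!r} does not match SP entity ID {sp_entity_id!r}")

    # Destination must equal the Assertion Consumer Service URL the response was posted to.
    destination = root.get("Destination", "")
    if destination != acs_url:
        errors.append(f"destination {destination!r} does not match ACS URL {acs_url!r}")
    return errors


if __name__ == "__main__":
    for label, now, entity in (
        ("clock in sync, IDs match", "2024-03-22T06:05:00Z", SP_ENTITY_ID),
        ("clock eight hours ahead", "2024-03-22T14:05:00Z", SP_ENTITY_ID),
        ("IP-based identifier", "2024-03-22T06:05:00Z", "https://203.0.113.10:443/SAML20/SP"),
    ):
        print(label, "->", validate_response(SAMPLE_RESPONSE, now, entity, ACS_URL) or "accepted")
```

Running the module prints one line per scenario: the synchronised case is accepted, a clock eight hours off fails the NotOnOrAfter check even though the 60-second tolerance is applied, and an identifier built from an IP address fails the audience check while everything else is fine. When diagnosing a real rejection, compare the `IssueInstant`, `NotBefore` and `NotOnOrAfter` values in the logged response with the firewall's own UTC time, and compare `Audience` and `Destination` with the portal's configured entity ID and ACS URL.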
04-08-2024 07:43 AM
I am using the FQDN for my GP URL and for my identifier in Azure. Not sure why the error is showing the IP address instead.
04-08-2024 08:16 AM
But even under GlobalProtect > Portals > Agent > External Gateways?