Palo Alto with Azure SAML issue


L1 Bithead

Hi all, I have configured all the required basic SAML configurations in Azure, and assigned a few test AD users to GlobalProtect enterprise application. Also configured those required settings on the Palo Alto end where I import the XML cert, create an authentication profile, and assign the profile to both my gateway and portal. You can refer to my screenshots of those configurations.


The issue I face: once I am redirected to the Microsoft portal login, and after logging in, I get the error message below.

Anyone can help me find the root cause of this?

[attached screenshot: KevinNg_3-1710232179173.png]


Below is my configuration:


[attached screenshot: KevinNg_0-1710231902791.png]

[attached screenshots: KevinNg_1-1710232073112.png, KevinNg_2-1710232093067.png]


Tags: GlobalProtect, Azure



L2 Linker

Hi Kevin,


Have you checked the authd.log? I would say this could be related to problems with the SAML request/response.


less mp-log authd.log

Hi, this is the error I am getting. Not sure what it is about? Do you know?

It seems your time is not synchronized between the firewall and the IdP (Azure), so the firewall will reject the SAML response.


This is also explained here:

Authentication error due to timestamp in SAML message from IdP - Knowledge Base - Palo Alto Networks

My Palo Alto is already configured with sg.pool.ntp.org. But do you happen to know where I can configure NTP/timezone for my Azure IdP?


I don't know, I've been configuring Azure SAML for multiple regions in different timezones without issues.

Is the firewall configured in the correct time zone besides the NTP server (Device > Setup > Management > Time Zone)? I'm asking this because all SAML messages are in UTC format; maybe your problem is the firewall not being in the correct time zone, so the time converted to UTC does not match Azure's.

Thanks @Anderson_D! I managed to resolve this error.

Now I have a new error: I am now able to log in from the browser, but when I try to log in from the GlobalProtect app itself, I get the error in the attached image "121". Do you know which setting I missed?

Make sure your GlobalProtect URL matches the URL identifier configured in Azure, otherwise the request will be denied.

I am using the FQDN for my GP URL and for my identifier in Azure. Not sure why the error is showing the IP address instead.

But even under GlobalProtect > Portals > Agent > External Gateways?
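The two failure modes in this thread (the firewall rejecting the assertion because its UTC time does not line up with Azure's NotBefore/NotOnOrAfter window, and the GlobalProtect URL not matching the identifier configured in Azure) can both be reproduced offline. The script below is an added illustration, not code from the thread or from Palo Alto Networks: it parses a constructed, unsigned SAML response, checks the validity window against a time-zone-aware clock, and checks the AudienceRestriction against the SP entity ID. The hostnames, the IP address, the Azure tenant ID and the `https://<host>:443/SAML20/SP` entity ID pattern are assumptions for the example.

```python
"""Offline checks for the two SAML assertion conditions discussed in this thread:
the validity window (NotBefore / NotOnOrAfter, always in UTC) and the
AudienceRestriction that must equal the SP entity ID the portal presents."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample response (not captured from a real IdP); only the
# elements needed for the two checks are present, and it carries no signature.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://vpn.example.com:443/SAML20/SP/ACS">
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Conditions NotBefore="2024-03-12T08:00:00Z" NotOnOrAfter="2024-03-12T09:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://vpn.example.com:443/SAML20/SP</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC; Azure writes a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_conditions(xml_text):
    """Pull the validity window and audience list out of the assertion."""
    root = ET.fromstring(xml_text)
    cond = root.find(".//saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    return {
        "not_before": parse_saml_time(cond.get("NotBefore")),
        "not_on_or_after": parse_saml_time(cond.get("NotOnOrAfter")),
        "audiences": [a.text.strip() for a in cond.findall(".//saml:Audience", NS)],
    }


def check_validity_window(conds, now, skew=timedelta(seconds=60)):
    """Compare the SP's clock, converted to UTC, against the window.
    `now` must be timezone-aware: the zone label is exactly what goes wrong
    when the firewall's Time Zone setting does not match its wall clock."""
    if now.tzinfo is None:
        raise ValueError("now must carry a time zone")
    now_utc = now.astimezone(timezone.utc)
    if now_utc + skew < conds["not_before"]:
        return False, "assertion not yet valid: SP clock behind the IdP"
    if now_utc - skew >= conds["not_on_or_after"]:
        return False, "assertion expired: SP clock ahead of the IdP"
    return True, "inside validity window"


def check_audience(conds, sp_entity_id):
    """The Audience must equal the entity ID the portal/gateway presents
    (assumed here to follow the https://<host>:443/SAML20/SP pattern)."""
    if sp_entity_id in conds["audiences"]:
        return True, "audience matches SP entity ID"
    return False, f"audience {conds['audiences']} does not match {sp_entity_id}"


def demo():
    """Run both checks in the good and the bad configuration."""
    conds = extract_conditions(SAMPLE_RESPONSE)
    sgt = timezone(timedelta(hours=8))   # Asia/Singapore, to go with sg.pool.ntp.org
    wall_clock = (2024, 3, 12, 16, 30)   # the same local reading in both cases
    return {
        # Zone set correctly: 16:30 SGT is 08:30Z, inside the one-hour window.
        "correct_zone": check_validity_window(conds, datetime(*wall_clock, tzinfo=sgt)),
        # Zone left at UTC: 16:30 is taken as 16:30Z, past NotOnOrAfter.
        "wrong_zone": check_validity_window(conds, datetime(*wall_clock, tzinfo=timezone.utc)),
        # Agent reached the portal by IP, so the entity ID no longer matches.
        "by_ip": check_audience(conds, "https://203.0.113.10:443/SAML20/SP"),
        "by_fqdn": check_audience(conds, "https://vpn.example.com:443/SAML20/SP"),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:13s} {'OK  ' if ok else 'FAIL'} {reason}")
```

The skew of 60 seconds is a local choice for the example; the point is that an eight-hour zone error dwarfs any skew tolerance, so the only fix is to set the firewall's time zone correctly, as the accepted answer says. In production, parse SAML with a hardened XML library and verify the signature before trusting any of these fields.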

  • 2 accepted solutions
  • 2981 Views
  • 9 replies
  • 0 Likes