Panorama managed - Global protect SAML cert renew - IDP xml import wrong expiry


L1 Bithead

Background:

Panorama version 10.2.13-h5
PA460s: 10.2.13-h5

2x PA460 active/passive HA. Managed by Panorama (9 other firewalls as well, but they don't provide GP portal / config).

 

- SAML cert expires Jan 10th 2026.

- Followed MS instruction on creating a new cert within MS admin/entra/azure/whatever they call it today.

- Firewalls did not like importing the cert directly - had this happen before, as well as browser issues causing cert uploads to fail. (I tried chrome, edge, ff, cache cleared and all)

 

When I set up SAML and GP initially (3 years ago) I had to import the xml directly from MS, vice manually adding details. I did this again, creating a new idp server profile > importing xml.

Once it imports, the cert that is imported has the OLD expiry date (even though in MS Azure it shows 2028). I will attempt to attach screenshots.

 

Lastly, I cannot remember when I initially set up SAML: do I have to create an Intune policy / GPO to install the new SAML cert on each local machine before rolling out the new cert in production? Or, since it is a trusted CA, should that not be needed?


Accepted Solutions

Alright, got it fixed and working. You planted that nugget for me to end up figuring it out so thanks!

 

I ended up having to go into the metadata XML. I opened both certs in a window and compared the hashes to what was in the XML file. I found 3 entries for the old cert and removed them, and made sure the only X509 entries were of the new cert's hash. Saved it. When I imported it this time I got the correct certificate expiry.

 

What I assume is happening is MS exports all metadata for the application entry within Azure/Entra, including historical certificate information, and Pano/Palo couldn't parse through the different X509 entries within the XML and only used the first cert shown (before I modified the metadata file, for signing, the old cert was listed first in the XML).

I can't push changes to prod until I do a change notice to my users. But I have that scheduled for next week and I will update this post if it DOESN'T work (I am terrible at remembering to update my KBQs).

 

Thanks for the help Jay!

 

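The check Jay recommends (look at which certificate is actually embedded in the metadata file) and the fix the accepted solution describes (strip every X509Certificate entry except the new cert's) can both be done mechanically. The script below is an added example, not code from the thread or from Palo Alto Networks or Microsoft. It uses only the Python standard library. The sample metadata is constructed to mimic the shape of an Entra ID federation metadata export (an enveloped Signature over the document plus several KeyDescriptor entries, old cert first); the certificate bodies are base64 placeholders, not real DER, so they hash but do not carry a real notAfter date. It assumes the SHA-1 hex digest of the DER is what the Entra portal shows as the thumbprint (the same value `openssl x509 -noout -fingerprint -sha1` prints, minus the colons); the tenant ID and URLs are dummies.

```python
"""List every certificate embedded in IdP SAML metadata, then keep only the
one matching an expected thumbprint.  Added example; stdlib only."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)   # keep prefixes stable when writing back out
ET.register_namespace("ds", DS)

# CONSTRUCTED stand-ins for the base64 DER blobs: they hash like real ones but
# are not certificates, so this example cannot decode their expiry dates.
OLD_CERT = base64.b64encode(b"placeholder: old IdP signing cert, expires 2026").decode()
NEW_CERT = base64.b64encode(b"placeholder: new IdP signing cert, expires 2028").decode()
TENANT = "00000000-0000-0000-0000-000000000000"   # dummy tenant id

# Constructed metadata shaped like an Entra export: a signature over the
# document plus several KeyDescriptors, with the old cert listed first.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <Signature xmlns="{DS}">
    <SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></SignedInfo>
    <SignatureValue>AAAA</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>{OLD_CERT}</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{OLD_CERT}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{NEW_CERT}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{OLD_CERT}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def fingerprint(b64: str, algo: str = "sha1") -> str:
    """Hex thumbprint of the DER inside an <X509Certificate> element.
    SHA-1 is assumed to be what the Entra portal displays as 'Thumbprint'."""
    der = base64.b64decode("".join(b64.split()))   # exports wrap base64 across lines
    return hashlib.new(algo, der).hexdigest().upper()


def _certs(root) -> list:
    """(context, fingerprint) for every X509Certificate, in document order."""
    parent = {c: p for p in root.iter() for c in p}
    found = []
    for cert in root.iter(f"{{{DS}}}X509Certificate"):
        ctx, node = "other", cert
        while node in parent:                      # walk up to the owning element
            node = parent[node]
            if node.tag == f"{{{MD}}}KeyDescriptor":
                ctx = f"KeyDescriptor use={node.get('use', 'any')}"
                break
            if node.tag == f"{{{DS}}}Signature":
                ctx = "metadata Signature"
                break
        found.append((ctx, fingerprint(cert.text or "")))
    return found


def list_certs(xml_text: str) -> list:
    """What the importer actually receives: every cert embedded in the file."""
    return _certs(ET.fromstring(xml_text))


def keep_only(xml_text: str, expected_fp: str) -> str:
    """Drop every KeyDescriptor that does not carry expected_fp, and drop the
    enveloped ds:Signature (editing the file invalidates it anyway).  Refuses
    to return a document in which anything but the expected cert survives."""
    root = ET.fromstring(xml_text)
    parent = {c: p for p in root.iter() for c in p}
    for kd in list(root.iter(f"{{{MD}}}KeyDescriptor")):
        fps = {fingerprint(c.text or "") for c in kd.iter(f"{{{DS}}}X509Certificate")}
        if expected_fp not in fps:
            parent[kd].remove(kd)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is not None:
        root.remove(sig)
    left = {fp for _, fp in _certs(root)}
    if left != {expected_fp}:
        raise ValueError(f"expected only {expected_fp}, metadata still carries {left}")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for ctx, fp in list_certs(SAMPLE_METADATA):   # Jay's check: what is in the file?
        print(f"{ctx:28s} {fp}")
    print(keep_only(SAMPLE_METADATA, fingerprint(NEW_CERT)))   # the OP's fix
```

Run `list_certs` against the real download first and compare the thumbprints with the Entra signing-certificate blade; if the active cert is not the first one listed, that matches what the accepted solution observed. `keep_only` deliberately removes the whole KeyDescriptor rather than just the X509Certificate text, so no empty KeyInfo is left behind, and it raises rather than returning a file that still contains two different certificates.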

Community Team Member

Hi @davies.ryan ,

 

I would triple-check which signing certificate is actually being sent inside the SAML metadata. When you import the metadata XML into Panorama/NGFW, it will only use whatever certificate Azure embeds in that file. So this tells me that somewhere within the Azure side, the old cert is still active. 


You can also modify the cert within the SAML IdP server profile. Once you import that XML data, the data is used to populate the server profile fields. If you open up that profile that has the old cert, you can change the IdP cert to the new cert. But once again, I would triple-check what cert is active on Azure. If the metadata still populates with the old cert, then it's likely the certs will be mismatched.

 

As far as Intune/GPO, there's no need to deploy anything to your endpoints. The SAML signing certificate is not a client-side trust cert. It's used by Azure to sign the SAML assertion, and the firewall then validates that signature using the cert embedded in the metadata.

 

Hope this helps!! Please keep us updated on what you find. 

 

 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Community Team Member

Hey @davies.ryan ,

 

After looking over your screenshots, I do see that the signing certs show that the 2026 cert is active while the 2028 cert is inactive. If you can make the 2028/newer cert active, then that should be presented in the metadata for export. 


L1 Bithead

I deleted the wrong IdP showing 2026 still. Went onto Azure, activated the new cert, redownloaded the metadata, and then reactivated the old cert that expires in 2026 (to not disrupt prod atm).

 

Reimported everything and it still shows up as 2026 expiry. I may have to open a case with MS I think. 

 

I also tried just uploading the cert, once I imported the new IdP profile, but it gave me the issuer/SN error when I tried importing the PEM.

 

This is frustrating lol. Thank you for the help!
