09-16-2019 01:44 PM
We recently switched to using SAML (ADFS) authentication for connecting to our Global Protect Gateways. These GP Gateways have a SSL/TLS Service Profile with a certificate signed by a CA created within the PaloAlto firewall that serves as the portal.
This all still seems to still be the recommended setup at https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/get-started/enable-ssl-betwe...
Since we switched to SAML authentication, our Windows users will get certificate error popups. The errors occur after authentication has happened. Errors are for "Revocation information for the security certificate for this site is nto available" and then "The security certificate was issued by a company you have not chosen to trust...". Viewing the certificate shows it is the GP Gateway certificate. It seems the Global Protect client is doing a POST with the SAML authentication data to the firewall, but does not like the firewall's certificate. This is somewhat understandable given that the certificate is just signed by a CA on the firewall.
Is the best practice when using SAML to use a trusted third party certificate for all Global Protect Gateways?
Or Is there a way for Global Protect to trust the PaloAlto CA when doing the POST?
