I was struggling with this too, but I went over the instructions again and I just found out that at the very first screen when you click the "SAML identity provider" at the bottom, you can click import. And that is where you upload the XLM file from the azure website and it will automatically create the profile and import you certificate as well. I followed the instructions from the support page. If you click too add the profile your self you went to far and the XML file will not work there as it will be giving the CA warning, I hope this helps.
https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/authentication/set-up-extern...
Export the SAML metadata file from the IdP to an endpoint that the firewall can access.
Refer to your IdP documentation for instructions on how to export the file.
SelectDevice
Server Profiles
SAML Identity Provider
Import
the metadata file onto the firewall.Enter a
Profile Name
to identify the server profile, such as
GP-User-Auth
.
Browse
for the metadata file.
(
Recommended
) Select
Validate Identity Provider Certificate
(default) so that the firewall validates the IdP certificate.
Validation occurs only after you assign the server profile to an authentication profile and
Commit
the changes. The firewall uses the certificate profile within the authentication profile to validate the certificate.
Enter the
Maximum Clock Skew
, which is the allowed system time difference (in seconds) between the IdP and the firewall when the firewall validates IdP messages. The default value is 60 seconds, and the range is 1 to 900 seconds. If the difference exceeds this value, authentication fails.
Click
OK
to save the server profile.
