I was struggling with this too, but I went over the instructions again and I just found out that at the very first screen, when you click "SAML Identity Provider", at the bottom you can click Import. That is where you upload the XML file from the Azure website, and it will automatically create the profile and import your certificate as well. I followed the instructions from the support page. If you click to add the profile yourself, you went too far, and the XML file will not work there, as it will be giving the CA warning. I hope this helps.

https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/authentication/set-up-external-authentication/set-up-saml-authentication

1. Export the SAML metadata file from the IdP to an endpoint that the firewall can access. Refer to your IdP documentation for instructions on how to export the file.
2. Select Device > Server Profiles > SAML Identity Provider.
   ---> Go to the bottom and click Import <---
3. Import the metadata file onto the firewall.
4. Enter a Profile Name to identify the server profile, such as GP-User-Auth.
5. Browse for the metadata file.
6. (Recommended) Select Validate Identity Provider Certificate (default) so that the firewall validates the IdP certificate. Validation occurs only after you assign the server profile to an authentication profile and Commit the changes. The firewall uses the certificate profile within the authentication profile to validate the certificate.
7. Enter the Maximum Clock Skew, which is the allowed system time difference (in seconds) between the IdP and the firewall when the firewall validates IdP messages. The default value is 60 seconds, and the range is 1 to 900 seconds. If the difference exceeds this value, authentication fails.
8. Click OK to save the server profile.