About SeoYongwoon

SeoYongwoon · ‎08-30-2022

hello everyone Accounts were linked by creating Paloalto NGFW and Okta Saml2.0 Application. The GlobalProtect login method logs in with the Okta domain. This works really well. The login method is Always-on. What I am curious about is that a user attempts to log in to Global Protect and enters a password to access it. However, if the Client PC is rebooted, a pop-up window for entering the password appears again. Is there any way to get rid of this and automatically log in?

SeoYongwoon · ‎05-26-2022

I have refered the document too. However when I checked the logs, it seems to be the certificate problem. [Test Process] 1) Generated a Self-signed CA from PAN FW and exported it. 2) Made a Okta SAML Application and enabled Single Logout. 3) Uploaded the Selfcertificate to Okta. [Query] 1)Does this be authenticated through the certificate I have imported? 2)If we import a idp meta data although it's not a root CA and creates a certificate, then do we have to use this certificate?

SeoYongwoon · ‎05-26-2022

I saw this and did it. But there was a problem...T.T

SeoYongwoon · ‎05-26-2022

I am trying to log in to the firewall admin ui using okta's saml2.0 authentication. OKTA created a new SAML2.0 application, and the certificate was linked by creating a Self Sign certificate in the firewall. However, when trying to log in to SSO, it redirects to the okta page, but when logging in, SSO Fail appears. 022-05-26 16:04:09.559 +0900 Failure while validating the signature of SAML message received from the IdP "http://www.okta.com/exk16pn7t7a8zHGEm697", because the certificate in the SAML Message doesn't match the IDP certificate configured on the IdP Server Profile "oktatest". (SP: "Administrator WebUI"), (Client IP: 10.50.102.56), (vsys: shared), (authd id: 7098494957807207197), (user: ywseo@kakao.com) 2022-05-26 16:04:09.559 +0900 Error: _handle_signature(pan_authd_saml_internal.c:1603): _extract_x509cert_cmp_idp_cert_or_build_cr() 2022-05-26 16:04:09.559 +0900 Error: _parse_sso_response(pan_authd_saml.c:1480): _handle_signature() from IdP "http://www.okta.com/exk16pn7t7a8zHGEm697" 2022-05-26 16:04:09.559 +0900 Error: _handle_request(pan_authd_saml.c:2169): occurs in _parse_sso_response() 2022-05-26 16:04:09.559 +0900 SAML SSO authentication failed for user 'ywseo@kakao.com'. Reason: SAML web single-sign-on failed. auth profile 'ywseookta', vsys 'shared', server profile 'oktatest', IdP entityID 'http://www.okta.com/exk16pn7t7a8zHGEm697', reply message 'SAML single-sign-on failed' From: 10.50.102.56. 2022-05-26 16:04:09.559 +0900 debug: _log_saml_respone(pan_auth_server.c:401): Sent PAN_AUTH_FAILURE SAML response:(authd_id: 7098494957807207197) (SAML err code "2" means SSO failed) (return username 'ywseo@ kakao.com') (auth profile 'ywseookta') (reply msg 'SAML single-sign-on failed') (NameID 'ywseo@kakao.com') (SessionIndex '_9fb9d102aa025b3939bce9ed603a1208') (Single Logout enabled? 'No') (Is it CAS (cloud-auth-service)? 'No') Here's the authd.log... what did I do wrong?

Member Since	‎03-31-2022 12:06 AM
Date Last Visited	‎10-12-2022 03:59 AM
Posts	4

Online Status	Offline
Date Last Visited	‎10-12-2022 03:59 AM

About SeoYongwoon

GlobalProtect Login with okta

Re: paloalto login method using okta saml authentication

Re: paloalto login method using okta saml authentication

paloalto login method using okta saml authentication

Re: GlobalProtect Login with okta

Command related inquiries(debug device-server dump pan-url-db statistics)

GlobalProtect Login with okta

Re: paloalto login method using okta saml authentication

Re: paloalto login method using okta saml authentication

paloalto login method using okta saml authentication