Accounts were linked by creating a Palo Alto NGFW and Okta SAML 2.0 application. The GlobalProtect login method logs in with the Okta domain. This works really well. The login method is Always On.
What I am curious about is that a user attempts to log in to GlobalProtect and enters a password to access it. However, if the client PC is rebooted, a pop-up window for entering the password appears again. Is there any way to get rid of this and automatically log in?
I have referred to the document too. However, when I checked the logs, it seems to be a certificate problem.
[Test Process]
1) Generated a self-signed CA from the PAN FW and exported it.
2) Made an Okta SAML application and enabled Single Logout.
3) Uploaded the self-signed certificate to Okta.
[Query]
1) Is this authenticated through the certificate I have imported?
2) If we import IdP metadata, even though it is not a root CA, and it creates a certificate, do we have to use this certificate?
I am trying to log in to the firewall admin UI using Okta's SAML 2.0 authentication. A new SAML 2.0 application was created in Okta, and the certificate was linked by creating a self-signed certificate on the firewall. However, when trying to log in to SSO, it redirects to the Okta page, but after logging in, "SSO Fail" appears.
2022-05-26 16:04:09.559 +0900 Failure while validating the signature of SAML message received from the IdP "http://www.okta.com/exk16pn7t7a8zHGEm697", because the certificate in the SAML Message doesn't match the IDP certificate configured on the IdP Server Profile "oktatest". (SP: "Administrator WebUI"), (Client IP: 10.50.102.56), (vsys: shared), (authd id: 7098494957807207197), (user: firstname.lastname@example.org)
2022-05-26 16:04:09.559 +0900 Error: _handle_signature(pan_authd_saml_internal.c:1603): _extract_x509cert_cmp_idp_cert_or_build_cr()
2022-05-26 16:04:09.559 +0900 Error: _parse_sso_response(pan_authd_saml.c:1480): _handle_signature() from IdP "http://www.okta.com/exk16pn7t7a8zHGEm697"
2022-05-26 16:04:09.559 +0900 Error: _handle_request(pan_authd_saml.c:2169): occurs in _parse_sso_response()
2022-05-26 16:04:09.559 +0900 SAML SSO authentication failed for user 'email@example.com'. Reason: SAML web single-sign-on failed. auth profile 'ywseookta', vsys 'shared', server profile 'oktatest', IdP entityID 'http://www.okta.com/exk16pn7t7a8zHGEm697', reply message 'SAML single-sign-on failed' From: 10.50.102.56.
2022-05-26 16:04:09.559 +0900 debug: _log_saml_respone(pan_auth_server.c:401): Sent PAN_AUTH_FAILURE SAML response:(authd_id: 7098494957807207197) (SAML err code "2" means SSO failed) (return username 'ywseo@ kakao.com') (auth profile 'ywseookta') (reply msg 'SAML single-sign-on failed') (NameID 'firstname.lastname@example.org') (SessionIndex '_9fb9d102aa025b3939bce9ed603a1208') (Single Logout enabled? 'No') (Is it CAS (cloud-auth-service)? 'No')
Here's the authd.log... what did I do wrong?
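The authd.log entry above says the certificate carried inside the SAML message did not match the IdP certificate configured on the IdP Server Profile, and the earlier post asks whether the self-signed certificate generated on the firewall is what authenticates the exchange. The following is an added example, not code from this thread, from Palo Alto Networks or from Okta. It reproduces the service-provider-side comparison offline: it extracts the signing certificate the IdP publishes in its metadata, extracts the certificate embedded in a SAML Response's XML signature, and compares SHA-256 fingerprints against whatever certificate the SP has configured, then says which side is wrong. The metadata, the Response, the entity ID and the certificate bodies are constructed placeholders (the base64 blobs are not real X.509 certificates), so only the comparison logic is exercised.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 / XML-DSig namespaces used in IdP metadata and in SAML Responses.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def fingerprint(b64_cert: str) -> str:
    """SHA-256 fingerprint (colon-separated hex) of a base64 certificate body,
    i.e. the text of a ds:X509Certificate element or a PEM file without its markers."""
    der = base64.b64decode("".join(b64_cert.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def idp_signing_fingerprints(metadata_xml: str) -> list:
    """Fingerprints of every signing certificate the IdP metadata publishes.
    A KeyDescriptor without a 'use' attribute is valid for signing too, so it is
    included; an IdP may list several keys while rotating them."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            fps.append(fingerprint(cert.text))
    return fps


def message_signing_fingerprints(response_xml: str) -> list:
    """Fingerprints of the certificates carried in ds:Signature/ds:KeyInfo of a
    SAML Response (and of a signed Assertion inside it). Empty if the IdP omitted
    KeyInfo, in which case only the configured certificate can verify the signature."""
    root = ET.fromstring(response_xml)
    path = ".//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return [fingerprint(c.text) for c in root.iterfind(path, NS)]


def diagnose(configured_cert_b64: str, idp_metadata_xml: str, saml_response_xml: str) -> dict:
    """Reproduce the SP-side check behind 'the certificate in the SAML Message
    doesn't match the IdP certificate configured on the IdP Server Profile'."""
    configured = fingerprint(configured_cert_b64)
    published = idp_signing_fingerprints(idp_metadata_xml)
    embedded = message_signing_fingerprints(saml_response_xml)
    if not embedded:
        verdict = "no certificate in SAML message"
    elif configured in embedded:
        verdict = "match"
    elif any(fp in published for fp in embedded):
        verdict = ("mismatch: configured certificate is not the IdP signing certificate; "
                   "import the one from the IdP metadata")
    else:
        verdict = ("mismatch: message certificate is not in the IdP metadata either; "
                   "the IdP key may have rotated or the message is not from this IdP")
    return {"configured": configured, "published": published, "embedded": embedded, "verdict": verdict}


# Constructed sample material: these base64 blobs are NOT real X.509 certificates,
# just bytes standing in for DER so the fingerprint comparison runs offline.
OKTA_SIGNING_CERT = base64.b64encode(b"constructed-okta-idp-signing-cert").decode()
FW_SELF_SIGNED_CERT = base64.b64encode(b"constructed-firewall-self-signed-cert").decode()

# Constructed IdP metadata; EXAMPLE_IDP_ID is a placeholder entity ID.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/EXAMPLE_IDP_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{OKTA_SIGNING_CERT}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAML Response skeleton; the SignatureValue is a dummy, only KeyInfo matters here.
SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>http://www.okta.com/EXAMPLE_IDP_ID</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo/><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OKTA_SIGNING_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    # The setup from the thread: the firewall's own self-signed cert placed in the IdP Server Profile.
    print(diagnose(FW_SELF_SIGNED_CERT, IDP_METADATA, SAML_RESPONSE)["verdict"])
    # The IdP's published signing cert configured instead.
    print(diagnose(OKTA_SIGNING_CERT, IDP_METADATA, SAML_RESPONSE)["verdict"])
```

The design point the script encodes is the one the log message is about: the IdP Server Profile must hold the IdP's signing certificate (the one in the IdP metadata), because that is the key that signs the Response; a certificate generated on the firewall can only serve the SP side (signing the firewall's own requests or logout messages, or TLS), and configuring it as the IdP certificate produces exactly the "doesn't match" failure. To run it against real material, paste the `ds:X509Certificate` body from the IdP metadata and the base64-decoded `SAMLResponse` form parameter (it is itself base64-encoded on the wire) in place of the constructed strings; never use it as a substitute for the SP's actual signature verification, it only explains which certificate is wrong.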