Setting up SAML authentication for the first time from a new Azure instance and having multiple issues. I had an idea how it would work, that Azure would provide an internal CA and SAML gateway (IDP) certificate, and then assign us a certificate (w/private key) to use on the firewall. However, we are only getting a self-signed certificate for the IDP. This makes all the certificate loading/profiles on the PA fail (can't manually load a self-signed certificate, have no CA to assign to a profile, etc.).
Do people normally run Azure SAML with a CA chain and certificates for endpoints? Or do you normally run with certificate signing and validation to the IDP turned off?
The default setting when setting up a SAML server is "Validate Identity Provider Certificate", but the PA documentation shows the authentication profile as having "none" for "Certificate for signing Requests" and "Certificate Profile", which causes a confusing error on trying to save. There is a brief, easy-to-miss note in the PA documentation and this previous post that explain it:
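The IdP certificate the post describes can be inspected straight from the Azure federation metadata XML before touching the firewall. The stdlib-only Python below is an added example (not from the original post or from Palo Alto Networks): it pulls each signing certificate out of the metadata, reports its SHA-256 fingerprint for comparison against what the firewall shows, and flags whether it is self-signed (issuer Name equals subject Name). The embedded metadata and certificate are a constructed DER skeleton, not a real Azure certificate; the entityID and CN values are placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
MD, DS = "{urn:oasis:names:tc:SAML:2.0:metadata}", "{http://www.w3.org/2000/09/xmldsig#}"

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _issuer_and_subject(der):
    """Walk tbsCertificate and return the raw DER bytes of the issuer and subject Names."""
    _, p, _ = _tlv(der, 0)                               # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                               # tbsCertificate SEQUENCE
    tag, _, e = _tlv(der, p)
    p = e if tag == 0xA0 else p                          # skip optional [0] EXPLICIT version
    for _ in range(2):                                   # serialNumber, signature AlgorithmIdentifier
        _, _, p = _tlv(der, p)
    _, _, e = _tlv(der, p); issuer, p = der[p:e], e      # issuer Name
    _, _, p = _tlv(der, p)                               # validity
    _, _, e = _tlv(der, p)                               # subject Name
    return issuer, der[p:e]

def idp_signing_certs(metadata_xml):
    """For every IdP signing certificate in the metadata: (SHA-256 fingerprint, is_self_signed)."""
    out = []
    for kd in ET.fromstring(metadata_xml).iter(MD + "KeyDescriptor"):
        if kd.get("use", "signing") != "signing":        # no 'use' attribute means signing AND encryption
            continue
        for c in kd.iter(DS + "X509Certificate"):
            der = base64.b64decode("".join(c.text.split()))
            issuer, subject = _issuer_and_subject(der)
            out.append((hashlib.sha256(der).hexdigest(), issuer == subject))
    return out

# Constructed sample below: an unsigned DER skeleton with only the fields up to 'subject', NOT a real Azure cert.
def _der(tag, payload):
    n = len(payload)
    ln = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + payload
def sample_metadata(issuer_cn="Constructed IdP", subject_cn="Constructed IdP"):
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")                                  # v3, serial 1
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))  # sha256WithRSA
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))                               # issuer, validity, subject
    cert = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    return ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example/">'
            '<IDPSSODescriptor><KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
            f'<X509Data><X509Certificate>{cert}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>'
            '</IDPSSODescriptor></EntityDescriptor>')
```

Feed the real federation metadata downloaded from the Azure enterprise application to `idp_signing_certs` in place of `sample_metadata()`; a `True` second element confirms the IdP certificate is self-signed, so there is no separate issuing CA to import into a certificate profile.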