SAML single-sign-on failed
55184
Created On 04/01/21 19:06 PM - Last Modified 09/28/21 02:56 AM
Symptom
- Users cannot log in to the firewall or Panorama using Single Sign-On (SSO).
- The following error message is displayed:
SSO Response Status
Status: Failed
SAML single-sign-on failed
Environment
- Any Palo Alto Firewall or Panorama
- Any PAN-OS.
- Single Sign-On configured using Okta as the IdP.
Cause
- From authentication logs (authd.log), the relevant portion of the log below indicates the issue:
.... username: entered "john_doe@abc.com" != returned "John_Doe@abc.com" from IdP "http://www.okta.com/xxxx" -> reject SAML auth due to security concerns
.... Error: _handle_request(pan_authd_saml.c:2102): occurs in _parse_sso_response()
Sent PAN_AUTH_FAILURE SAML response:(authd_id: 6923201339409303840) (SAML err code "2" means SSO failed) (return username 'John_Doe@abc.com')
- PAN-OS compares the username the user entered at the login prompt with the NameID value returned in the SAML assertion. The comparison is exact, so the username in the assertion is case-sensitive; "john_doe@abc.com" and "John_Doe@abc.com" do not match.
- A mismatch is rejected "due to security concerns": the firewall will not accept an assertion issued for a username other than the one the user claimed to be. In this case, the username the user enters must be in exactly the same format (including case) as the value Okta sends in the SAML NameID attribute, or Okta must be configured to send the username in the format users enter.
- Note that the authd.log line itself defines SAML error code 2 as "SSO failed". Okta's reference SSO Setup Guides: Login Error Codes by SSO Type describes error code 2 as "SAML Validation (IdP does not know how to process the request as configured)": an incorrect number of issuers or unsigned issuers in the response, or an incorrect NameID format specified.
Resolution
- Step 1 - Verify which username format is expected on the SP side (the firewall or Panorama), that is, the exact username, including case, that users enter at the login prompt.
- Step 2 - Verify which username Okta is sending in the NameID of the assertion.
"You can verify what username the Okta application is sending by navigating to the application's "Assignments" tab and clicking the pencil icon next to an affected user. This will display the username that is being sent in the assertion, and will need to match the username on the SP side."
Note: This information is taken from the Okta Support page.
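The following script is an added example, not code from Palo Alto Networks or Okta. It automates the two checks above: it scans authd.log text for the `entered "..." != returned "..."` lines shown in the Cause section and classifies each mismatch (same account differing only in case, or a different identifier altogether), and it extracts the NameID value and Format from a SAML Response so the value can be compared with what the user typed using the same exact, case-sensitive comparison the log excerpt shows. The log lines and the SAML Response are constructed samples; the IdP entity ID "http://www.okta.com/xxxx" is the placeholder from the article. The script does not verify the assertion signature; a real SP validates the signature and audience before looking at the NameID.

```python
"""Triage helper for the PAN-OS 'SAML single-sign-on failed' username mismatch.

Added example (not Palo Alto Networks or Okta code). The sample log lines and the
SAML Response below are constructed; the timestamps and 'pan_authd:' prefix are
assumptions about the log layout, only the quoted message text follows the article.
"""
import re
import xml.etree.ElementTree as ET

# Constructed authd.log excerpt modelled on the article's Cause section.
SAMPLE_AUTHD_LOG = """\
2021-04-01 19:06:01 pan_authd: username: entered "john_doe@abc.com" != returned "John_Doe@abc.com" from IdP "http://www.okta.com/xxxx" -> reject SAML auth due to security concerns
2021-04-01 19:06:01 pan_authd: Error: _handle_request(pan_authd_saml.c:2102): occurs in _parse_sso_response()
2021-04-01 19:07:30 pan_authd: username: entered "jane@abc.com" != returned "jane.smith@abc.com" from IdP "http://www.okta.com/xxxx" -> reject SAML auth due to security concerns
"""

# Constructed, unsigned SAML 2.0 Response carrying the NameID Okta would return.
SAMPLE_SAML_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp1" Version="2.0" IssueInstant="2021-04-01T19:06:00Z">
  <saml:Issuer>http://www.okta.com/xxxx</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-04-01T19:06:00Z">
    <saml:Issuer>http://www.okta.com/xxxx</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">John_Doe@abc.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Matches the rejection line quoted in the article's Cause section.
MISMATCH_RE = re.compile(
    r'username: entered "([^"]*)" != returned "([^"]*)" from IdP "([^"]*)"'
)


def classify_mismatch(entered: str, returned: str) -> str:
    """Exact comparison first (that is what PAN-OS enforces), then explain a failure."""
    if entered == returned:
        return "match"
    if entered.casefold() == returned.casefold():
        # Same account, different capitalisation: align the Okta application username.
        return "case_only"
    # A different identifier altogether: check the Okta application username mapping.
    return "different_value"


def parse_authd_mismatches(log_text: str) -> list:
    """Return one dict per rejected SSO attempt found in authd.log text."""
    findings = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m is None:
            continue
        entered, returned, idp = m.groups()
        findings.append({
            "entered": entered,
            "returned": returned,
            "idp": idp,
            "kind": classify_mismatch(entered, returned),
        })
    return findings


def extract_name_id(saml_response_xml: str):
    """Return (NameID value, NameID Format) from a SAML 2.0 Response, or (None, None)."""
    root = ET.fromstring(saml_response_xml)
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", SAML_NS)
    if node is None:
        return None, None
    return (node.text or "").strip(), node.get("Format")


def check_sso_username(entered: str, saml_response_xml: str) -> dict:
    """Mirror the SP-side check: accept only an exact match between login name and NameID."""
    returned, fmt = extract_name_id(saml_response_xml)
    if returned is None:
        return {"accepted": False, "kind": "no_nameid", "returned": None, "format": None}
    kind = classify_mismatch(entered, returned)
    return {"accepted": kind == "match", "kind": kind, "returned": returned, "format": fmt}


if __name__ == "__main__":
    for f in parse_authd_mismatches(SAMPLE_AUTHD_LOG):
        print(f"{f['entered']!r} != {f['returned']!r} from {f['idp']}: {f['kind']}")
    print(check_sso_username("john_doe@abc.com", SAMPLE_SAML_RESPONSE))
```

A `case_only` finding points at the fix in the Resolution: make the Okta application username (what Okta places in NameID) and the username users type on the firewall or Panorama identical, including case. A `different_value` finding means Okta is mapping the user to a different identifier entirely, so the Assignments tab for that user should be checked before touching case settings.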