Panorama Admin login fails with error "SAML Single-sign-on failed" when using Azure AD SAML Single Sign-on (SSO)

Created On 08/31/21 18:11 PM - Last Modified 11/19/22 04:17 AM


Symptom


  • Panorama GUI login fails to work with Azure-based Single Sign-on.
  • After entering the username and password on the Panorama login page, the error message "SAML single-sign-on failed" is displayed.

  • "Authentication failed for user" messages are seen under the Monitor tab for Panorama when viewed using another, working user.



Environment


  • Panorama
  • PAN-OS 10.0.4
  • Azure AD SSO (Azure Active Directory Single Sign-on)


Cause


On the Azure AD side, the "User type" of the user does not match the User type set for the "adminrole" attribute under the Single sign-on configuration.

 


Resolution


  1. In Azure AD, go to Home > Palo Alto Networks - Admin UI > (User) and check the "User type" of the user. In this example, it is set to "Member".

  2. Confirm that under Home > Palo Alto Networks - Admin UI > Single sign-on > User Attributes & Claims, a new "User Attribute" called "adminrole" has been created.

  3. Click the Edit button for User Attributes & Claims and confirm that the User type for adminrole matches the user type found in step 1. They have to match.


