SAML Authentication fails with Google IDP with certificate mismatch error
Knowledge Base - Palo Alto Networks

Created On 10/13/21 11:20 AM - Last Modified 08/25/22 03:51 AM


Symptom


  • SAML authentication is configured for GlobalProtect users on Prisma Access or a Palo Alto Networks Strata firewall.
  • The initial SAML redirection works and the user signs in with their credentials at the IdP, after which an error message is displayed.
[Screenshot: Google IdP error message]


Environment


  • Prisma Access for Mobile Users running 9.1 or above
  • Palo Alto Networks Strata firewall
  • PAN-OS 9.1 or above
  • GlobalProtect configured


Cause


  • Authentication fails because the certificate returned by the IdP does not match the certificate configured on the firewall.
  • The authd logs at dump level (refer to the Additional Information section) show the sequence of events and the failure details.
 
2021-10-13 18:06:34.696 +0800 debug: _is_same_public_key(pan_authd_saml_internal.c:340): configured cert = MIIDdDCCAl
received   cert = MIIDdDCCAlygAwIBAgIGAXw1oCefMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ
0N+B
2021-10-13 18:06:34.696 +0800 Failure while validating the signature of SAML message received from the IdP "https://accounts.google.com/o/saml2?idpid=xxxxxxx", because the certificate in the SAML Message doesn't match the IDP certificate configured on the IdP Server Profile "saml_IDP_111111111111". (SP: "Global Protect"), (Client IP: 1.1.1.1), (vsys: vsys1), (authd id: 7010347857933132787), (user: user1@domain.com)

The log snippet above is truncated intentionally.
  • When the IdP provides metadata, it includes 2 certificates. By default, the Palo Alto Networks firewall uses the first certificate in the metadata to validate SAML messages.
  • In this case, however, the IdP signs with the second certificate, and that is where authentication fails.


Resolution


There are 2 ways to fix this:
  1. Contact the IdP or the IdP admin and change the certificate sequence so that the second certificate is used. (Recommended)
  2. Copy the metadata.xml file and edit it so that the second certificate takes the place of the first one and vice versa. Import this file into the authentication profile and commit.

Note 1: This is not an issue on the Palo Alto Networks side. The second option is a workaround to match the second certificate in use by the IdP.
Note 2: The metadata file is downloaded from the IdP and imported into the firewall. Refer to Step 5 of the link for more details.


Additional Information


  • To identify which certificate is in use, open the metadata.xml file, which contains the certificates.
  • Compare the certificates with the authd logs to identify the one in use. The certificate the firewall has configured is always the first one in the metadata file.
  • The authd logs truncate part of the certificate text, which is expected. Match the remaining text against the file.
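The comparison described in the list above can be scripted. The following is an added Python example, not part of the article and not a Palo Alto Networks tool: it reads the X509Certificate entries from a metadata.xml in document order (the firewall uses the first one), matches the truncated "configured cert" and "received cert" fragments from authd dump output against them, and writes the swapped metadata that option 2 of the Resolution describes. The metadata, the certificate bodies and the log lines are all constructed for the example; the two certificate bodies deliberately share a leading prefix so that the short "configured cert" fragment matches both, which is why the longer "received cert" fragment is the one to compare. The namespace URIs are the standard SAML metadata and XML-DSig ones.

```python
import re
import xml.etree.ElementTree as ET

# Standard SAML metadata and XML Signature namespaces.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed certificate bodies (not real certificates). They share the leading
# "MIIDdDCCAlygAwIBAgIGAX" characters, as certificates of similar size often do,
# so a fragment that short cannot tell them apart.
CERT_FIRST = "MIIDdDCCAlygAwIBAgIGAXFIRSTCERTAAAACONSTRUCTEDFIRSTCERTBODYAAAA"
CERT_SECOND = "MIIDdDCCAlygAwIBAgIGAXSECONDCERTBBBBCONSTRUCTEDSECONDCERTBODYBBBB"

# Constructed IdP metadata carrying two signing certificates, first one first.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{CERT_FIRST}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{CERT_SECOND}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed authd dump-level lines modelled on the article's snippet; authd prints
# only a truncated prefix of each base64 certificate.
SAMPLE_AUTHD_LOG = (
    "2021-10-13 18:06:34.696 +0800 debug: _is_same_public_key(pan_authd_saml_internal.c:340): "
    "configured cert = MIIDdDCCAl\n"
    "received   cert = MIIDdDCCAlygAwIBAgIGAXSECONDCERTBBBB\n"
    "2021-10-13 18:06:34.696 +0800 Failure while validating the signature of SAML message "
    "received from the IdP, because the certificate in the SAML Message doesn't match the "
    "IDP certificate configured on the IdP Server Profile\n"
)


def extract_certificates(metadata_xml):
    """Return the base64 bodies of every X509Certificate in document order,
    with the line breaks and indentation of the file removed."""
    root = ET.fromstring(metadata_xml)
    return [re.sub(r"\s+", "", node.text or "")
            for node in root.iter(f"{{{DS_NS}}}X509Certificate")]


def parse_authd_cert_fragments(log_text):
    """Pull the truncated 'configured cert' and 'received cert' values out of
    authd dump output. Returns (configured_fragment, received_fragment)."""
    configured = re.search(r"configured cert = (\S+)", log_text)
    received = re.search(r"received\s+cert = (\S+)", log_text)
    return (configured.group(1) if configured else "",
            received.group(1) if received else "")


def find_matching_certs(certs, fragment):
    """Indices (0-based, document order) of certificates that begin with the
    truncated fragment. More than one index means the fragment is too short."""
    frag = re.sub(r"\s+", "", fragment)
    return [i for i, cert in enumerate(certs) if frag and cert.startswith(frag)]


def diagnose(metadata_xml, log_text):
    """Reproduce the firewall's check: the configured certificate is the first
    one in the metadata, and the received one must be that same certificate."""
    certs = extract_certificates(metadata_xml)
    configured_frag, received_frag = parse_authd_cert_fragments(log_text)
    received_idx = find_matching_certs(certs, received_frag)
    return {
        "cert_count": len(certs),
        "configured_candidates": find_matching_certs(certs, configured_frag),
        "received_candidates": received_idx,
        # Mismatch unless the received certificate is the first (configured) one.
        "mismatch": 0 not in received_idx,
    }


def swap_first_two_certificates(metadata_xml):
    """Workaround from option 2: return the metadata with the first and second
    certificate exchanged, so the firewall picks the one the IdP signs with."""
    root = ET.fromstring(metadata_xml)
    nodes = list(root.iter(f"{{{DS_NS}}}X509Certificate"))
    if len(nodes) < 2:
        raise ValueError("metadata carries fewer than two certificates; nothing to swap")
    nodes[0].text, nodes[1].text = nodes[1].text, nodes[0].text
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before swap:", diagnose(SAMPLE_METADATA, SAMPLE_AUTHD_LOG))
    fixed = swap_first_two_certificates(SAMPLE_METADATA)
    print("after swap: ", diagnose(fixed, SAMPLE_AUTHD_LOG))
```

Run against a real metadata.xml and a real dump-level authd capture, the "received_candidates" list tells you which certificate the IdP is actually signing with; if it is not index 0, the swapped file from swap_first_two_certificates is what option 2 asks you to import, and the swapped order should be re-checked with diagnose before committing.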
Commands to change the authentication debug level:
debug authentication show      >>> shows the current debug level
authd debug level: debug       >>> (output) the current debug level
debug authentication on dump   >>> sets the debug level to dump
debug authentication on debug  >>> sets the debug level back to normal after the investigation
