SAML Authentication fails with Google IDP with certificate mismatch error
6616
Created On 10/13/21 11:20 AM - Last Modified 08/25/22 03:51 AM
Symptom
- SAML authentication is configured for GlobalProtect users on Prisma Access or a Palo Alto Networks Strata firewall.
- The initial SAML redirect to the IdP works and the user signs in with their credentials at the IdP, but when the IdP returns the SAML response, GlobalProtect displays an error message.
Environment
- Prisma Access for Mobile users running 9.1 or above
- Palo Alto Strata Firewall
- PAN-OS 9.1 or above
- GlobalProtect configured.
Cause
- Authentication fails because the SAML response is signed with a certificate that does not match the IdP certificate configured on the firewall, so signature validation of the SAML message fails.
- The authd logs at dump level (see the Additional Information section) show the sequence and the failure details:
2021-10-13 18:06:34.696 +0800 debug: _is_same_public_key(pan_authd_saml_internal.c:340): configured cert = MIIDdDCCAl
received cert = MIIDdDCCAlygAwIBAgIGAXw1oCefMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ
0N+B2021-10-13 18:06:34.696 +0800 Failure while validating the signature of
SAML message received from the IdP "https://accounts.google.com/o/saml2?idpid=xxxxxxx", because the certificate in the SAML Message doesn't match the
IDP certificate configured on the IdP Server Profile "saml_IDP_111111111111". (SP: "Global Protect"), (Client IP: 1.1.1.1), (vsys: vsys1), (authd id:
7010347857933132787), (user: user1@domain.com)
The log snippet above is truncated intentionally.
- When the IdP provides its metadata, the file contains two signing certificates (two KeyDescriptor entries). When the metadata is imported, PAN-OS uses the first certificate in the file as the IdP certificate for validating SAML messages.
- In this case the IdP signs with the second certificate, so the signature check against the first certificate fails with the mismatch shown above.
Resolution
There are two ways to fix this.
- Contact the IdP or the IdP admin and have the certificate order changed so that the certificate the IdP actually signs with is the first one in the metadata. (Recommended)
- Download the metadata.xml file and edit it so that the second certificate and the first certificate swap positions, making the certificate the IdP actually uses the first entry. Import the edited file into the authentication profile and commit.
Note 1: This is not an issue on the Palo Alto Networks side. The second option is a workaround that makes the configured certificate match the second certificate the IdP is actually using.
Note 2: The metadata file is downloaded from the IdP and imported into the firewall. Refer to Step 5 of the link for more details.
Additional Information
- To identify which certificate is in use, open the metadata.xml file, which contains both certificates.
- Compare the certificates with the authd log. The "configured cert" value in the log is always the first certificate in the metadata file; the "received cert" value is the certificate the IdP actually signed the message with. If the received certificate matches the second entry in the file, the mismatch is confirmed.
- The authd log truncates part of the certificate text, which is expected; match the portion that is shown against the file. As the log above shows, the short "configured cert" prefix also matches the start of the received certificate, so compare well beyond the first few characters.
debug authentication show >>> Shows the current authd debug level.
authd debug level: debug >>> Example output: the current level is "debug".
debug authentication on dump >>> Sets the debug level to dump so the certificate comparison is logged.
debug authentication on debug >>> Returns the debug level to normal after the investigation.
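The comparison in the Additional Information section and the metadata swap in the Resolution section can be done mechanically. The following Python script is an added example, not part of this article or of any Palo Alto Networks or Google tooling: it extracts the signing certificates from IdP metadata in document order, pulls the truncated "configured cert" and "received cert" values out of an authd log excerpt, finds which metadata entry the IdP actually signed with, and, if it is not the first entry, writes a reordered metadata file with that certificate moved to the front. The metadata, the log excerpt and both certificate values are constructed placeholders shaped like the real ones; the idpid and certificate bodies are not real.

```python
"""Match the authd 'received cert' to an IdP metadata entry and reorder if needed.

Added example for this article. The metadata, log lines and certificate values
below are constructed placeholders, not real Google or PAN-OS data.
"""
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed certificates. Both share the same leading bytes (same DER layout),
# which is why the 10-character "configured cert" prefix in the log matches both.
CERT_A = ("MIIDdDCCAlygAwIBAgIGAXwAAAAAMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ"
          "bmMuQ09OU1RSVUNURURfQ0VSVF9B")
CERT_B = ("MIIDdDCCAlygAwIBAgIGAXw1oCefMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ"
          "bmMuQ09OU1RSVUNURURfQ0VSVF9C")


def _wrap(cert: str) -> str:
    """Metadata files wrap base64 at fixed columns; emulate that in the sample."""
    return "\n          ".join(cert[i:i + 64] for i in range(0, len(cert), 64))


# Constructed metadata shaped like a Google IdP export with two signing certs.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://accounts.google.com/o/saml2?idpid=xxxxxxx">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS_NS}"><ds:X509Data><ds:X509Certificate>
          {_wrap(CERT_A)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS_NS}"><ds:X509Data><ds:X509Certificate>
          {_wrap(CERT_B)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=xxxxxxx"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed authd excerpt mirroring the truncated lines in the article.
SAMPLE_LOG = """\
2021-10-13 18:06:34.696 +0800 debug: _is_same_public_key(pan_authd_saml_internal.c:340): configured cert = MIIDdDCCAl
received cert = MIIDdDCCAlygAwIBAgIGAXw1oCefMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ
2021-10-13 18:06:34.696 +0800 Failure while validating the signature of SAML message received from the IdP
"""


def _signing_key_descriptors(root):
    """Signing KeyDescriptors under IDPSSODescriptor, in file order (no 'use' means both)."""
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    return idp, [k for k in idp
                 if k.tag == f"{{{MD_NS}}}KeyDescriptor" and k.get("use", "signing") == "signing"]


def extract_signing_certs(metadata_xml: str) -> list:
    """Base64 certificate bodies with all whitespace removed, in file order."""
    _, kds = _signing_key_descriptors(ET.fromstring(metadata_xml))
    return [re.sub(r"\s+", "", c.text or "")
            for kd in kds for c in kd.iter(f"{{{DS_NS}}}X509Certificate")]


def parse_authd_certs(log_text: str) -> dict:
    """Pull the (truncated) 'configured cert' and 'received cert' values from authd output."""
    found = {}
    for key in ("configured", "received"):
        m = re.search(rf"{key} cert = ([A-Za-z0-9+/=]+)", log_text)
        if m:
            found[key] = m.group(1)
    return found


def find_cert_index(prefix: str, certs: list) -> int:
    """Index of the single metadata certificate that starts with the logged prefix."""
    matches = [i for i, c in enumerate(certs) if c.startswith(prefix)]
    if len(matches) != 1:
        raise ValueError(f"prefix matches {len(matches)} certificates; capture a longer log snippet")
    return matches[0]


def reorder_metadata(metadata_xml: str, first_index: int) -> str:
    """Move the signing KeyDescriptor at first_index to the front (the workaround in Resolution)."""
    root = ET.fromstring(metadata_xml)
    idp, kds = _signing_key_descriptors(root)
    target, front = kds[first_index], list(idp).index(kds[0])
    idp.remove(target)
    idp.insert(front, target)
    return ET.tostring(root, encoding="unicode")


def diagnose(metadata_xml: str, log_text: str) -> dict:
    """Report which certificate the IdP used and produce reordered metadata if it is not first."""
    certs = extract_signing_certs(metadata_xml)
    logged = parse_authd_certs(log_text)
    if not certs[0].startswith(logged["configured"]):
        raise ValueError("'configured cert' is not the first metadata certificate; wrong metadata file?")
    used = find_cert_index(logged["received"], certs)
    mismatch = used != 0          # PAN-OS validates against the first entry only
    return {"signing_cert_index": used, "mismatch": mismatch,
            "fixed_metadata": reorder_metadata(metadata_xml, used) if mismatch else None}


if __name__ == "__main__":
    result = diagnose(SAMPLE_METADATA, SAMPLE_LOG)
    print("IdP signed with metadata certificate #%d, mismatch=%s"
          % (result["signing_cert_index"] + 1, result["mismatch"]))
    if result["fixed_metadata"]:
        print(result["fixed_metadata"])
```

Run it against the real files by replacing SAMPLE_METADATA and SAMPLE_LOG with the downloaded metadata.xml and the dump-level authd output; the reordered XML is what gets imported into the authentication profile before the commit. The prefix check deliberately refuses to guess when the logged fragment matches more than one certificate, which is exactly what happens with the 10-character "configured cert" value.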