Enable Validate Identity Provider Certificate with Azure AD using FW CA

Created On 07/02/20 19:35 PM - Last Modified 09/21/21 00:40 AM


Symptom


To secure SAML deployments from CVE-2020-2021 (PAN-OS), Palo Alto Networks issued the following document, which describes solutions that do not require upgrading the firewall's PAN-OS. For more details, follow the link below.

Securing your SAML Deployments
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK


Quick Summary:

Signed SAML Response: If the IdP you are using is ADFS, Azure AD, Google, OneLogin, PingFederate or PingOne, you do not need to take any action to send signed SAML responses or assertions. If you are using Okta or any other IdP, please check to see if you have configured your IdP to sign SAML responses or assertions. As a security best practice, you must configure your IdP to sign the SAML response, SAML assertion or both.

Enable Validate Identity Provider Certificate: In order to be able to enable the Validate Identity Provider Certificate checkbox, your IdP's certificate must be issued by a Certificate Authority. Many popular identity providers generate self-signed IdP certificates by default, but ADFS, Azure AD, Okta, PingOne, and OneLogin provide a way to use CA-issued IdP certificates.

This article describes how to enable Validate Identity Provider Certificate for a SAML configuration with Azure AD, without upgrading PAN-OS.



Environment


If you are a Palo Alto Networks customer and use SAML on your NGFW, VM-Series, Panorama devices, or on Prisma Access, you are IMPACTED by CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication.
  • NGFW, VM-Series
  • Panorama
  • GlobalProtect Portal/Gateway
  • Prisma Access
  • SAML


Cause


Palo Alto Networks recently became aware of an issue impacting PAN-OS features where SAML based authentication is used, which may allow a malicious attacker to authenticate successfully to various services without valid credentials. Impacted devices and software include the GlobalProtect Gateway, Portal, Clientless VPN, Captive Portal, Prisma Access, and PAN-OS and Panorama web management interfaces. The vulnerability requires specific configuration settings on PAN-OS to be enabled for successful exploitation. We believe the potential for impact is high and the required configuration may be common when single-sign-on providers like Okta are used.

Resolution



Azure AD 

Steps to configure CA-issued certificate and enable Validate Identity Provider Certificate on PAN-OS 

Step 1 - Add a CA-Issued certificate as IdP Certificate on Azure AD

  1. Follow instructions from Azure AD to add a new CA-issued certificate https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on#create-a-new-certificate
  2. Please delete the old certificate before you export the IdP metadata to complete the next step.

Step 2 - Import metadata and enable “Validate Identity Provider Certificate” on PAN-OS

Once a CA-issued certificate has been set up on your IdP, you must re-register the IdP within PAN-OS and Panorama. To do this:

  1. Ask your IdP administrator for IdP metadata
  2. Import the IdP metadata into PAN-OS and/or Panorama and ensure that the Validate Identity Provider Certificate checkbox is enabled. Click OK
  3. Create a Certificate Profile using the same CA certificate that has issued the IdP’s certificate
  4. Add the newly created IdP Server Profile and Certificate Profile to your SAML Authentication Profile
  5. Commit the configuration to Panorama and/or the firewall
Note: Generate the certificate using your enterprise Certificate Authority. In the steps below, the firewall itself is used to generate a self-signed certificate chain (root CA, intermediate CA and IdP signing certificate) for this purpose.

  1. Export the certificate in PKCS12 (PFX) file format.
  2. Log in to the Azure portal and select Azure Active Directory.
  3. Select Enterprise applications.
  4. Select Global Protect.
  5. Under Global Protect, select Single sign-on.
  6. Under SAML-based Sign-on, select the SAML Signing Certificate option.
  7. Import the certificate (SAML_AzureSign) with the PFX password.
  8. After importing the certificate, make sure to activate it and delete the previous one.
  9. The Federation Metadata XML can now be downloaded, or exported to the firewall.
  10. Import the downloaded metadata into the firewall.
  11. The SAML IdP Server Profile will be populated with the links; select the SAML_AzureSign certificate in the Identity Provider Certificate option.
  12. Create a Certificate Profile containing the Root and Intermediate certificates.
  13. Navigate to the Authentication Profile and select the IdP Server Profile and the Certificate Profile.
  14. Commit all changes and try logging in to any feature that uses the SAML authentication profile.
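The chain check behind the metadata import and Certificate Profile steps above, as an added example that is not part of this article: it builds a throwaway root/intermediate/IdP signing chain with openssl (standing in for the firewall-generated chain), wraps the IdP certificate in a constructed Federation Metadata XML, extracts it the way it is imported, and verifies it against a bundle holding the root and intermediate, which is what the Certificate Profile contains; a default self-signed IdP certificate fails the same check. Subject names, file names and the metadata skeleton are assumptions.

```shell
#!/bin/sh
# Added demo, not from the article: CA-issued vs self-signed IdP signing certificate
# checked against the CA bundle a PAN-OS Certificate Profile would hold.
set -e
WORK=$(mktemp -d)

gen_chain() (   # hypothetical subject names; throwaway keys, 30-day validity
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -days 30 \
    -keyout root.key -out root.crt 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out inter.crt 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=SAML_AzureSign" \
    -keyout idp.key -out idp.csr 2>/dev/null
  openssl x509 -req -in idp.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out idp.crt 2>/dev/null
  # what Azure AD generates by default: a self-signed signing certificate
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Self-Signed IdP" -days 30 \
    -keyout self.key -out self.crt 2>/dev/null
  cat root.crt inter.crt > profile_ca.pem   # contents of the Certificate Profile
)

# Constructed stand-in for the Azure AD Federation Metadata XML: $1 = PEM cert, $2 = output
make_metadata() {
  b64=$(sed '/-----/d' "$1" | tr -d '\n')
  printf '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"><IDPSSODescriptor><KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor></IDPSSODescriptor></EntityDescriptor>\n' "$b64" > "$2"
}

# Pull the signing certificate out of the metadata ($1) and write it as PEM ($2)
extract_signing_cert() {
  b64=$(tr -d '\n' < "$1" | sed 's/.*<X509Certificate>//; s/<\/X509Certificate>.*//' | fold -w 64)
  printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$b64" '-----END CERTIFICATE-----' > "$2"
}

# Returns 0 when $1 chains to the Certificate Profile CAs, non-zero otherwise
verify_idp_cert() {
  openssl verify -CAfile "$WORK/profile_ca.pem" "$1" >/dev/null 2>&1
}

gen_chain
make_metadata "$WORK/idp.crt" "$WORK/metadata.xml"
extract_signing_cert "$WORK/metadata.xml" "$WORK/from_metadata.pem"
verify_idp_cert "$WORK/from_metadata.pem" && echo "CA-issued IdP certificate: chains to the Certificate Profile"
verify_idp_cert "$WORK/self.crt" || echo "self-signed IdP certificate: rejected"
```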

