SAML authentication fails after upgrading to PAN-OS 10.1 in a mutli-vsys environment

SAML authentication fails after upgrading to PAN-OS 10.1 in a mutli-vsys environment

7545
Created On 07/29/22 13:00 PM - Last Modified 04/22/24 07:42 AM


Symptom


SAML Authentication fails after upgrading the firewall to PAN-OS 10.1 in a mutli-vsys environment

Environment


  • Panorama Managed Firewall or Standalone Firewall.
  • PAN-OS 10.1 and above.
  • SAML authentication profile pushed from Panorama and is in a shared location or local SAML authentication profile in a shared location.
  • GlobalProtect authentication.
  • Authentication Portal.

Cause


  • The authentication fails as it is referring to vsys1 whereas the SAML authentication profile is in a shared location when pushed from Panorama
  • For example, below is the username and SAML authentication profile used in the configuration:
    • User: user1@testlab.com
    • SAML Authentication Profile: SAML-Auth-Profile
  • In the authd.log below, the SAML authentication profile SAML-Auth-Profile is referring to vsys1 but the profile is in the shared location
> tail follow yes mp-log authd.log

debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:786): user "user1@testlab.com" is NOT 
in allow list of auth prof/vsys "SAML-Auth-Profile/shared" (vsys in request "vsys1")
  • Same is observed if the SAML authentication profile SAML-Auth-Profile is configured locally on the firewall
> tail follow yes mp-log authd.log

-0700 debug: pan_auth_saml_resp_process(pan_auth_state_engine.c:5410): Check allow list status for user1@testlab.com (SAML-Auth-Profile/vsys1)
-0700 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:786): user "user1@testlab.com" is NOT in allow list of auth prof/vsys 
"SAML-Auth-Profile/vsys1"  (vsys in request "vsys1")
-0700 Error:  pan_allowlist_request_process(pan_auth_allow_lock.c:77): Failed to get allow list status for user user1@testlab.com/vsys1/SAML-Auth-Profile
-0700 SAML SSO authentication failed for user 'user1@testlab.com'.  Reason: User is not in allowlist. 
auth profile 'SAML-Auth-Profile', vsys 'vsys1', server profile 'SAML-Auth-Profile', IdP entityID 'http://www.okta.com/exk3q4flalZkFtUca357', reply message 
'User "user1@testlab.com" is not in allow list' From: 192.168.0.150.
-0700 debug: _log_saml_respone(pan_auth_server.c:397): Sent PAN_AUTH_FAILURE SAML response:(authd_id: 7215373786869138305) (SAML err code "1" 
means NOT in allow list) (return username 'user1@testlab.com') (auth profile 'SAML-Auth-Profile') (reply msg 'User "user1@testlab.com" 
is not in allow list') (NameID 'user1@testlab.com') (SessionIndex '_d00ed823038ada878bdfe4f69dea5755') (Single Logout enabled? 'Yes')
 (Is it CAS (cloud-auth-service)? 'No')

Resolution


  1. The issue is fixed in PAN-190454 and available in PAN-OS 10.2.4, 10.1.9, 11.0.1
  2. Upgrade to the fixed version resolves the issue.


Workaround: Change the location of the SAML authentication profile from shared to a specific target vsys where it is invoked
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000Cqu1CAC&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language