Prisma Cloud SAML SSO Authentication Failing with error message "Unexpected value of required field SAML_DESTINATION_URI"

Created On 07/31/22 10:44 AM - Last Modified 07/31/22 10:52 AM


Symptom


  • Prisma Cloud SAML SSO authentication fails with the error message "Unexpected value of required field SAML_DESTINATION_URI".
The following is an example from a tenant hosted on stack 'app.ind':

[Screenshot: 1.png]


Environment


  • Prisma Cloud
  • Identity Provider (IdP) supporting SAML SSO


Cause


  • Two URLs in particular need to be configured correctly on the IdP side.

Audience URI (SP Entity ID)
 
  • Can be copied from the Prisma Cloud SSO page and is unique to your tenant.
  • This is a read-only field in the format: https://app.prismacloud.io?customer=<string> to uniquely identify your instance of Prisma Cloud.
  • You require this value when you configure SAML on your IdP.

Reply URL (Assertion Consumer Service URL)
 
  • Depending on the location of your tenant, which is displayed in the login URL, replace ‘api’ with ‘api2’ or ‘api.eu’.
  • For example: https://api2.prismacloud.io/saml.

The error message "Unexpected value of required field SAML_DESTINATION_URI" occurs when the 'Reply URL' on the IdP side is misconfigured.


Resolution


  • Change the 'Reply URL' on the IdP side.
For example, if your tenant is hosted on app.ind, change the Reply URL to https://api.ind.prismacloud.io/saml
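
To confirm the mismatch before and after changing the IdP, the following added example (not Palo Alto Networks code) decodes a base64 `SAMLResponse` value, as captured from the browser's POST to the Reply URL, and compares its `Destination` and `Recipient` attributes with the Reply URL expected for the tenant's login host. Assumptions: the error refers to the SAML Response `Destination` attribute, the app-to-api host mapping generalizes the examples in this article, the function names are hypothetical, and the sample response is constructed.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def expected_reply_url(login_url):
    """Swap the leading 'app' host label for 'api' (assumed pattern: app.ind -> api.ind)."""
    host = urlsplit(login_url).hostname or ""
    if not (host.startswith("app") and host.endswith(".prismacloud.io")):
        raise ValueError(f"not a Prisma Cloud login host: {host!r}")
    return f"https://api{host[3:]}/saml"

def check_saml_response(b64_response, login_url):
    """Return mismatches between the response's ACS fields and the expected Reply URL.
    Diagnostic only: no signature validation is performed."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != SAMLP + "Response":
        raise ValueError("not a SAML 2.0 Response")
    expected = expected_reply_url(login_url)
    findings = []
    if root.get("Destination") != expected:
        findings.append(f"Destination={root.get('Destination')!r}, expected {expected!r}")
    for scd in root.iter(SAML + "SubjectConfirmationData"):
        if scd.get("Recipient") != expected:
            findings.append(f"Recipient={scd.get('Recipient')!r}, expected {expected!r}")
    return findings

def sample_response(acs_url):
    """Constructed, unsigned sample response; not captured from a real IdP."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_example" Version="2.0" Destination="{acs_url}">'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:SubjectConfirmation '
        'Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{acs_url}"/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    # Constructed case: the IdP posts to the default stack while the tenant is on app.ind.
    wrong = sample_response("https://api.prismacloud.io/saml")
    for finding in check_saml_response(wrong, "https://app.ind.prismacloud.io"):
        print("MISMATCH:", finding)
```

An empty list from `check_saml_response` means the IdP is sending the response to the Reply URL that matches the tenant's stack.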
