SAML authentication failing with error: "Failure while validating the signature of SAML message received from the IdP"

Created On 01/24/21 19:00 PM - Last Modified 03/05/21 02:36 AM


Symptom


SAML authentication fails and the following error message is seen:

Failure while validating the signature of SAML message received from the IdP, because the certificate
in the SAML Message doesn't match the IDP certificate configured on the IdP Server Profile.

 



Environment


  • Any Palo Alto Networks firewall or Panorama.
  • Any PAN-OS version.
  • SAML authentication configured with a SAML Identity Provider server profile.


Cause


When a user requests a service or application, the firewall or Panorama redirects the user to the IdP for authentication. The IdP authenticates the user and returns a signed SAML response or assertion. The firewall validates that signature against the IdP certificate stored in the SAML Identity Provider server profile, which was populated from the IdP metadata file imported earlier. In this case the IdP is signing with a certificate different from the one in that metadata, typically because the IdP's signing certificate has been renewed or rotated since the metadata was imported, so the signature check fails and the firewall rejects the authentication.

Resolution


  1. Export the current SAML metadata file from the IdP and copy it to a host from which the firewall or Panorama GUI can upload it. Obtain the file directly from the IdP's administration console or its metadata URL rather than from an unverified source: whatever certificate is imported becomes the trust anchor for every SAML login through this profile.
  2. Go to GUI: Device > Server Profiles > SAML Identity Provider.
  3. Click Import at the bottom of the tab, give the new profile a name, and select the metadata file. This creates a new SAML Identity Provider server profile that carries the IdP's current signing certificate.
  4. Go to GUI: Device > Authentication Profile, find each profile that references the old SAML Identity Provider server profile, point it at the new server profile, and commit.
  5. If authentication still fails with a certificate error after these steps, the exported metadata does not reflect the certificate the IdP actually signs with: generate a new signing certificate on the IdP, make it the active certificate, and repeat steps 1-4.
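Before re-importing, it is worth confirming that the mismatch is real and identifying which certificate the IdP is now using. The script below is an added example and is not part of this article or of any Palo Alto Networks tooling. It parses an IdP metadata file, collects the SHA-256 fingerprints of its signing certificates (skipping keys marked for encryption only, which are never used for signature validation), decodes the SAMLResponse form value the IdP posted back, and reports any certificate in the response's signature that is absent from the metadata. The metadata, the response, the entityID URLs and the certificate bodies are all constructed placeholders for illustration; the certificate values are not real X.509 DER, so their fingerprints are meaningful only as a comparison between the two documents.

```python
"""Compare the IdP signing certificate in a SAMLResponse with the
certificates in the IdP metadata the firewall imported.

Added example for this article; stdlib only, no real certificates.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes: the thumbprint a certificate viewer shows."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def metadata_signing_fingerprints(metadata_xml: str) -> set:
    """Certificates the IdP publishes for signing (use="signing" or unspecified)."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys cannot validate a signature
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.add(fingerprint(cert.text))
    return fps


def response_signing_fingerprints(saml_response_b64: str) -> set:
    """Certificates embedded in any <ds:Signature> of the response or assertion."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    fps = set()
    for sig in root.iterfind(".//ds:Signature", NS):
        for cert in sig.iterfind(".//ds:X509Certificate", NS):
            fps.add(fingerprint(cert.text))
    return fps


def check(metadata_xml: str, saml_response_b64: str) -> dict:
    """Return what the profile trusts, what the IdP presented, and the gap."""
    trusted = metadata_signing_fingerprints(metadata_xml)
    presented = response_signing_fingerprints(saml_response_b64)
    return {
        "trusted": trusted,
        "presented": presented,
        "match": bool(trusted & presented),
        "not_in_metadata": presented - trusted,
    }


# Constructed placeholders: not real DER, only distinct byte strings.
OLD_CERT_B64 = base64.b64encode(b"placeholder: cert in the imported metadata").decode()
NEW_CERT_B64 = base64.b64encode(b"placeholder: cert the IdP now signs with").decode()
ENC_CERT_B64 = base64.b64encode(b"placeholder: IdP encryption-only cert").decode()

# Constructed metadata, as exported from a hypothetical IdP.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{ENC_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def build_response_b64(cert_b64: str) -> str:
    """Constructed SAMLResponse (HTTP-POST form value) signed with the given cert."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2021-01-24T19:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-01-24T19:00:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    result = check(SAMPLE_METADATA, build_response_b64(NEW_CERT_B64))
    print("signing cert matches imported metadata:", result["match"])
    for fp in result["not_in_metadata"]:
        print("IdP signed with a certificate not in the metadata:", fp)
```

To run this against a real login, capture the SAMLResponse form field the browser posts to the firewall's ACS URL (the HTTP-POST binding value is plain base64, not deflated) and pass it with the metadata file you intend to import. If the reported fingerprint matches the certificate shown as active in the IdP console, re-importing the fresh metadata is the right fix; if the freshly exported metadata still lacks that fingerprint, that is the situation step 5 describes.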


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCalCAG&lang=en_US