How to renew SSO IDP Certificate

Below are the Pre-Requisites to edit SSO settings and renew IDP certificate:
 

1. You must have the Domain Administrator (DA) role in the CSP to be able to configure third-party Idp access for your account.
2. You must have admin access on the Identity Provider to update the SSO configuration details provided by Palo Alto Networks. 
3. You need one non-domain administrator (DA) account for verification.
4. Ensure the URLs below are accessible from your network.  You may need to work with your IT/Network team to whitelist these URLs.

                  https://accounts.paloaltonetworks.com/

                  https://accounts.api.paloaltonetworks.com/

1. Download the Base 64 certificate from your Identity Provider (IDP)
2. Login to the support portal - https://support.paloaltonetworks.com
3. Navigate to the Account Details page and click View Single-Sign-On Settings for your domain.
4. Take a backup of the existing identity provider certificate from the SSO settings
5. Copy and Paste the new Base64 IDP certificate (i.e downloaded from step1 from IDP) on the Identity provider certificate and save the configuration.
6. Test the SSO integration.
7. In case of issues revert the certificate changes and reach out to support - You can open an support case at https://support.paloaltonetworks.com. If you are unable to log in, please use the “Need Help?” option.

Q: What to do if the Domain Admin gets an error message below when they click "View Single-Sing-On Settings"?

A: This is because First name and Last name on the Domain Admin are missing from their SSO User information.
In order to update their First name and Last name, please update from Adminsite > UPDATE SSO USER INFORMATION.