SAML IdP Metadata import fails with error message “Failed to parse IDP Metadata” due to expired IdP certificate

SAML IdP Metadata import fails with error message “Failed to parse IDP Metadata” due to expired IdP certificate

23784
Created On 10/25/22 18:09 PM - Last Modified 01/06/25 17:58 PM


Symptom


  • Idp Metadata XML file upload failed when setting up the SAML IDP server profile on the Palo Alto Networks firewall and Panorama
GUI: Device > Server Profiles > SAML Identity Provider > Import > Identity Provider Metadata
SAML identify provider server profile import

Environment

Cause


Expired SAML Certificate (seen in less mp-log configd.log) 
Error:  insert_cert_by_path(pan_ops_common_auth.c:1102): Certificate is expired  
Error:  insert_idp_metadata_by_path_or_content(pan_ops_common_auth.c:2070): Import of certificate failed.

Resolution


  1. Renew the SAML certificate and re-download the Federation metadata XML from the provider.
  2. Use the step 2-2 of Configure SAML Authentication.
  3. Limit the profile name to less than or equal to 31 characters.
Example of using Azure as an IDP provider
2022-10-25 13_42_57-2022-10-25 10_14_22-SAML Signing Certificate - Microsoft Azure.png ‎- Photos.png

Additional Information


Certificate import error - Failed to parse IDP Metadata (due to profile name having more than 31 characters)
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kEk1CAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language