Third Party IDP: Update SAML Request Signing Certificate
Environment
Third Party IDP
Resolution
- Summary
- New Ping SAML Request Signing Certificate
- FAQs
  - We have already migrated to Okta recently. Am I still required to renew the certificate?
  - We don’t verify SAML Authn Requests on the IdP. Am I still required to renew the certificate?
  - We are verifying the SAML Authn Requests on the IdP. Will there be any outage after December 9, 2022 if we don't renew it by then?
  - Who do I contact if I run into SSO issues after migration?
Summary
Third-party IdP (Identity Provider) integration allows customers to access Palo Alto Networks services using their own IdP. This document covers how to renew the SAML Request Signing certificate on the IdP.
The Ping SAMLRequest signing certificate expires on December 9, 2022. If you are currently enrolled in the third-party IdP integration with configured signed assertions, please take one of the actions outlined below.
If you have configured signed assertions, there are two options available that will prevent you from losing access to Palo Alto Networks resources. Palo Alto Networks strongly encourages you to follow Option 1, which makes Option 2 unnecessary.
- Option 1: Migrate to Okta. Please follow the step-by-step instructions found in this KB article. If this is performed, Option 2 is NOT required.
- Option 2: Update the PingFederate certificate.
  - Before December 9, 2022: You can schedule a working session to avoid any service interruptions. Please schedule a working session with our support team using this calendar link.
  - After December 9, 2022: Palo Alto Networks will renew the certificate on the service provider (Ping) for all the IdP connections. Download the certificate provided below and upload it to your identity provider.
New Ping SAML Request Signing Certificate
Copy the certificate below and save it as a .cer or .crt file to upload to your identity provider. You can also copy and paste the contents of the certificate if your IdP allows it.
FAQs
We have already migrated to Okta recently. Am I still required to renew the certificate?
No. If you have already followed our KB article to migrate to Okta, no further action is required from you. You won’t be impacted.
We don’t verify SAML Authn Requests on the IdP. Am I still required to renew the certificate?
No. If you are not verifying the SAML Authn Request signature, no further action is required from you. You won’t be impacted.
We are verifying the SAML Authn Requests on the IdP. Will there be any outage after December 9, 2022 if we don't renew it by then?
Yes, if you don't renew the certificate by Dec 9th, 2022, you will not be able to log in to Palo Alto Networks websites.
Who do I contact if I run into SSO issues after migration?
If you have issues, please open a case at https://support.paloaltonetworks.com. If you are unable to log in, please use the “Need Help?” option.