SAML authentication is failing with the error 'SAML Assertion from IdP is signed by unknown signer and has been rejected'
8057
Created On 03/04/23 13:20 PM - Last Modified 10/05/23 23:25 PM
Symptom
- SAML is configured with Azure AD as the IDP (Identity Provider).
- System logs (show log system) show SAML (Security Assertion Markup Language) authentication failing for GlobalProtect with the error below:
SAML Assertion from IdP "https://xyz.windows.net/xxxxx-xxxx-xxx-xxx-xxx/" (auth profile "Azure-SAML") is signed by unknown signer "/CN=IDP CA" and has been rejected
Environment
- Palo Alto Networks Strata firewalls
- Prisma Access
- SAML authentication is configured for GlobalProtect
- Azure AD as IDP
Cause
- This is caused by the configuration of the SAML IdP server profile, where the checkbox "Validate Identity Provider Certificate" is checked.
- In this case, the firewall or Prisma Access uses the CA certificate from the certificate profile selected in the Authentication profile to validate the IdP certificate.
- If the option is checked, the IdP certificate must be signed by a CA (Certificate Authority) whose certificate is imported into Panorama/the firewall and used in the corresponding certificate profile.
Resolution
- If the IdP certificate in use is not signed by a CA certificate, uncheck "Validate Identity Provider Certificate" in the SAML IdP server profile.
- Follow the detailed Azure AD SAML documentation for more details. That document is written for Prisma Access, but the Azure side of the configuration for importing the CA-signed certificate is the same for Strata firewall deployments as well.
Additional Information
The authd.log entries below, from a firewall deployment where authentication failed, clearly show the firewall failing to validate the SAML assertion signer:
2023-03-04 02:35:57.547 -0500 SAML Assertion from IdP "https://xyz.windows.net/xxxxx-xxxx-xxx-xxx-xxx/" (auth profile "Azure-SAML") is signed by unknown signer "/CN=IDP CA" and has been rejected.
2023-03-04 02:35:57.547 -0500 Error: _parse_sso_response(pan_authd_saml.c:1479): _handle_signature() from IdP "https://xyz.windows.net/xxxxx-xxxx-xxx-xxx-xxx/"
2023-03-04 02:35:57.547 -0500 Error: _handle_request(pan_authd_saml.c:2106): occurs in _parse_sso_response()
2023-03-04 02:35:57.548 -0500 SAML SSO authentication failed for user 'user@company.com'. Reason: SAML web single-sign-on failed. auth profile 'Azure-SAML', vsys 'vsys1', server profile 'Azure-SAML', IdP entityID 'https://xyz.windows.net/xxxxx-xxxx-xxx-xxx-xxx/', reply message 'SAML single-sign-on failed' From: x.x.x.x
2023-03-04 02:35:57.548 -0500 debug: _log_saml_respone(pan_auth_server.c:355): Sent PAN_AUTH_FAILURE SAML response:(authd_id: 71108xxxxxxxxxxxxxx) (SAML err code "2" means SSO failed) (return username 'user@company.com') (auth profile 'Azure-SAML') (reply msg 'SAML single-sign-on failed') (NameID 'user@company.com') (SessionIndex '_xxxxxxxx-xxxx-xxxx-xxxx-40fad0b10d00') (Single Logout enabled? 'No')
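The following Python script is an added example, not part of this article or of any Palo Alto Networks tooling. It runs over the authd.log lines shown above (embedded here as the sample input) and pulls the "unknown signer" rejection into a structured event, joining it with the matching "SAML SSO authentication failed" line by auth profile so that the IdP entityID, the rejected signer, the affected user and the source address end up in one record. The regular expressions are written against the exact log format shown on this page and are an assumption for any other PAN-OS release; the remediation text mirrors the Cause and Resolution sections.

```python
import re

# Sample input: the authd.log lines from the article (constructed sample, one failure).
AUTHD_LOG_SAMPLE = """\
2023-03-04 02:35:57.547 -0500 SAML Assertion from IdP "https://xyz.windows.net/xxxxx-xxxx-xxx-xxx-xxx/" (auth profile "Azure-SAML") is signed by unknown signer "/CN=IDP CA" and has been rejected.
2023-03-04 02:35:57.547 -0500 Error: _parse_sso_response(pan_authd_saml.c:1479): _handle_signature() from IdP "https://xyz.windows.net/xxxxx-xxxx-xxx-xxx-xxx/"
2023-03-04 02:35:57.547 -0500 Error: _handle_request(pan_authd_saml.c:2106): occurs in _parse_sso_response()
2023-03-04 02:35:57.548 -0500 SAML SSO authentication failed for user 'user@company.com'. Reason: SAML web single-sign-on failed. auth profile 'Azure-SAML', vsys 'vsys1', server profile 'Azure-SAML', IdP entityID 'https://xyz.windows.net/xxxxx-xxxx-xxx-xxx-xxx/', reply message 'SAML single-sign-on failed' From: x.x.x.x
"""

# Matches the rejection line: timestamp, IdP entityID, auth profile and the unknown signer DN.
# Assumption: the format is exactly the one shown in this article.
UNKNOWN_SIGNER_RE = re.compile(
    r'^(?P<ts>\S+ \S+ [+-]\d{4}) SAML Assertion from IdP "(?P<idp>[^"]+)" '
    r'\(auth profile "(?P<profile>[^"]+)"\) is signed by unknown signer "(?P<signer>[^"]+)"'
)

# Matches the per-user failure line that follows the rejection.
FAILED_USER_RE = re.compile(
    r"SAML SSO authentication failed for user '(?P<user>[^']+)'.*?"
    r"auth profile '(?P<profile>[^']+)'.*?From: (?P<src>\S+)"
)


def parse_unknown_signer_events(log_text):
    """Return one dict per 'unknown signer' rejection found in log_text.

    The user and source address are taken from the next 'SAML SSO authentication
    failed' line for the same auth profile; they stay None if no such line follows.
    """
    events = []
    pending = {}  # auth profile -> event still waiting for its user/source line
    for line in log_text.splitlines():
        m = UNKNOWN_SIGNER_RE.match(line)
        if m:
            event = {
                "timestamp": m.group("ts"),
                "idp_entity_id": m.group("idp"),
                "auth_profile": m.group("profile"),
                "signer": m.group("signer"),
                "user": None,
                "source_ip": None,
            }
            events.append(event)
            pending[event["auth_profile"]] = event
            continue
        m = FAILED_USER_RE.search(line)
        if m and m.group("profile") in pending:
            event = pending.pop(m.group("profile"))
            event["user"] = m.group("user")
            event["source_ip"] = m.group("src")
    return events


def remediation_hint(event):
    """Turn one parsed event into the operator-facing explanation from this article."""
    return (
        f"Auth profile '{event['auth_profile']}': the assertion from "
        f"'{event['idp_entity_id']}' is signed by '{event['signer']}', which is not "
        "trusted by the certificate profile referenced in the authentication profile. "
        "Either import that CA into the certificate profile, or, if the IdP certificate "
        "is not CA-signed, uncheck 'Validate Identity Provider Certificate' in the "
        "SAML IdP server profile."
    )


if __name__ == "__main__":
    for ev in parse_unknown_signer_events(AUTHD_LOG_SAMPLE):
        print(ev)
        print(remediation_hint(ev))
```

On a firewall the input would be the output of "tail lines mp-log authd.log" (or the file pulled from a tech-support bundle); the script only needs the text, so it can be fed from a file instead of the embedded sample.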