Why is there no option to test SAML Authentication Profile from the CLI?

> test authentication authentication-profile ?

• Palo Alto Networks Firewall or Panorama
• PAN-OS 8.1 and above
• SAML Authentication Profiles

It is not possible to test a SAML authentication profile from the CLI due to the way SAML works.

SAML Authentication flow:

1. Client connects to the Firewall (Service Provider or SP) and requests an Application
2. Firewall redirects client to an Identity Provider (IdP) configured in the Authentication Policy
3. User authenticates directly with the IdP
4. IdP returns a SAML Assertion to the Client
5. Client forwards the SAML Assertion to the Firewall
6. Firewall validates the SAML Assertion
7. Firewall grants access to the Application based on policy

As can be seen in this flow, the firewall is not the entity that performs the actual authentication it is only the Service Provider (SP). Instead, the client is redirected to the Identity Provider's (IdP) to authenticate directly.

It is not possible for the firewall to broker this entire process due to the direct authentication between Client and IdP.  Because of this, SAML profiles will not be shown as an option in the CLI command:

> test authentication authentication-profile ?

• SAML workflow: 
• How to configure SAML

10 Mar 25 (Vijay) - Article reviewed with Chris and published external.