Troubleshooting SAML SSO setup on Prisma Cloud


Created On 09/28/21 15:48 PM - Last Modified 06/22/22 09:48 AM


Objective


How to Troubleshoot SAML SSO setup on Prisma Cloud

Environment


Prisma Cloud –  SaaS
 


Procedure


SSO troubleshooting steps are as follows:
  1. Confirm the mandatory fields on the Prisma Cloud side are set correctly.
    1. Required fields:
      1. Identity Provider Issuer
      2. Certificate
      3. If JIT (just-in-time provisioning) is enabled, all of the JIT attribute mapping fields except timezone are required as well
  2. Confirm SSO is enabled. NOTE: before enabling SSO, make sure the bypass drop-down contains at least one System Admin user, so that a local login remains available if the SAML flow is misconfigured.
Now on to the common errors.
Error 1

Cause 1
  1. Issuer mismatch between the Prisma Cloud SSO settings and the IdP. The Issuer is compared as an exact string, so a different hostname, scheme, or trailing slash is enough to fail.
    1. The best way to confirm this is to capture the SAML response, either with browser DevTools (the base64-encoded SAMLResponse field in the POST to Prisma Cloud) or with a browser plugin such as SAML Message Decoder, and compare the Issuer element against the value configured in Prisma Cloud.
    2. Issuer in the captured assertion: <saml:Issuer>https://ec2-3-82-156-173.compute-1.amazonaws.com/simplesaml/saml2/idp/metadata.php</saml:Issuer>
    3. Issuer configured on the Prisma Cloud SSO page: https://ec2-18-206-64-139.compute-1.amazonaws.com/simplesaml/saml2/idp/metadata.php
    In this example the two hostnames differ, so Prisma Cloud rejects the assertion.
 =======================================================================================

Error 2

Cause 2
  1. SSO is disabled in Prisma Cloud. Enable it on the SSO settings page, after confirming the bypass user described above.
================================================================================

Error 3

Cause 3
  1. The certificate in the Prisma Cloud SSO section does not match the certificate that signed the assertion. The IdP usually includes its signing certificate in the response (ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate), so compare that value, or its fingerprint, with the certificate pasted into Prisma Cloud. Typical causes are an IdP certificate rotation, a staging certificate pasted into a production tenant, or stray whitespace and PEM header lines in the pasted value.
 =========================================================================
Error 4

Cause 4
  1. Attribute values missing from the assertion: the attribute is either absent or sent with an empty value.
  2. JIT attribute key mapping incorrect or mismatched: the attribute Name in the assertion must match exactly (including case) the name entered for that field in the Prisma Cloud JIT mapping.
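As an added example (not part of the Palo Alto Networks article and not Prisma Cloud code), the script below performs the assertion-side checks behind Causes 1, 3 and 4 on a captured SAML response: the Issuer against the configured value, the X509Certificate carried in KeyInfo against the certificate pasted into Prisma Cloud, and the attributes named in the JIT mapping for presence and non-empty values. It accepts either the decoded XML from a plugin such as SAML Message Decoder or the raw base64 SAMLResponse field copied from DevTools. The sample response and the certificate bytes are constructed, the JIT field labels and attribute names are an assumption about how the mapping is filled in, and the two Issuer URLs are the ones quoted under Cause 1. It does not verify the XML signature itself; it only tells you whether the configured values line up with what the IdP sent.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Issuer values from the article's mismatch example: the IdP sends the first,
# the Prisma Cloud SSO page has the second configured.
IDP_ISSUER = "https://ec2-3-82-156-173.compute-1.amazonaws.com/simplesaml/saml2/idp/metadata.php"
CONFIGURED_ISSUER = "https://ec2-18-206-64-139.compute-1.amazonaws.com/simplesaml/saml2/idp/metadata.php"

# Constructed stand-ins for DER certificate bytes (a real response carries a real X.509 cert).
IDP_CERT_B64 = base64.b64encode(b"constructed-idp-signing-certificate").decode()
WRONG_CERT_B64 = base64.b64encode(b"constructed-stale-certificate").decode()

# Constructed SAML response: issuer that Prisma Cloud does not expect, empty lastName, no role attribute.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{IDP_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The same response as the browser would POST it in the SAMLResponse form field.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()

# Assumed JIT mapping (Prisma Cloud field label -> attribute Name in the assertion); names are illustrative.
JIT_MAPPING = {"Email": "email", "First Name": "firstName", "Last Name": "lastName", "Role": "role"}


def load_response(raw: str) -> ET.Element:
    """Accept decoded XML (from a SAML decoder plugin) or the raw base64 SAMLResponse field (from DevTools)."""
    text = raw.strip()
    if not text.startswith("<"):
        text = base64.b64decode(text).decode("utf-8")
    return ET.fromstring(text)


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 of the DER bytes; tolerates PEM armor lines and whitespace in a pasted certificate."""
    body = [ln for ln in b64_cert.splitlines() if not ln.strip().startswith("-----")]
    der = base64.b64decode("".join("".join(body).split()))
    return hashlib.sha256(der).hexdigest()


def check_response(raw, configured_issuer, configured_cert_b64, jit_mapping=None):
    """Return a list of findings; an empty list means all three checks passed."""
    root = load_response(raw)
    findings = []

    # Cause 1: Issuer mismatch. The SP compares the strings exactly.
    for iss in sorted({e.text.strip() for e in root.iter(f"{{{NS['saml']}}}Issuer") if e.text}):
        if iss != configured_issuer:
            findings.append(f"issuer mismatch: assertion {iss!r} vs configured {configured_issuer!r}")

    # Cause 3: the signing certificate in KeyInfo differs from the one pasted into Prisma Cloud.
    certs = [e.text for e in root.iter(f"{{{NS['ds']}}}X509Certificate") if e.text]
    if not certs:
        findings.append("no X509Certificate in the response; compare against IdP metadata by hand")
    want = cert_fingerprint(configured_cert_b64)
    for c in certs:
        got = cert_fingerprint(c)
        if got != want:
            findings.append(f"certificate mismatch: assertion sha256 {got[:16]}.. vs configured {want[:16]}..")

    # Cause 4: required JIT attributes absent, empty, or sent under a different Name than the mapping expects.
    if jit_mapping:
        attrs = {}
        for a in root.iter(f"{{{NS['saml']}}}Attribute"):
            vals = [v.text.strip() for v in a.findall("saml:AttributeValue", NS) if v.text and v.text.strip()]
            attrs[a.get("Name")] = vals
        for field, name in jit_mapping.items():
            if name not in attrs:
                findings.append(f"JIT field {field!r}: attribute {name!r} not present in assertion")
            elif not attrs[name]:
                findings.append(f"JIT field {field!r}: attribute {name!r} present but empty")
    return findings


if __name__ == "__main__":
    for finding in check_response(SAMPLE_RESPONSE, CONFIGURED_ISSUER, WRONG_CERT_B64, JIT_MAPPING):
        print("FAIL:", finding)
```

Run against the constructed sample it reports four findings, one per cause the article lists: the Issuer mismatch, the certificate mismatch, the empty lastName value, and the role attribute the IdP never sent. Feed it your own capture and the configured values from the SSO page, and an empty result means the remaining suspects are the SSO-enabled toggle (Cause 2) or the signature itself.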

