Knowledge Base - Palo Alto Networks

GlobalProtect SAML Authentication failed with Error: Authentication Failed (Error code: -1)

Created On 10/18/22 23:29 PM - Last Modified 10/19/22 00:30 AM


Symptom


SAML authentication with the SAML IdP is successful, but the GlobalProtect App, or the web browser pointed at the GP Clientless VPN address, shows authentication failed with the following message:


Authentication Failed
Please contact the administrator for further assistance
Error code: -1



Environment


GlobalProtect App
GlobalProtect Clientless VPN Portal
SAML Authentication


Cause


In general, the Authentication Failed error with code -1 from the SAML SP (GP Portal/Gateway firewall) happens when the firewall fails to read the SAML Response.

One of these scenarios happens when the GP Portal/Gateway firewall cannot validate the SAML Response due to stale IdP Metadata with an expired or old certificate. The authd process logs "Failure while validating the signature of SAML message received from the IdP ...", because the certificate in the SAML Message doesn't match the IDP certificate configured on the IdP Server Profile. The following logs show this specific scenario:
 

2022-10-11 18:07:18.649 -0700 Received SAML Assertion from 'https://sts.windows.net/zzzzzzzzzzzzzzz-4c7c-b905-xxxxxxxxxxxxxx/' from client '10.1.1.1'
2022-10-11 18:07:18.649 -0700 debug: _extract_sso_attribute(pan_authd_saml_internal.c:526): Got attr name (username) "username" ; value "example-lab@----------";
...
...
2022-10-11 18:07:18.650 -0700 debug: _is_same_public_key(pan_authd_saml_internal.c:324): configured cert = MIIC8DCCAdigAwIBAgIQVL5TcdnLDbtBR92r32p6YTANBgkqhkiG9w0BAQsFADA0MTIwMA…ne/hW8yBwjP8F1hnuRQFR2tXt
2022-10-11 18:07:18.650 -0700 debug: _is_same_public_key(pan_authd_saml_internal.c:325): received   cert = MIIC8DCCAdigAwIBAgIQLqCFsVA7VbtIqmJfj8lGxTANBgkqhkiG9w0BAQsFADA0MTIwMA…GA8IKWDA/lao7FLiIKkWqhiAl
2022-10-11 18:07:18.650 -0700 Failure while validating the signature of SAML message received from the IdP "https://sts.windows.net/zzzzzzzzzzzzzzz-4c7c-b905-xxxxxxxxxxxxxx/", because the certificate in the SAML Message doesn't match the IDP certificate configured on the IdP Server Profile "Azure-IDP". (SP: "Global Protect"), (Client IP: 10.1.1.1), (vsys: vsys1), (authd id: 7132225947322817063), (user: example-lab@----------)
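The configured-versus-received comparison that the `_is_same_public_key` log lines above record can be reproduced offline before touching the firewall: extract the signing certificate(s) from the IdP metadata you have on file and the certificate carried in the signature of a captured SAML Response, and compare them by fingerprint. This is an added example, not Palo Alto Networks code; the metadata, response and certificate strings are constructed placeholders, and it goes slightly beyond the article by accepting metadata that advertises several signing certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholders standing in for base64 DER certificates (not real X.509 data).
OLD_CERT = base64.b64encode(b"constructed: IdP signing cert from stale metadata").decode()
NEW_CERT = base64.b64encode(b"constructed: IdP signing cert currently in use").decode()

def metadata_xml(cert_b64):
    """Minimal IdP metadata with one signing KeyDescriptor (constructed sample)."""
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"><md:IDPSSODescriptor>'
            '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            '</md:IDPSSODescriptor></md:EntityDescriptor>' % (NS["md"], NS["ds"], cert_b64))

def response_xml(cert_b64):
    """Constructed SAML Response whose signature KeyInfo carries the cert that signed it."""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="%s">'
            '<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>' % (NS["ds"], cert_b64))

def fingerprint(b64_cert):
    """SHA-256 over the decoded certificate bytes; whitespace and line wraps are ignored."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()

def metadata_signing_fingerprints(xml_text):
    """Every signing cert the metadata advertises (a KeyDescriptor without 'use' counts too)."""
    certs = set()
    for kd in ET.fromstring(xml_text).iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            certs.update(fingerprint(c.text) for c in kd.iterfind(".//ds:X509Certificate", NS))
    return certs

def response_signing_fingerprints(xml_text):
    """Cert(s) embedded in the message's XML-DSig KeyInfo, i.e. what the IdP actually signed with."""
    return {fingerprint(c.text) for sig in ET.fromstring(xml_text).iterfind(".//ds:Signature", NS)
            for c in sig.iterfind(".//ds:X509Certificate", NS)}

def check_idp_cert(metadata_text, response_text):
    """Mirror the firewall's configured-vs-received comparison; False means the profile is stale."""
    configured = metadata_signing_fingerprints(metadata_text)
    received = response_signing_fingerprints(response_text)
    if not received:
        return False, "no X509Certificate in the SAML message signature"
    if received & configured:
        return True, "received signing cert matches the configured IdP certificate"
    return False, "received cert not in configured set; re-import current IdP metadata"
```

Running `check_idp_cert(metadata_xml(OLD_CERT), response_xml(NEW_CERT))` reproduces the mismatch from the log, while the same response against `metadata_xml(NEW_CERT)` passes, which is what re-importing current metadata achieves.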

 



Resolution


1. Download the SAML IdP Metadata for the configured application. For example, see Step 8 of the HOW TO SETUP AZURE SAML AUTHENTICATION WITH GLOBALPROTECT article.

2. Import the SAML IdP Metadata on the PANW firewall to create a SAML IdP Server Profile. For example, see the "Steps to configure SAML authentication to use it for GlobalProtect Portal and Gateway" section of the HOW TO SETUP AZURE SAML AUTHENTICATION WITH GLOBALPROTECT article.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sZc8CAE&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail