GlobalProtect SAML Authentication failed with Error: Authentication Failed (Error code: -1)
Symptom
SAML authentication with the SAML IdP succeeds, but the GlobalProtect App, or the web browser pointed at the GP Clientless VPN address, shows authentication failed with the following message:
Authentication Failed
Please contact the administrator for further assistance
Error code: -1
Environment
GlobalProtect App
GlobalProtect Clientless VPN Portal
SAML Authentication
Cause
In general, the Authentication Failed Error Code -1 from the SAML SP (the GP Portal/Gateway firewall) occurs when the firewall fails to read the SAML Response it receives.
One such scenario is when the GP Portal/Gateway firewall cannot validate the SAML Response because the IdP Metadata it was configured with is stale, i.e. it carries an expired or old certificate. The authd process then logs "Failure while validating the signature of SAML message received from the IdP ..., because the certificate in the SAML Message doesn't match the IDP certificate configured on the IdP Server Profile". The following logs show this specific scenario:
2022-10-11 18:07:18.649 -0700 Received SAML Assertion from 'https://sts.windows.net/zzzzzzzzzzzzzzz-4c7c-b905-xxxxxxxxxxxxxx/' from client '10.1.1.1'
2022-10-11 18:07:18.649 -0700 debug: _extract_sso_attribute(pan_authd_saml_internal.c:526): Got attr name (username) "username" ; value "example-lab@----------";
...
...
2022-10-11 18:07:18.650 -0700 debug: _is_same_public_key(pan_authd_saml_internal.c:324): configured cert = MIIC8DCCAdigAwIBAgIQVL5TcdnLDbtBR92r32p6YTANBgkqhkiG9w0BAQsFADA0MTIwMA… ne/hW8yBwjP8F1hnuRQFR2tXt
2022-10-11 18:07:18.650 -0700 debug: _is_same_public_key(pan_authd_saml_internal.c:325): received cert = MIIC8DCCAdigAwIBAgIQLqCFsVA7VbtIqmJfj8lGxTANBgkqhkiG9w0BAQsFADA0MTIwMA… GA8IKWDA/lao7FLiIKkWqhiAl
2022-10-11 18:07:18.650 -0700 Failure while validating the signature of SAML message received from the IdP "https://sts.windows.net/zzzzzzzzzzzzzzz-4c7c-b905-xxxxxxxxxxxxxx/", because the certificate in the SAML Message doesn't match the IDP certificate configured on the IdP Server Profile "Azure-IDP". (SP: "Global Protect"), (Client IP: 10.1.1.1), (vsys: vsys1), (authd id: 7132225947322817063), (user: example-lab@----------)
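As an added offline check, not part of this article or of PAN-OS, the following Python script reproduces the comparison that the _is_same_public_key log lines describe: it pulls the ds:X509Certificate elements out of an IdP metadata file and out of a SAML Response and reports whether the Response was signed with a certificate the configured IdP Server Profile knows. The metadata, the Response, the entity ID and the certificate bytes are constructed placeholders, not real Azure AD values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# XML Digital Signature namespace; IdP metadata and SAML Responses both carry
# their certificates in ds:X509Certificate elements.
DS_NS = "{http://www.w3.org/2000/09/xmldsig#}"

def cert_fingerprints(xml_text: str) -> set:
    """SHA-256 fingerprints of every ds:X509Certificate in the document (over the DER bytes)."""
    fps = set()
    for node in ET.fromstring(xml_text).iter(DS_NS + "X509Certificate"):
        der = base64.b64decode("".join((node.text or "").split()))  # strip PEM line wrapping
        fps.add(hashlib.sha256(der).hexdigest())
    return fps

def response_cert_matches_profile(metadata_xml: str, response_xml: str) -> bool:
    """True when the cert carried in the SAML Response is one the IdP profile trusts."""
    return bool(cert_fingerprints(metadata_xml) & cert_fingerprints(response_xml))

def diagnose(metadata_xml: str, response_xml: str) -> str:
    """Verdict in the spirit of the authd log line shown in the Cause section."""
    if response_cert_matches_profile(metadata_xml, response_xml):
        return "OK: SAML Response certificate matches the configured IdP certificate"
    return ("MISMATCH: certificate in the SAML Response is not in the configured IdP "
            "Server Profile; re-download the IdP metadata and re-import the profile")

# Constructed sample data: the "certificates" are placeholder bytes, not real X.509 DER.
OLD_CERT = base64.b64encode(b"placeholder: old IdP signing cert").decode()
NEW_CERT = base64.b64encode(b"placeholder: rotated IdP signing cert").decode()
METADATA_TEMPLATE = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/">'
    '<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>CERT_B64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
    '</md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>'
)
RESPONSE_TEMPLATE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>CERT_B64</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
    '</samlp:Response>'
)
STALE_METADATA = METADATA_TEMPLATE.replace("CERT_B64", OLD_CERT)  # what the firewall still holds
FRESH_METADATA = METADATA_TEMPLATE.replace("CERT_B64", NEW_CERT)  # freshly downloaded from the IdP
SAML_RESPONSE = RESPONSE_TEMPLATE.replace("CERT_B64", NEW_CERT)   # signed with the rotated cert

if __name__ == "__main__":
    print(diagnose(STALE_METADATA, SAML_RESPONSE))
    print(diagnose(FRESH_METADATA, SAML_RESPONSE))
```

Against a real deployment, feed the script the metadata XML exported from the IdP and a SAML Response captured from the browser's SAML trace; a MISMATCH verdict with the stale file and OK with the fresh one confirms the cause described above.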
Resolution
1. Download the current SAML IdP Metadata for the configured application. For example, see Step 8 of the HOW TO SETUP AZURE SAML AUTHENTICATION WITH GLOBALPROTECT article.
2. Import the SAML IdP Metadata on the PANW firewall to create a SAML IdP Server Profile. For example, see the "Steps to configure SAML authentication to use it for GlobalProtect Portal and Gateway" section of the HOW TO SETUP AZURE SAML AUTHENTICATION WITH GLOBALPROTECT article.