SAML Authentication with Cloud Identity Engine (CIE) fails with "CSP ID mismatch" message in System Logs

Created On 06/12/24 01:40 AM - Last Modified 11/26/24 22:07 PM


Symptom


  • The Authentication Profile is configured to use Cloud Identity Engine (CIE) as the SAML provider.
  • Client authentication fails with the following message in the System Log (show log system) and in authd.log:
Failed to parse CAS token from client 'xxx.xxx.xxx.xxx' from 'https://cloud-auth.jp.apps.paloaltonetworks.com/auth' with auth_session_id 
'********-****-****-****-************' : CSP ID mismatch (received AAA vs on-device BBB) for CAS profile "********-****-****-****-************" ;
tenant "<TENANT_ID>" ; region "<REGION>" ; username "<USERNAME>"





Environment


  • Palo Alto Next Generation Firewalls (NGFW)
  • Cloud Identity Engine (CIE) is activated
  • Firewalls using CIE as SAML authentication provider


Cause


As the error message shows, the CSP ID associated with CIE (AAA in the sample log message above) and the CSP ID cached locally by the authd process (BBB in the sample log message above) are different, so authd rejects the CAS token.



Resolution


This issue can be resolved by restarting the authd process, which discards the stale cached CSP ID, with the following CLI command:

> debug software restart process authd
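The following Python helper is an added example and is not part of this article: it parses the authd/system-log message shown under Symptom, extracts the received and on-device CSP IDs together with the CAS profile, tenant, region and username, and reports which profiles are affected and the remediation above. The sample log lines and every ID in them are constructed placeholders.

```python
import re
from typing import Optional

# Constructed sample lines in the format of the article's log message (not real log data).
SAMPLE_LOG = """\
Failed to parse CAS token from client '203.0.113.10' from 'https://cloud-auth.jp.apps.paloaltonetworks.com/auth' with auth_session_id '11111111-2222-3333-4444-555555555555' : CSP ID mismatch (received 1234567 vs on-device 7654321) for CAS profile "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" ; tenant "example-tenant" ; region "jp" ; username "alice"
Failed to parse CAS token from client '203.0.113.11' from 'https://cloud-auth.jp.apps.paloaltonetworks.com/auth' with auth_session_id '22222222-2222-3333-4444-555555555555' : token expired
"""

# Field layout follows the message quoted in the article; the CSP ID format is assumed to be one token.
CSP_MISMATCH_RE = re.compile(
    r"Failed to parse CAS token from client '(?P<client>[^']*)' from '(?P<idp>[^']*)'"
    r" with auth_session_id '(?P<session>[^']*)' : CSP ID mismatch"
    r" \(received (?P<received>\S+) vs on-device (?P<on_device>\S+)\)"
    r' for CAS profile "(?P<profile>[^"]*)" ; tenant "(?P<tenant>[^"]*)"'
    r' ; region "(?P<region>[^"]*)" ; username "(?P<username>[^"]*)"'
)


def parse_csp_mismatch(line: str) -> Optional[dict]:
    """Return the fields of a 'CSP ID mismatch' authd message, or None for any other line."""
    m = CSP_MISMATCH_RE.search(line)
    return m.groupdict() if m else None


def triage(log_text: str) -> dict:
    """Scan system/authd log text and summarise the CAS profiles hit by the cached-CSP-ID mismatch."""
    hits = [f for f in map(parse_csp_mismatch, log_text.splitlines()) if f]
    return {
        "mismatch_count": len(hits),
        "affected_profiles": sorted({h["profile"] for h in hits}),
        "affected_users": sorted({h["username"] for h in hits}),
        # Pairs of (received from CIE, cached on device) so the operator can confirm the cause.
        "id_pairs": sorted({(h["received"], h["on_device"]) for h in hits}),
        # The article's fix: restart authd so it drops the stale cached CSP ID.
        "remediation": "debug software restart process authd" if hits else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the output of `show log system` or a copy of authd.log; lines that do not carry the mismatch message are ignored.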




    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000010z5HCAQ&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail