SAML IdP certificate is no longer trusted after upgrading to 10.2.14
Created On 05/09/25 08:45 AM - Last Modified 06/26/25 20:53 PM
Symptom
- Repeated authentication failures, preventing users from successfully accessing GlobalProtect or Firewall/Panorama Admin UI via SAML.
- The issue consistently occurs after upgrading to PAN-OS 10.2.14, starting 24 hours after a commit or an authd process restart.
> less mp-log authd.log
....
-0700 SAML Assertion from IdP “http://www.okta.com/exkmghcc6sCe3K2ad5d7” (auth profile “testttt”) is signed by unknown signer
“/C=US/ST=California/L=San Francisco/O=Okta/OU=SSOProvider/CN=dev-17886140/emailAddress=info@okta.com” and has been rejected
- Similar errors can be viewed in System logs using the filter ( eventid eq 'saml-certificate-error' ) OR ( description contains 'is signed by unknown signer' )
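The following script is an added example, not part of the Palo Alto Networks article: it triages a saved copy of mp-log authd.log for the "is signed by unknown signer" rejection quoted above and reports which IdP entity ID, authentication profile and signer DN are involved, so the affected SAML server profile can be identified before applying the fix. It assumes the quotes in the real log line are plain ASCII double quotes (the article renders them as curly quotes); the sample log lines are constructed for this example and are not output from a real device.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks article): summarise
# unknown-signer SAML rejections in a copy of mp-log authd.log.
# Assumption: the log uses ASCII double quotes around the IdP, profile and
# signer DN. The lines in SAMPLE_LOG are constructed for this example.

SAMPLE_LOG='2025-05-08 09:12:01 -0700 SAML Assertion from IdP "http://www.okta.com/exkEXAMPLE0001" (auth profile "gp-saml") is signed by unknown signer "/C=US/ST=California/L=San Francisco/O=Okta/OU=SSOProvider/CN=dev-example" and has been rejected
2025-05-08 09:12:05 -0700 SAML Assertion from IdP "http://www.okta.com/exkEXAMPLE0001" (auth profile "gp-saml") is signed by unknown signer "/C=US/ST=California/L=San Francisco/O=Okta/OU=SSOProvider/CN=dev-example" and has been rejected
2025-05-08 09:13:40 -0700 SAML authentication succeeded for user alice (auth profile "gp-saml")
2025-05-08 09:14:02 -0700 SAML Assertion from IdP "https://idp.example.net/metadata" (auth profile "admin-saml") is signed by unknown signer "/C=US/O=Example Corp/CN=idp-signing" and has been rejected'

# Exit status 0 when the log contains at least one unknown-signer rejection,
# so the function can be used directly in an "if" or as a monitoring check.
has_unknown_signer() {
    grep -q 'is signed by unknown signer' "$1"
}

# Print one "idp|auth_profile|signer_dn|count" line per distinct rejection
# source. "|" is used as the separator because the signer DN contains spaces.
unknown_signer_summary() {
    sed -n 's/.*SAML Assertion from IdP "\([^"]*\)" (auth profile "\([^"]*\)") is signed by unknown signer "\([^"]*\)" and has been rejected.*/\1|\2|\3/p' "$1" \
        | sort | uniq -c \
        | sed 's/^ *\([0-9][0-9]*\) \(.*\)$/\2|\1/'
}

# Stand-alone demo on the constructed sample.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_file"
if has_unknown_signer "$demo_file"; then
    echo "unknown-signer rejections found (idp|auth_profile|signer_dn|count):"
    unknown_signer_summary "$demo_file"
fi
rm -f "$demo_file"
```

On a device, export the log first (for example with `less mp-log authd.log` piped to a file via the CLI's output options, or via the technical support file) and point `unknown_signer_summary` at the copy; the signer DN in the output is the subject of the certificate the IdP is actually signing with, which is what the certificate profile must be able to validate after the fix.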
Environment
- Palo Alto Firewalls
- PAN-OS 10.2.14 or 10.2.14-hx
- SAML Authentication Profile
Cause
- The root cause lies in the expired-certificate validation check introduced in PAN-OS 10.2.14 via PAN-274650.
- This change resulted in unexpected certificate validation behavior, causing the IdP's SAML Assertion to be rejected.
Resolution
- The issue, tracked as PAN-287765, is fixed in PAN-OS 10.2.15.
- The following workarounds can be applied:
- Downgrade the firewall to PAN-OS 10.2.13-hx.
- Deploy a new SAML server profile whose IdP certificate is signed by a CA (a CA-signed certificate for the IdP). For the configuration steps, refer to the Additional Information section.
Note: The temporary workaround of downgrading the firewall to PAN-OS 10.2.13-hx does resolve the immediate issue; however, the firewall will then show alerts recommending that administrators validate the IdP certificate, as a security best practice. Deploying a CA-signed certificate is therefore strongly recommended.
Additional Information
Follow the steps below to create a CA signed certificate for the SAML IdP:
- Use PAN-OS or any external tool to create a root CA certificate (in this example, pantac-lab-ca).
- Sign a new certificate with this root CA and upload it to the IdP. Make sure it is applied to the desired application.
- Download the new metadata XML file (which should now include the new certificate) and import it into a new SAML server profile, ensuring that "Validate Identity Provider Certificate" is enabled.
- Add the new root CA to the certificate profile that is assigned to the SAML authentication profile.
- Verify that authentication continues to succeed, including more than 24 hours after a commit or authd process restart.
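The script below is an added example, not code from the article or from Palo Alto Networks, showing how the first two steps above can be carried out with the openssl CLI when an external tool is preferred over generating the certificates on PAN-OS: it creates the root CA, issues an IdP signing certificate from it, and then performs the same chain check the firewall performs once "Validate Identity Provider Certificate" is enabled. The file names, the leaf CN (idp-signing.example.net) and the validity periods are assumptions for this example; the root CA name follows the article's pantac-lab-ca. The openssl command must be installed.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks article): create a root CA
# and a CA-signed IdP signing certificate with openssl, then verify the chain.
# Assumptions: file names, the leaf CN and validity periods are illustrative;
# the root CA name "pantac-lab-ca" follows the article.

# Create the root CA and an IdP signing certificate issued by it in "$1".
make_saml_certs() {
    outdir="$1"
    mkdir -p "$outdir"

    # 1. Root CA. This is the certificate that is later added to the
    #    certificate profile referenced by the SAML authentication profile.
    cat > "$outdir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = pantac-lab-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$outdir/ca.cnf" \
        -keyout "$outdir/pantac-lab-ca.key" -out "$outdir/pantac-lab-ca.crt" 2>/dev/null

    # 2. IdP signing certificate: key and CSR, signed by the root CA. Only the
    #    resulting certificate (never the key) is uploaded to the IdP and then
    #    reaches the firewall through the IdP's metadata XML.
    cat > "$outdir/idp.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = idp-signing.example.net
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$outdir/idp.cnf" \
        -keyout "$outdir/idp-signing.key" -out "$outdir/idp-signing.csr" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature\n' \
        > "$outdir/idp.ext"
    openssl x509 -req -sha256 -days 825 \
        -in "$outdir/idp-signing.csr" \
        -CA "$outdir/pantac-lab-ca.crt" -CAkey "$outdir/pantac-lab-ca.key" -CAcreateserial \
        -extfile "$outdir/idp.ext" \
        -out "$outdir/idp-signing.crt" 2>/dev/null
}

# The check the firewall performs with "Validate Identity Provider
# Certificate" enabled: the IdP signing certificate must chain to a CA in the
# certificate profile. Exit status 0 when the chain validates.
verify_chain() {
    openssl verify -CAfile "$1/pantac-lab-ca.crt" "$1/idp-signing.crt" >/dev/null 2>&1
}

# Print the issuer of the IdP signing certificate; it should name the root CA.
leaf_issuer() {
    openssl x509 -in "$1/idp-signing.crt" -noout -issuer
}

# Stand-alone demo in a temporary directory.
demo_dir=$(mktemp -d)
make_saml_certs "$demo_dir"
verify_chain "$demo_dir" && echo "chain OK: $(leaf_issuer "$demo_dir")"
rm -rf "$demo_dir"
```

After running it, pantac-lab-ca.crt is the file to import into the firewall's certificate profile and idp-signing.crt (with idp-signing.key) is what the IdP is configured to sign assertions with; once the IdP metadata has been re-downloaded and imported into the new SAML server profile, the firewall's validation corresponds to the `verify_chain` step above.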