PaloAlto PAN-OS firewall
Mak, Steve
makst at upenn.edu
Tue Feb 18 08:07:30 EST 2020
Liam,
We've successfully integrated a Palo Alto VPN with our Shibboleth IdP using SAML.
We also ran into that error in the PA admin console.
We determined that the PA admin console needed better documentation, but the end result was that the admin had to generate a new cert for authn REQUESTS.
It was not expecting the IdP cert in that step. The PA console makes it seem like you need to give it the IdP's cert at that step, but it was asking for the cert it will use to sign the requests. We found PA documentation that showed us how to generate a new cert in the admin console to use.
We originally thought that we needed to reissue our IdP cert which would have been a nightmare. Before we decided to bite that bullet, we re-read the documentation because that seemed like a drastic thing to do.
Hope you find what you're looking for.
- Steve
From: users <users-bounces at shibboleth.net> on behalf of Liam Hoekenga <liamr at umich.edu>
Reply-To: Shib Users <users at shibboleth.net>
Date: Monday, February 17, 2020 at 16:14
To: Shib Users <users at shibboleth.net>
Subject: PaloAlto PAN-OS firewall
I'm working with a department on our campus that is trying to bring up Palo Alto Security appliances (PA-3020 and PA-7080).
The GUI cannot import the Shibboleth IDP metadata (for whatever reason), so we're trying the manual configuration route. The latest error comes when they try to import the IDP's signing certificate:
"Only self-signed CA certificates can have identical subject and issue fields".
Has anyone here integrated with PAN-OS?
Liam