PaloAlto PAN-OS firewall

Mak, Steve makst at
Tue Feb 18 08:07:30 EST 2020


We've successfully integrated a Palo Alto VPN with our Shibboleth IdP using SAML.

We also ran into that error in the PA admin console.

We determined that the PA admin console needed better documentation, but the end result was that the admin had to generate a new cert for authn REQUESTS.

It was not expecting the IdP cert in that step.  The PA console makes it seem like you need to give it the IdP's cert at that step, but it was asking for the cert it will use to sign the requests.  We found PA documentation that showed us how to generate a new cert in the admin console to use.

We originally thought that we needed to reissue our IdP cert, which would have been a nightmare. Before we decided to bite that bullet, we re-read the documentation because that seemed like a drastic thing to do.

Hope you find what you're looking for.

- Steve

From: users <users-bounces at> on behalf of Liam Hoekenga <liamr at>
Reply-To: Shib Users <users at>
Date: Monday, February 17, 2020 at 16:14
To: Shib Users <users at>
Subject: PaloAlto PAN-OS firewall

I'm working with a department on our campus that is trying to bring up Palo Alto Security appliances (PA-3020 and PA-7080).

The GUI cannot import the Shibboleth IDP metadata (for whatever reason), so we're trying the manual configuration route.  The latest error comes when they try to import the IDP's signing certificate:

"Only self-signed CA certificates can have identical subject and issue fields".

Has anyone here integrated with PAN-OS?
