PaloAlto PAN-OS firewall
Liam Hoekenga
liamr at umich.edu
Tue Feb 18 10:43:01 EST 2020
Hi Steve -
Were you able to import the IDP's metadata into the PA console? Our user
had issues doing that (it complained it couldn't find an IDPSSODDescriptor
element), so we resorted to trying to configure the IDP manually.
Liam
On Tue, Feb 18, 2020 at 7:08 AM Mak, Steve <makst at upenn.edu> wrote:
> Liam,
>
> We've successfully integrated a Palo Alto VPN with our Shibboleth IdP
> using SAML.
>
> We also ran into that error in the PA admin console.
>
> We determined that the PA admin console needed better documentation, but
> the end result was that the admin had to generate a new cert for authn
> REQUESTS.
>
> It was not expecting the IdP cert in that step. The PA console makes it
> seem like you need to give it the IdP's cert at that step, but it was
> asking for the cert it will use to sign the requests. We found PA
> documentation that showed us how to generate a new cert in the admin
> console to use.
>
> We originally thought that we needed to reissue our IdP cert which would
> have been a nightmare. Before we decided to bite that bullet, we re-read
> the documentation because that seemed like a drastic thing to do.
>
> Hope you find what you're looking for.
>
> - Steve
>
> From: users <users-bounces at shibboleth.net> on behalf of Liam Hoekenga <liamr at umich.edu>
> Reply-To: Shib Users <users at shibboleth.net>
> Date: Monday, February 17, 2020 at 16:14
> To: Shib Users <users at shibboleth.net>
> Subject: PaloAlto PAN-OS firewall
>
> I'm working with a department on our campus that is trying to bring up
> Palo Alto Security appliances (PA-3020 and PA-7080).
>
> The GUI cannot import the Shibboleth IDP metadata (for whatever reason),
> so we're trying the manual configuration route. The latest error comes
> when they try to import the IDP's signing certificate:
>
> "Only self-signed CA certificates can have identical subject and issue
> fields".
>
> Has anyone here integrated with PAN-OS?
>
> Liam