PaloAlto PAN-OS firewall

Mak, Steve makst at
Tue Feb 18 10:53:29 EST 2020

I don't really recall since it was several months ago, but it wouldn't surprise me if he had to manually enter the IdP details into the PA admin console.

From: users <users-bounces at> on behalf of Liam Hoekenga <liamr at>
Reply-To: Shib Users <users at>
Date: Tuesday, February 18, 2020 at 10:43
To: Shib Users <users at>
Subject: Re: PaloAlto PAN-OS firewall

Hi Steve -

Were you able to import the IDP's metadata into the PA console?  Our user had issues doing that (it complained it couldn't find an IDPSSODescriptor element), so we resorted to trying to configure the IDP manually.


On Tue, Feb 18, 2020 at 7:08 AM Mak, Steve <makst at> wrote:

We've successfully integrated a Palo Alto VPN with our Shibboleth IdP using SAML.

We also ran into that error in the PA admin console.

We determined that the PA admin console needed better documentation, but the end result was that the admin had to generate a new cert for authn REQUESTS.

It was not expecting the IdP cert in that step.  The PA console makes it seem like you need to give it the IdP's cert at that step, but it was asking for the cert it will use to sign the requests.  We found PA documentation that showed us how to generate a new cert in the admin console to use.

We originally thought that we needed to reissue our IdP cert which would have been a nightmare.  Before we decided to bite that bullet, we re-read the documentation because that seemed like a drastic thing to do.

Hope you find what you're looking for.

- Steve

From: users <users-bounces at> on behalf of Liam Hoekenga <liamr at>
Reply-To: Shib Users <users at>
Date: Monday, February 17, 2020 at 16:14
To: Shib Users <users at>
Subject: PaloAlto PAN-OS firewall

I'm working with a department on our campus that is trying to bring up Palo Alto Security appliances (PA-3020 and PA-7080).

The GUI cannot import the Shibboleth IDP metadata (for whatever reason), so we're trying the manual configuration route.  The latest error comes when they try to import the IDP's signing certificate:

"Only self-signed CA certificates can have identical subject and issue fields".

Has anyone here integrated with PAN-OS?
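Before falling back to manual configuration, it helps to confirm that the file being uploaded really is IdP metadata and to pull out the values the manual route needs (entityID, signing certificate, SSO endpoints). The following is an added example, not code from this thread or from Palo Alto; the sample metadata, entityID, endpoints and certificate body are constructed placeholders, and `inspect_idp_metadata` is a hypothetical helper name.

```python
import textwrap
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}

# Constructed sample IdP metadata; entityID, endpoints and certificate text are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBPLACEHOLDERCERTIFICATEBODY
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def inspect_idp_metadata(xml_text: str) -> dict:
    """Return entityID, signing certs (as PEM) and SSO endpoints, or an error."""
    root = ET.fromstring(xml_text)
    # An EntitiesDescriptor aggregate wraps EntityDescriptor elements; look one
    # level down so either form is handled.
    entity = root if root.tag == f"{{{MD_NS}}}EntityDescriptor" else root.find("md:EntityDescriptor", NS)
    if entity is None:
        return {"error": "no EntityDescriptor found"}
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"error": "no IDPSSODescriptor element: this is not IdP metadata"}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            body = "".join(c.text.split())  # strip the whitespace the metadata wraps it in
            certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64)) + "\n-----END CERTIFICATE-----")
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entityID": entity.get("entityID"), "signing_certs": certs, "sso": sso}
```

The PEM strings it returns are what you would paste into the appliance as the IdP's signing certificate; the certificate the PA console asks for at the AuthnRequest step is a separate, locally generated one, as Steve describes above.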
