Globalprotect and Shibboleth

Steven Teixeira steixeira at
Thu Jun 9 16:04:33 UTC 2022

So first off, get ready for some pain and suffering when it comes to PAN.  I don’t intend to scare you, and it’s totally something that can be implemented, but PAN makes things pretty difficult.

You’re getting that error because PAN requires that the “Subject Type=CA” basic restraint be included in the self-signed certificate.  Shibboleth doesn’t generate a self-signed certificate at install time with this constraint.  So you have to generate a certificate yourself with this constraint.  So you have a few options:

  1.  Generate a new self-signed certificate with that constraint outside of Shibboleth (like with openssl), and replace your existing certificate.  This is obviously very, very painful as you’ll have to deal with key rotations and notifying a lot of parties.  I don’t recommend this, but it’s an option.
  2.  Generate a new self-signed certificate with that constraint outside of Shibboleth (like with openssl), using that same key so at least your key is the same.  However, some SPs don’t do what they should and incorrectly look at the certificate instead of just the key it contains, so they’ll not like that you changed the certificate, even though it’s the same key.  So you’ll still have to notify and brace yourself for some fallout.
  3.  Generate a new self-signed certificate with that constraint outside of Shibboleth (like with openssl), and wire up your IdP to only use that certificate for PAN and no one else (or potentially for others that have this silly requirement, but I haven’t seen another yet).  How to do this should be documented somewhere, and I fortunately didn’t have to do this myself, so I’m not of much help there.  This option is more work for you, but is probably your best option since you don’t really have to worry about problems with existing SPs.

Sorry to be the bearer of bad news.  Also, you should be aware if you haven’t read it on this list already that currently, any Global Protect client above 5.2.8 has a bug if you’re choosing to use the provided/embedded browser where hitting the Enter key after providing credentials on your IdP’s login page will result in an error.  Clicking the “submit” button instead of using the Enter key is a (dumb) workaround.  I haven’t been following the issue closely, but I hear that PAN hasn’t been responsive to that issue either and they’re the ones who broke it in the first place.

Steven Teixeira

From: users <users-bounces at> On Behalf Of Steve Herrera via users
Sent: Thursday, June 9, 2022 8:07 AM
To: Shib Users <users at>
Cc: Steve Herrera <sherrera at>
Subject: Globalprotect and Shibboleth


We use Palo Alto firewalls here and the Globalprotect client as the method for our users to VPN into campus. We are trying to get Globalprotect to use SAML. The first hurdle we are running into is uploading the Shibboleth self-signed certificate into the Palo Alto certificate profile. The error we get is:

Import failed. Only self signed CA certificates can have identical subject and issuer fields.

I have seen others posting about using Globalprotect and shibboleth on here. My question is, are you using the shibboleth self-signed certificate and were you able to import that into the Palo Alto? Or are you using a different certificate?  I have a ticket open with Palo but they have not been responsive.
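
Options 2 and 3 in the reply above, sketched as an added example that is not part of the original thread: reissue a self-signed certificate over the existing key with the CA basic constraint set, then confirm that the public key is unchanged while the certificate itself is not. The file names and `idp.example.edu` are placeholders, and the first certificate is a constructed stand-in for the IdP's current one.

```shell
#!/usr/bin/env bash
# Added example. File names and the CN are placeholders, not values from the thread.

# selfsign KEY OUT CN [BASIC_CONSTRAINTS]: self-signed cert over an existing key.
# A private config is used so the system openssl.cnf cannot add extensions.
selfsign() {
  local cfg; cfg=$(mktemp)
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n'
    printf '[dn]\nCN = %s\n[ext]\nsubjectKeyIdentifier = hash\n' "$3"
    printf '%s\n' "${4:+basicConstraints = $4}"
  } > "$cfg"
  openssl req -new -x509 -sha256 -days 3650 -config "$cfg" -key "$1" -out "$2"
  local rc=$?; rm -f "$cfg"; return "$rc"
}

# Succeeds when both certs wrap the same public key (what a correct SP relies on).
same_pubkey() {
  local a b
  a=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  b=$(openssl x509 -in "$2" -noout -pubkey) || return 2
  [ "$a" = "$b" ]
}

# Succeeds when the cert carries the CA basic constraint the reply says PAN requires.
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

demo() {
  local d; d=$(mktemp -d)
  openssl genrsa -out "$d/idp.key" 2048 2>/dev/null
  # Constructed stand-in for the IdP's existing cert: no basicConstraints extension.
  selfsign "$d/idp.key" "$d/idp-old.crt" idp.example.edu
  # Certificate for the PAN profile: same key, CA constraint present.
  selfsign "$d/idp.key" "$d/idp-pan.crt" idp.example.edu 'critical,CA:TRUE'
  local before=no after=no key=no fp=different
  is_ca_cert "$d/idp-old.crt" && before=yes
  is_ca_cert "$d/idp-pan.crt" && after=yes
  same_pubkey "$d/idp-old.crt" "$d/idp-pan.crt" && key=yes
  [ "$(fingerprint "$d/idp-old.crt")" = "$(fingerprint "$d/idp-pan.crt")" ] && fp=same
  rm -rf "$d"
  echo "ca_before=$before ca_after=$after same_key=$key fingerprint=$fp"
}

demo
```

The differing fingerprint is why option 2 still needs notification: an SP that pins the whole certificate rather than the key sees a new certificate even though the key is unchanged.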

