Globalprotect and Shibboleth

Steve Herrera sherrera at
Thu Jun 9 16:19:11 UTC 2022

Thank you for that response and for including the options. We also thought
of options 1 and 2 and knew it would be painful. We also use openssl a lot.
We actually built our own CA for campus usage with openssl and pushed out
the root certificate with GPO so clients machines trust the certificate.
This is only used for internal use.  I did not know about option 3. That
will be something I will be looking into. I had heard about the Global
Protect client issue with 5.2.8 on this forum. So I will definitely have to
let our service desk know. Hopefully PA gets it figured out soon.

Thank you

Steve Herrera
Information Security
Bradley University
Phone: 309 / 677-2336
FAX: 309 / 677-3460
Email:  *sherrera at <sherrera at>*

On Thu, Jun 9, 2022 at 11:05 AM Steven Teixeira <steixeira at>

> So first off, get ready for some pain and suffering when it comes to PAN.
> I don’t intend to scare you, and it’s totally something that can be
> implemented, but PAN makes things pretty difficult.
> You’re getting that error because PAN requires that the “Subject Type=CA”
> basic restraint be included in the self-signed certificate.  Shibboleth
> doesn’t generate a self-signed certificate at install time with this
> constraint.  So you have to generate a certificate yourself with this
> constraint.  So you have a few options:
>    1. Generate a new self-signed certificate with that constraint outside
>    of Shibboleth(like with openssl), and replace your existing certificate.
>    This is obviously very, very painful as you’ll have to deal with key
>    rotations and notifying a lot of parties.  I don’t recommend this, but it’s
>    an option.
>    2. Generate a new self-signed certificate with that constraint outside
>    of Shibboleth(like with openssl), using that same key so at least your key
>    is the same.  However, some SPs don’t do what they should and incorrectly
>    look at the certificate instead of the just key it contains, so they’ll not
>    like that you changed the certificate, even though it’s the same key.  So
>    you’ll still have to notify and brace yourself for some fallout.
>    3. Generate a new self-signed certificate with that constraint outside
>    of Shibboleth(like with openssl), and wire up your IdP to only use that
>    certificate for PAN and no one else(or potentially for others than have
>    this silly requirement, but I haven’t seen another yet).  How to do this
>    should be documented somewhere, and I fortunately didn’t have to do this
>    myself, so I’m not of much help there.  This option is more work for you,
>    but is probably your best option since you don’t really have to worry about
>    problems with existing SPs.
> Sorry to be the bearer of bad news.  Also, you should be aware if you
> haven’t read it on this list already that currently, any Global Protect
> client above 5.2.8 has a bug if you’re choosing to use the
> provided/embedded browser where hitting the Enter key after providing
> credentials on your IdP’s login page will result in an error.  Clicking the
> “submit” button instead of using the Enter key is a (dumb) workaround.  I
> haven’t been following the issue closely, but I hear that PAN hasn’t been
> responsive to that issue either and they’re the ones who broke it in the
> first place.
> Steven Teixeira
> *From:* users <users-bounces at> *On Behalf Of *Steve Herrera
> via users
> *Sent:* Thursday, June 9, 2022 8:07 AM
> *To:* Shib Users <users at>
> *Cc:* Steve Herrera <sherrera at>
> *Subject:* Globalprotect and Shibboleth
> *CAUTION: *This message originated from outside of Stanislaus State. Do
> not click on links or open attachments unless you recognize the sender and
> are expecting the message.
> We use Palo Alto firewalls here and the Globalprotect client as the method
> for our users to VPN into campus. We are trying to get Globalprotect to use
> SAML. The first hurdle we are running into is uploading the Shibboleth
> self-signed certificate into the Palo Alto certificate profile. The error
> we get is:
> Import failed. Only self signed CA certificates can have identical subject
> and issuer fields.
> I have seen others posting about using Globalprotect and shibboleth on
> here. My question is, are you using the shibboleth self-signed certificate
> and were you able to import that into the Palo Alto? Or are you using a
> different certificate?  I have a ticket open with Palo but they have not
> been responsive.
> Thanks
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list