Ex: RE: Globalprotect and Shibboleth

Paul B. Henson henson at cpp.edu
Thu Jun 9 18:49:20 UTC 2022

> From: Steven Teixeira
> Sent: Thursday, June 9, 2022 9:05 AM
> So first off, get ready for some pain and suffering when it comes to PAN.

Ah, the joy of PAN; not VPN related, but I always love it when it misclassifies something as a "threat" and things mysteriously stop working because some of their packets get quietly dropped on the floor and not delivered <sigh>.

> You’re getting that error because PAN requires that the “Subject Type=CA”
> basic restraint be included in the self-signed certificate.  Shibboleth doesn’t
> generate a self-signed certificate at install time with this constraint.

We are using SAML auth for our PAN VPN, and I don't recall having to do that. It was an annoying process going back and forth with the network guy setting it up, but in the end it accepted our usual metadata including the default self-signed certificate the IDP generated once upon a time when I originally installed it.

It's been a while, but I remember vaguely they had to configure it differently than they initially tried. But we definitely did not have to do anything weird on the Shibboleth side with the certificate. I wouldn't have done that, PAN would have had to fix their crap or we wouldn't have done SAML.

I could ask our network guy how he configured it if you want, but his recollection is probably going to be about as vague as mine 8--/. I'll poke him and see.

Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  henson at cpp.edu
California State Polytechnic University  |  Pomona CA 91768
