Ex: RE: Globalprotect and Shibboleth

db@alaska.edu dabantz at alaska.edu
Thu Jun 9 19:19:38 UTC 2022 

We’re using GP with SAML/ Shibb in users’ default browser. Like Paul’s experience, there were some sighs and groans from network engineers configuring the PA side, but I provided our normal IdP metadata and importing that did not seem an issue. I did have to remove the encryption key from the GP metadata to stop assertion encryption because GP could not decrypt assertions encrypted with the key they provided. I’d like to fix that, but it was deemed acceptable.

David.Bantz at Alaska.edu


> On Jun 9, 2022, at 10:53, Steve Herrera via users <users at shibboleth.net> wrote:
> 
> 
> Yes please. It looks as though others have run into the same issue I have and found alternative methods to get around it. If your network guy could let the rest of use know how he imported it, I think it would help a lot of people.
> 
> 
> 
>> On Thu, Jun 9, 2022 at 1:49 PM Paul B. Henson <henson at cpp.edu> wrote:
>> > From: Steven Teixeira
>> > Sent: Thursday, June 9, 2022 9:05 AM
>> > 
>> > So first off, get ready for some pain and suffering when it comes to PAN.
>> 
>> Ah, the joy of PAN; not VPN related, but I always love it when it misclassifies something as a "threat" and things mysteriously stop working because some of their packets get quietly dropped on the floor and not delivered <sigh>.
>> 
>> > You’re getting that error because PAN requires that the “Subject Type=CA”
>> > basic restraint be included in the self-signed certificate.  Shibboleth doesn’t
>> > generate a self-signed certificate at install time with this constraint.
>> 
>> We are using SAML auth for our PAN VPN, and I don't recall having to do that. It was an annoying process going back and forth with the network guy setting it up, but in the end it accepted our usual metadata including the default self signed certificate the IDP generated once upon a time when I originally installed it.
>> 
>> It's been a while, but I remember vaguely they had to configure it differently than they initially tried. But we definitely did not have to do anything weird on the shibboleth side with the certificate. I wouldn't of done that, PAN would have had to fix their crap or we wouldn't have done SAML.
>> 
>> I could ask our network guy how he configured it if you want, but his recollection is probably going to be about as vague as mine 8--/. I'll poke him and see.
>> 
>> 
>> --
>> Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
>> Operating Systems and Network Analyst  |  henson at cpp.edu
>> California State Polytechnic University  |  Pomona CA 91768
>> 
>> 
>> -- 
>> For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
>> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
> -- 
> For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20220609/c9cd80bf/attachment.htm>

More information about the users mailing list