Ex: RE: Globalprotect and Shibboleth

Steve Herrera sherrera at fsmail.bradley.edu
Thu Jun 9 19:57:51 UTC 2022


I just tried this and it worked. Instead of creating the different profiles
and uploading the certificate manually, the import under SAML Identity
providers automatically pulled it in and created the device certificate as
well.

Thank you.


On Thu, Jun 9, 2022 at 2:19 PM db--- via users <users at shibboleth.net> wrote:

> We’re using GP with SAML/Shibb in users’ default browser. Like Paul’s
> experience, there were some sighs and groans from network engineers
> configuring the PA side, but I provided our normal IdP metadata and
> importing that did not seem an issue. I did have to remove the encryption
> key from the GP metadata to stop assertion encryption because GP could not
> decrypt assertions encrypted with the key they provided. I’d like to fix
> that, but it was deemed acceptable.
>
> David.Bantz at Alaska.edu
>
>
> On Jun 9, 2022, at 10:53, Steve Herrera via users <users at shibboleth.net>
> wrote:
>
> 
> Yes please. It looks as though others have run into the same issue I have
> and found alternative methods to get around it. If your network guy could
> let the rest of us know how he imported it, I think it would help a lot of
> people.
>
>
>
> On Thu, Jun 9, 2022 at 1:49 PM Paul B. Henson <henson at cpp.edu> wrote:
>
>> > From: Steven Teixeira
>> > Sent: Thursday, June 9, 2022 9:05 AM
>> >
>> > So first off, get ready for some pain and suffering when it comes to
>> PAN.
>>
>> Ah, the joy of PAN; not VPN related, but I always love it when it
>> misclassifies something as a "threat" and things mysteriously stop working
>> because some of their packets get quietly dropped on the floor and not
>> delivered <sigh>.
>>
>> > You’re getting that error because PAN requires that the “Subject
>> Type=CA”
>> > basic constraint be included in the self-signed certificate. Shibboleth
>> doesn’t
>> > generate a self-signed certificate at install time with this constraint.
>>
>> We are using SAML auth for our PAN VPN, and I don't recall having to do
>> that. It was an annoying process going back and forth with the network guy
>> setting it up, but in the end it accepted our usual metadata including the
>> default self signed certificate the IDP generated once upon a time when I
>> originally installed it.
>>
>> It's been a while, but I remember vaguely they had to configure it
>> differently than they initially tried. But we definitely did not have to do
>> anything weird on the shibboleth side with the certificate. I wouldn't have
>> done that, PAN would have had to fix their crap or we wouldn't have done
>> SAML.
>>
>> I could ask our network guy how he configured it if you want, but his
>> recollection is probably going to be about as vague as mine 8--/. I'll poke
>> him and see.
>>
>>
>> --
>> Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
>> Operating Systems and Network Analyst  |  henson at cpp.edu
>> California State Polytechnic University  |  Pomona CA 91768
>>
>>
>> --
>> For Consortium Member technical support, see
>> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
>>
>
>
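David's fix above, removing the encryption key from the GlobalProtect metadata so the IdP stops encrypting assertions, can be done with a small script instead of hand-editing. The following is an added example and not code from the thread, from Shibboleth or from Palo Alto; the entityID, hostname and certificate bodies in the sample metadata are constructed placeholders. With no encryption KeyDescriptor in the relying party's metadata the IdP has no key to encrypt to, so the assertion goes out signed but in the clear, which is the effect David describes. The one edge case worth handling is a KeyDescriptor with no `use` attribute: per the SAML metadata spec it offers the key for both signing and encryption, so deleting it would also remove the SP's signing key.

```python
"""Strip the encryption key from an SP's SAML metadata before loading it into the IdP.

Added example, not from the thread. Sample metadata below is constructed; the
entityID, hostname and certificate bodies are placeholders.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed sample resembling an SP metadata export with separate signing and
# encryption keys. Nothing here is a real GlobalProtect value.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://vpn.example.edu:443/SAML20/SP">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example.edu:443/SAML20/SP/ACS"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample of the edge case: one KeyDescriptor with no "use" attribute,
# which the spec treats as usable for both signing and encryption.
SAMPLE_UNTYPED_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://vpn.example.edu:443/SAML20/SP">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-DUAL-USE-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def key_uses(metadata_xml: str) -> list[str | None]:
    """Return the "use" attribute of every KeyDescriptor, in document order."""
    root = ET.fromstring(metadata_xml)
    return [kd.get("use") for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor")]


def strip_encryption_keys(metadata_xml: str) -> tuple[str, list[str]]:
    """Remove every encryption key the SP advertises and report what changed.

    Untyped KeyDescriptors are restricted to use="signing" rather than deleted,
    so the SP's signing key (needed to verify its AuthnRequests) survives.
    """
    root = ET.fromstring(metadata_xml)
    changes: list[str] = []
    for role in list(root.iter(f"{{{NS['md']}}}SPSSODescriptor")):
        for kd in list(role.findall("md:KeyDescriptor", NS)):
            use = kd.get("use")
            if use == "encryption":
                role.remove(kd)
                changes.append("removed encryption KeyDescriptor")
            elif use is None:
                kd.set("use", "signing")
                for method in kd.findall("md:EncryptionMethod", NS):
                    kd.remove(method)
                changes.append("restricted untyped KeyDescriptor to signing")
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    cleaned, changes = strip_encryption_keys(SAMPLE_SP_METADATA)
    print("\n".join(changes))
    print(cleaned)
```

Feed the cleaned output to the IdP's metadata provider instead of the vendor export. Keep in mind that the assertion then passes through the user's browser unencrypted, so the SP's `WantAssertionsSigned` plus TLS on the ACS endpoint are what protect it. The same effect can also be had without touching the metadata by turning off `encryptAssertions` for that relying party in the IdP's relying-party configuration; the thread does not say which route was taken beyond the metadata edit.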
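Steven's explanation of the import error is that PAN wants the "Subject Type=CA" Basic Constraints in the IdP's self-signed certificate, while Paul and Steve had the default certificate accepted without it. Before reissuing anything, it is worth checking which case your own signing certificate is in. The following is an added example, not code from the thread, from Shibboleth or from Palo Alto; it assumes the third-party `cryptography` package is installed, and the `idp.example.edu` name and the certificate path in the usage comment are illustrative. The two generated certificates stand in for an IdP certificate with and without the CA flag.

```python
"""Check a PEM certificate for the Basic Constraints CA flag.

Added example, not from the thread. Requires the third-party "cryptography"
package. A CA:TRUE Basic Constraints extension is what Windows and PAN display
as "Subject Type=CA".
"""
import datetime
import sys

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def self_signed_cert(common_name: str, ca_flag: bool) -> bytes:
    """Build a throwaway self-signed certificate, with or without CA:TRUE (demo data only)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # issuer == subject: self-signed
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=3650))
    )
    if ca_flag:
        builder = builder.add_extension(
            x509.BasicConstraints(ca=True, path_length=None), critical=True
        )
    cert = builder.sign(key, hashes.SHA256())
    return cert.public_bytes(serialization.Encoding.PEM)


def inspect_cert(pem: bytes) -> dict:
    """Report the facts relevant to the PAN import: self-signed, Basic Constraints present, CA flag."""
    cert = x509.load_pem_x509_certificate(pem)
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints)
        present, ca = True, bc.value.ca
    except x509.ExtensionNotFound:
        present, ca = False, False
    return {
        "subject": cert.subject.rfc4514_string(),
        "self_signed": cert.subject == cert.issuer,
        "basic_constraints_present": present,
        "ca": ca,
    }


def has_ca_basic_constraint(pem: bytes) -> bool:
    """True only if the certificate carries Basic Constraints with CA:TRUE."""
    return inspect_cert(pem)["ca"]


if __name__ == "__main__":
    # Usage: python check_ca_flag.py /opt/shibboleth-idp/credentials/idp-signing.crt
    # (path is the IdP v4 default layout; adjust to your install).
    # With no argument, inspect two generated certificates instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_cert(fh.read()))
    else:
        for flag in (False, True):
            print(inspect_cert(self_signed_cert("idp.example.edu", ca_flag=flag)))
```

The openssl equivalent on the IdP host is `openssl x509 -in idp-signing.crt -noout -text | grep -A1 'Basic Constraints'`; no output means the extension is absent, which is the state the thread says the Shibboleth installer leaves you in. Whether that matters depends on how the PAN side is configured: the thread's resolution was to import the IdP metadata under SAML Identity Providers, which created the device certificate without any change to the IdP's certificate.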