Ex: RE: Globalprotect and Shibboleth
Max Spicer
max.spicer at york.ac.uk
Fri Jun 10 08:28:24 UTC 2022
We also use GlobalProtect and also did not need to do anything unusual with
our IdP metadata. Our certificate is self-signed and does not contain
Subject Type = CA.
The metadata that we have imported for GlobalProtect does not contain any
certificates so we cannot encrypt assertions with this relying party. We
have confirmed that GP does verify the signature on our SAML responses.
The integration was not straightforward to work out, but in the end did not
require any particularly unusual configurations. I found that the docs at
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-saml-authentication
provided a better explanation of some of GlobalProtect's constraints and
settings. These docs are not for GlobalProtect, but cover very similar
configuration steps and document some settings that are undocumented in the
equivalent GP guide.
A few excerpts from the above:
"Palo Alto Networks requires HTTPS to ensure the confidentiality of all
SAML transactions instead of alternative approaches such as encrypted SAML
assertions. To ensure the integrity of all messages processed in a SAML
transaction, Palo Alto Networks requires digital certificates to
cryptographically sign all messages."
It also clarifies: Validate Identity Provider Certificate as meaning "to
validate the chain of trust and optionally the revocation status of the IdP
certificate.
To enable this option, a Certificate Authority (CA) must issue your IdP’s
signing certificate. You must create a Certificate Profile that has the CA
that issued the IdP’s signing certificate. In the Authentication Profile,
select the SAML Server profile and Certificate Profile to validate the IdP
certificate.
If your IdP signing certificate is a self-signed certificate, there is no
chain of trust; as a result, you cannot enable this option. The firewall
always validates the signature of the SAML Responses or Assertions against
the Identity Provider certificate that you configure whether or not you
enable the Validate Identity Provider Certificate option."
Finally, it says "You can also use a certificate for the firewall to sign
SAML messages." and later on does not mark this as required.
I hope that helps,
Max Spicer
On Thu, 9 Jun 2022 at 20:58, Steve Herrera via users <users at shibboleth.net>
wrote:
> I just tried this and it worked. Instead of creating the different
> profiles and uploading the certificate manually, the import under SAML
> Identity providers automatically pulled it in and created the device
> certificate as well.
>
> Thank you.
>
>
> On Thu, Jun 9, 2022 at 2:19 PM db--- via users <users at shibboleth.net>
> wrote:
>
>> We’re using GP with SAML/ Shibb in users’ default browser. Like Paul’s
>> experience, there were some sighs and groans from network engineers
>> configuring the PA side, but I provided our normal IdP metadata and
>> importing that did not seem an issue. I did have to remove the encryption
>> key from the GP metadata to stop assertion encryption because GP could not
>> decrypt assertions encrypted with the key they provided. I’d like to fix
>> that, but it was deemed acceptable.
>>
>> David.Bantz at Alaska.edu
>>
>>
>> On Jun 9, 2022, at 10:53, Steve Herrera via users <users at shibboleth.net>
>> wrote:
>>
>>
>> Yes please. It looks as though others have run into the same issue I have
>> and found alternative methods to get around it. If your network guy could
>> let the rest of us know how he imported it, I think it would help a lot of
>> people.
>>
>>
>>
>> On Thu, Jun 9, 2022 at 1:49 PM Paul B. Henson <henson at cpp.edu> wrote:
>>
>>> > From: Steven Teixeira
>>> > Sent: Thursday, June 9, 2022 9:05 AM
>>> >
>>> > So first off, get ready for some pain and suffering when it comes to
>>> PAN.
>>>
>>> Ah, the joy of PAN; not VPN related, but I always love it when it
>>> misclassifies something as a "threat" and things mysteriously stop working
>>> because some of their packets get quietly dropped on the floor and not
>>> delivered <sigh>.
>>>
>>> > You’re getting that error because PAN requires that the “Subject
>>> Type=CA”
>>> > basic constraint be included in the self-signed certificate.
>>> Shibboleth doesn’t
>>> > generate a self-signed certificate at install time with this
>>> constraint.
>>>
>>> We are using SAML auth for our PAN VPN, and I don't recall having to do
>>> that. It was an annoying process going back and forth with the network guy
>>> setting it up, but in the end it accepted our usual metadata including the
>>> default self signed certificate the IDP generated once upon a time when I
>>> originally installed it.
>>>
>>> It's been a while, but I remember vaguely they had to configure it
>>> differently than they initially tried. But we definitely did not have to do
>>> anything weird on the shibboleth side with the certificate. I wouldn't have
>>> done that, PAN would have had to fix their crap or we wouldn't have done
>>> SAML.
>>>
>>> I could ask our network guy how he configured it if you want, but his
>>> recollection is probably going to be about as vague as mine 8--/. I'll poke
>>> him and see.
>>>
>>>
>>> --
>>> Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
>>> Operating Systems and Network Analyst | henson at cpp.edu
>>> California State Polytechnic University | Pomona CA 91768
>>>
>>>
>>> --
>>> For Consortium Member technical support, see
>>> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
>>> To unsubscribe from this list send an email to
>>> users-unsubscribe at shibboleth.net
>>>
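Two points in the thread above combine into one practical check: Max notes that GlobalProtect's own metadata carries no certificate, so the IdP cannot encrypt assertions for it, and David describes the workaround of removing the encryption key from the IdP metadata handed to the GP side so that encryption is not attempted at all. The following script, an added example that is not code from the thread, from Shibboleth or from Palo Alto Networks, does that rewrite with the Python standard library and refuses to produce metadata that would leave the SP with no signing key. The entityID, endpoint and certificate placeholders in the sample are constructed values.

```python
"""Strip the encryption key from a copy of Shibboleth IdP metadata.

Added example for this thread, not code from Shibboleth, Palo Alto Networks
or any poster. It implements the workaround described above (handing the
GlobalProtect portal a copy of the IdP metadata without an encryption key so
the IdP will not encrypt assertions for that relying party) using only the
Python standard library. The entityID, endpoints and certificate text in the
sample are constructed placeholders.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

MD_KEYDESC = f"{{{NS['md']}}}KeyDescriptor"
MD_IDPSSO = f"{{{NS['md']}}}IDPSSODescriptor"

# Constructed sample: one key published for signing, one for encryption and
# one with no 'use' attribute (which SAML metadata treats as usable for
# both). Certificate bodies are placeholders, not real base64.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-DUAL-USE-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def key_uses(metadata_xml):
    """Return the 'use' values of the IdP role's KeyDescriptors, in document
    order, with 'both' standing in for a missing attribute."""
    root = ET.fromstring(metadata_xml)
    uses = []
    for role in root.iter(MD_IDPSSO):
        for kd in role.findall(MD_KEYDESC):
            uses.append(kd.get("use") or "both")
    return uses


def strip_encryption_keys(metadata_xml):
    """Return (rewritten XML, counts). Keys marked use="encryption" are
    dropped; keys with no 'use' are narrowed to use="signing" rather than
    removed, so the SP still has a key to verify response signatures with."""
    root = ET.fromstring(metadata_xml)
    counts = {"removed": 0, "narrowed": 0, "kept": 0}
    for role in root.iter(MD_IDPSSO):
        for kd in list(role.findall(MD_KEYDESC)):
            use = kd.get("use")
            if use == "encryption":
                role.remove(kd)
                counts["removed"] += 1
            elif use is None:
                kd.set("use", "signing")
                counts["narrowed"] += 1
            else:
                counts["kept"] += 1
    if counts["narrowed"] + counts["kept"] == 0:
        # Without a signing key the SP could not verify SAML responses at all,
        # which is worse than the encryption problem being worked around.
        raise ValueError("metadata would contain no signing key")
    return ET.tostring(root, encoding="unicode"), counts


if __name__ == "__main__":
    # Usage: python strip_enc_key.py idp-metadata.xml > gp-idp-metadata.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            src = fh.read()
    else:
        src = SAMPLE_METADATA
    rewritten, counts = strip_encryption_keys(src)
    sys.stderr.write(f"before: {key_uses(src)}  after: {key_uses(rewritten)}  {counts}\n")
    sys.stdout.write(rewritten + "\n")
```

The detail worth keeping in mind is the KeyDescriptor with no `use` attribute: a default Shibboleth IdP installation publishes its keys with explicit uses, but metadata that advertises a single dual-use key would, if that element were simply deleted, leave GlobalProtect with nothing to verify signatures against, and PAN-OS always verifies the response signature against the configured IdP certificate. Narrowing it to `use="signing"` keeps signature verification working while still stopping encryption. The edited copy is only for the GP import; the IdP's published metadata and any signed aggregate it appears in stay untouched.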