SAML and Palo Alto Networks Admin UI? Skip to main content
https://support.okta.com/help/answers?id=9062a000000xzr6qag&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
James BrischJames Brisch 

SAML and Palo Alto Networks Admin UI?

I've been attempting to configure SAML authentication via Okta to my Palo Alto Networks firewall AdminUI.  After authentication, the PA provides me with:

SSO Response Status
Status: N/A
Message: Empty SSO relaystate

I've tried configuring the relay state in Okta based upon information from several forum posts, online documentation about the relaystate parameter, and a "relaystate" generator.  I've used everything from a single letter, to the PA URL, to a URL encoded version of the PA dashboard.  Thoughts?

Best Answer chosen by James Brisch
James BrischJames Brisch
Further research has provided the knowledge that Palo Alto does not support IdP initiated sign on.

All Answers

James BrischJames Brisch
Further testing has shown that SP initiated login works flawlessly.
James BrischJames Brisch
Further research has provided the knowledge that Palo Alto does not support IdP initiated sign on.
This was selected as the best answer
Av ShchAv Shch
I have the same issue with Palo Alto Panorama Server. The error message is the same as mine and points to the relay state on SP side (PaloAlto). Palo Alto has to reachout to their development team to provide the value for "Default Relay State". My case number with Palo Alto support is 00933067. The version on Panorama is 8.1.2 which the latest as of 7/20/2018. I will update this post as soon as I hear anything from Palo Alto Support.