Palo Alto Networks (PAN) has discovered a security issue with their firewalls, as detailed here: CVE-2020-2021. While this is not a vulnerability on the Okta side, PAN now requires that the certificate used to sign the Security Assertion Markup Language (SAML) assertion be validated against a Certificate Authority (CA). To meet this requirement, the self-signed IdP certificate in Okta's Palo Alto Networks applications (for example, GlobalProtect) must be replaced with a CA-signed certificate.
- Palo Alto Networks (PAN)
- Certificate Authority (CA)
- Security Assertion Markup Language (SAML)
- Applications
- Okta Classic Engine
Please follow the steps detailed at the following Palo Alto link to create a CA-signed certificate: Steps to configure CA-issued certificate and enable Validate Identity Provider Certificate on PAN-OS.
NOTE: Okta has created a script that performs the steps outlined in the above link. The script can be found on this GitHub page. Please note that the CSR still needs to be signed by a certificate authority; the script cannot automate this operation.
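As an added example (this is neither Okta's script nor PAN's procedure), the following Python check, using the `cryptography` library, reads the signing certificate out of an Okta IdP metadata document and reports whether it is still the self-signed default or verifies under the CA certificate you intend to import into PAN-OS; the metadata document, CA and certificates it builds are constructed test data, and the function names are this example's own.

```python
import base64, datetime
import xml.etree.ElementTree as ET
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_certs(metadata_xml):
    """Every signing cert in the IdP metadata (a KeyDescriptor with no 'use' covers signing too)."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            for node in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join(node.text.split()))
                certs.append(x509.load_der_x509_certificate(der))
    return certs

def signed_by(cert, issuer):
    """True if cert's issuer name is issuer's subject and issuer's RSA key verifies cert's signature."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:  # InvalidSignature, or a non-RSA key
        return False

def classify(metadata_xml, ca_cert=None):
    """Per signing cert: 'self-signed' (what PAN-OS rejects), 'ca-issued' (verifies under ca_cert), or 'unknown'."""
    return ["self-signed" if signed_by(c, c)
            else "ca-issued" if ca_cert is not None and signed_by(c, ca_cert) else "unknown"
            for c in signing_certs(metadata_xml)]

def make_cert(cn, issuer=None):
    """Constructed test cert and its key: self-signed when issuer is None, else signed by issuer=(cert, key)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).public_key(key.public_key())
         .serial_number(x509.random_serial_number()).not_valid_before(now)
         .not_valid_after(now + datetime.timedelta(days=365)))
    signer_name, signer_key = (name, key) if issuer is None else (issuer[0].subject, issuer[1])
    return b.issuer_name(signer_name).sign(signer_key, hashes.SHA256()), key

def metadata_for(cert):
    """Wrap a cert in a minimal Okta-style IdP metadata document (constructed sample)."""
    b64 = base64.b64encode(cert.public_bytes(serialization.Encoding.DER)).decode()
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}">'
            '<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            '</md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>')
```

After uploading the CA-signed certificate to the Okta application, run `classify()` on the app's downloaded IdP metadata together with your CA's certificate: a result of "self-signed" means the swap has not taken effect, and "unknown" means the published certificate is not the one your CA signed.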
