Okta Classic Engine | Okta Integration Network | Answered | 2017-06-12T19:12:19Z | 2019-12-19T06:15:55Z | 2024-08-11T09:04:05Z
SAML and Palo Alto Networks Admin UI?

I've been attempting to configure SAML authentication via Okta to my Palo Alto Networks firewall Admin UI. After authentication, the PA provides me with:

SSO Response Status
Status: N/A
Message: Empty SSO relaystate

I've tried configuring the relay state in Okta based upon information from several forum posts, online documentation about the RelayState parameter, and a "RelayState" generator. I've used everything from a single letter, to the PA URL, to a URL-encoded version of the PA dashboard. Thoughts?


  • j5v7c (j5v7c)

    Further research has provided the knowledge that Palo Alto does not support IdP initiated sign on.
    Selected as Best
  • j5v7c (j5v7c)

    Further testing has shown that SP initiated login works flawlessly.
  • kbazp (kbazp)

    I have the same issue with Palo Alto Panorama Server. The error message is the same as mine and points to the relay state on the SP side (Palo Alto). Palo Alto has to reach out to their development team to provide the value for "Default Relay State". My case number with Palo Alto support is 00933067. The version on Panorama is 8.1.2, which is the latest as of 7/20/2018. I will update this post as soon as I hear anything from Palo Alto Support.
  • kbazp (kbazp)

    It seems Palo Alto's implementation of SSO is geared towards user identification to the IdP, hence the lack of IdP-initiated authentication flows for admin access to the devices.

    The explanation from Palo Alto is as follows:

    "IdP initiated flows are not supported. Our implementation of SAML auth relies on Relay State which is a token generated by the SP (PA) at run-time and sent to the IdP (Okta) which is echoed back by the IdP in its response message.

    If you try to initiate the auth request from IdP this relay state identifier would be missing and the authentication would fail."

    Currently there is an FR ID: 7413 filed with Palo Alto to support IdP-initiated authentication flows.

    You can upvote this feature request with Oliver Stockhammer from Palo Alto, ostockhamm@paloaltonetworks.com
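The following is an added example, not code from this thread and not Palo Alto's or Okta's implementation. It models the SP-initiated RelayState handling Palo Alto describes above: the SP mints a RelayState token at run time, the IdP echoes it back unchanged, and the SP accepts a response only if it carries a token the SP itself issued. It also shows why the workarounds tried in the question (putting a single letter or a URL into Okta's Default RelayState) cannot satisfy such an SP, and why an IdP-initiated response, which carries no token at all, is rejected. The class and function names, the ACS URL, the 300-second TTL and the dict-shaped "messages" standing in for SAML XML are all assumptions; no assertion or signature validation is modelled.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Assumed lifetime of an outstanding login attempt; Palo Alto's real value is not on this page.
RELAY_STATE_TTL_SECONDS = 300

ACS = "https://firewall.example.com/SAML20/SP/ACS"  # assumed ACS URL, not a real device


@dataclass
class ServiceProvider:
    """Stand-in for the firewall/Panorama admin UI acting as the SAML SP."""
    acs_url: str
    # RelayState token -> (issued_at, path to land on after login)
    pending: dict = field(default_factory=dict)

    def start_login(self, target_path: str = "/", now: Optional[float] = None) -> dict:
        """SP-initiated step: mint a fresh, unguessable RelayState, remember it,
        and hand it to the IdP alongside the AuthnRequest."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.pending[token] = (now, target_path)
        return {"AuthnRequest": f"AuthnRequest(acs={self.acs_url})", "RelayState": token}

    def consume_response(self, response: dict, now: Optional[float] = None) -> dict:
        """ACS step: accept the IdP response only if it echoes a RelayState this SP
        issued, exactly once, within the TTL. Signature/assertion checks are out of scope."""
        now = time.time() if now is None else now
        token = response.get("RelayState") or ""
        if not token:
            # IdP-initiated case: nothing was ever issued, so nothing can be echoed back.
            return {"status": "N/A", "message": "Empty SSO relaystate"}
        entry = self.pending.pop(token, None)  # pop: a token is good for one response only
        if entry is None:
            # A static value configured at the IdP was never issued by this SP.
            return {"status": "failed", "message": "Unknown SSO relaystate"}
        issued_at, target = entry
        if now - issued_at > RELAY_STATE_TTL_SECONDS:
            return {"status": "failed", "message": "Expired SSO relaystate"}
        return {"status": "ok", "user": response["NameID"], "redirect": target}


def idp_respond(request: Optional[dict], name_id: str, default_relay_state: str = "") -> dict:
    """Stand-in IdP. SP-initiated: echo the RelayState from the AuthnRequest unchanged.
    IdP-initiated: there is no AuthnRequest, so only a statically configured
    'Default RelayState' (if any) can be sent."""
    relay_state = request["RelayState"] if request is not None else default_relay_state
    return {"NameID": name_id, "RelayState": relay_state}


def sp_initiated_login(name_id: str = "admin@example.com") -> dict:
    """Admin browses to the firewall first; the SP mints the RelayState."""
    sp = ServiceProvider(ACS)
    req = sp.start_login("/dashboard")
    return sp.consume_response(idp_respond(req, name_id))


def idp_initiated_login(name_id: str = "admin@example.com", default_relay_state: str = "") -> dict:
    """Admin clicks the app tile at the IdP; no AuthnRequest was ever made."""
    sp = ServiceProvider(ACS)
    return sp.consume_response(idp_respond(None, name_id, default_relay_state))


def replayed_response(name_id: str = "admin@example.com") -> Tuple[dict, dict]:
    """The same response delivered twice: the second delivery finds no pending token."""
    sp = ServiceProvider(ACS)
    resp = idp_respond(sp.start_login("/"), name_id)
    return sp.consume_response(resp), sp.consume_response(resp)


def expired_response(name_id: str = "admin@example.com") -> dict:
    """A response that arrives after the token's TTL is rejected even though it is genuine."""
    sp = ServiceProvider(ACS)
    req = sp.start_login("/", now=1000.0)
    return sp.consume_response(idp_respond(req, name_id), now=1000.0 + RELAY_STATE_TTL_SECONDS + 1)


if __name__ == "__main__":
    print("SP-initiated            :", sp_initiated_login())
    print("IdP-initiated, no value :", idp_initiated_login())
    print("IdP-initiated, value 'a':", idp_initiated_login(default_relay_state="a"))
    print("Replayed response       :", replayed_response()[1])
    print("Expired response        :", expired_response())
```

The design choice that matters for admins is the `pop`: because the token is consumed on first use and bound to the login that created it, an intercepted or replayed response is useless on its own, and a value typed into the IdP's Default RelayState field can never match one the SP minted. That is the property Palo Alto's explanation is describing, and it is why the fix is to start every login at the device (SP-initiated), as the thread concludes.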
  • jpuan (jpuan)

    Thanks for the explanation, Aleskey. I ran into this same issue today. I don't mind the lack of support because my administrators should know where Panorama is and therefore only begin SAML SSO requests from Panorama and not initiate them from the IdP (Okta dashboard) side.

  • kbazp (kbazp)

    @Michael Melone I was hoping for a more seamless SSO experience for Palo Alto admins.

    I was recently checking with Palo Alto on the status of FR ID: 7413 and they have not put it on the roadmap yet. It seems they would rather rely on legacy authentication protocols like RADIUS for admin authentication.

  • RonO.17601 (Customer)

    Hi,

    I have a question, please. Maybe it's a stupid question, but I'm trying to understand...

    Must the user be created in Okta and also in Palo Alto Panorama?

    What I did: I set up SAML auth between Okta and Palo Alto Panorama, and it works only if I also create the user in Panorama.

    I'm trying to log in to Panorama based on role. Is that feature supported? Or must the user also be created in Palo Alto Panorama?

    Thanks,
    Ron.
This question is closed.