SAML Authentication Flow Reference
saml authentication azure paloalto
Overview
SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP).
The Step-by-Step Authentication Flow
Here is how the certificate is used during the GlobalProtect login process:
-
User Connects: A user initiates a GlobalProtect connection. The firewall (acting as the Service Provider, or SP) redirects the user to Azure AD (the Identity Provider, or IdP) for authentication.
-
User Authenticates: The user signs in with their credentials on the Microsoft login page.
-
Azure AD Creates a Response: Azure generates a SAML “assertion,” which is an XML message containing information like the user’s identity.
-
Azure AD Signs the Response: Azure uses its private key to digitally sign this SAML assertion. This is like putting a tamper-proof seal on an envelope.
-
Firewall Receives the Response: The user’s browser sends the signed SAML assertion back to the Palo Alto Networks firewall.
-
Firewall Verifies the Signature: The firewall now looks at the certificate you selected in the Identity Provider Certificate field. It uses this public certificate to check the signature on the assertion.
- If the signature is valid, the firewall trusts the assertion, completes the login, and builds the VPN tunnel.
- If the signature is invalid, the firewall rejects the login attempt, protecting you from a potential man-in-the-middle attack or a forged response.
Key Components
| Component | Description |
|---|---|
| Service Provider (SP) | The application/service the user wants to access (e.g., Palo Alto firewall) |
| Identity Provider (IdP) | The system that authenticates users (e.g., Azure AD, Okta) |
| SAML Assertion | XML document containing user identity and attributes |
| Metadata | XML describing SP/IdP configuration (endpoints, certificates) |
Azure AD Configuration
Azure Side (IdP)
- Enterprise Applications → New Application → Create your own
- Set up Single Sign-On → SAML
- Configure:
- Identifier (Entity ID): Unique identifier for the SP
- Reply URL (ACS URL): Where Azure sends the SAML response
- Sign on URL: Where users go to initiate login
- Download Federation Metadata XML or Certificate (Base64)
Palo Alto Side (SP)
- Device → Server Profiles → SAML Identity Provider
- Import IdP metadata or manually configure:
- IdP Entity ID: From Azure
- IdP Certificate: Download from Azure (for signature verification)
- IdP SSO URL: Azure login endpoint
- Authentication → Authentication Profile → Use SAML IdP profile
- GlobalProtect → Portal/Gateway → Use authentication profile
Troubleshooting
Common Issues
| Issue | Possible Cause | Solution |
|---|---|---|
| Signature validation failed | Wrong certificate | Re-download IdP certificate from Azure |
| User not authorized | Missing Azure assignment | Add user/group to Enterprise App |
| Assertion expired | Time sync issue | Check NTP on firewall |
| Invalid audience | Entity ID mismatch | Verify Entity ID matches on both sides |
| Reply URL mismatch | ACS URL misconfigured | Check Reply URL in Azure matches firewall |
Diagnostic Commands (PAN-OS)
# Check SAML authentication status
show authentication auth-type saml
# View SAML server profile
show authentication saml-idp-server-profile
# Debug authentication
debug authentication on debug
# Check authentication logs
show log system subtype eq auth
Azure AD Logs
- Azure Portal → Enterprise Applications → [App] → Sign-in logs
- Look for:
- Error codes and messages
- Correlation ID for support tickets
- User details and timestamp
Testing SAML Flow
- Use browser developer tools (Network tab)
- Look for SAML Response in POST to ACS URL
- Decode Base64 to view assertion XML
- Tools: SAML-tracer (Firefox), SAML DevTools (Chrome)
Certificate Renewal
Azure AD signing certificates expire. Plan for renewal:
Check Expiration
Azure Portal → Enterprise Applications → [App] → SAML Signing Certificate
Renewal Process
- Generate new certificate in Azure (don’t activate yet)
- Download new certificate
- Add new certificate to Palo Alto IdP profile
- Test with a pilot group
- Activate new certificate in Azure
- Remove old certificate after verification
SAML vs OAuth/OIDC
| Aspect | SAML | OAuth 2.0 / OIDC |
|---|---|---|
| Format | XML | JSON (JWT) |
| Best for | Enterprise SSO | APIs, mobile apps |
| Token type | SAML Assertion | Access Token / ID Token |
| Complexity | Higher | Lower |
| Browser support | Good | Good |
SAML is typically used for browser-based enterprise SSO (like GlobalProtect), while OAuth/OIDC is preferred for API authorization and modern applications.