SAML Authentication Flow Reference

saml authentication azure paloalto


Overview

SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP).


The Step-by-Step Authentication Flow

Here is how the certificate is used during the GlobalProtect login process:

  1. User Connects: A user initiates a GlobalProtect connection. The firewall (acting as the Service Provider, or SP) redirects the user to Azure AD (the Identity Provider, or IdP) for authentication.

  2. User Authenticates: The user signs in with their credentials on the Microsoft login page.

  3. Azure AD Creates a Response: Azure generates a SAML “assertion,” which is an XML message containing information like the user’s identity.

  4. Azure AD Signs the Response: Azure uses its private key to digitally sign this SAML assertion. This is like putting a tamper-proof seal on an envelope.

  5. Firewall Receives the Response: The user’s browser sends the signed SAML assertion back to the Palo Alto Networks firewall.

  6. Firewall Verifies the Signature: The firewall now looks at the certificate you selected in the Identity Provider Certificate field. It uses this public certificate to check the signature on the assertion.

    • If the signature is valid, the firewall trusts the assertion, completes the login, and builds the VPN tunnel.
    • If the signature is invalid, the firewall rejects the login attempt, protecting you from a potential man-in-the-middle attack or a forged response.

Key Components

ComponentDescription
Service Provider (SP)The application/service the user wants to access (e.g., Palo Alto firewall)
Identity Provider (IdP)The system that authenticates users (e.g., Azure AD, Okta)
SAML AssertionXML document containing user identity and attributes
MetadataXML describing SP/IdP configuration (endpoints, certificates)

Azure AD Configuration

Azure Side (IdP)

  1. Enterprise Applications → New Application → Create your own
  2. Set up Single Sign-On → SAML
  3. Configure:
    • Identifier (Entity ID): Unique identifier for the SP
    • Reply URL (ACS URL): Where Azure sends the SAML response
    • Sign on URL: Where users go to initiate login
  4. Download Federation Metadata XML or Certificate (Base64)

Palo Alto Side (SP)

  1. Device → Server Profiles → SAML Identity Provider
  2. Import IdP metadata or manually configure:
    • IdP Entity ID: From Azure
    • IdP Certificate: Download from Azure (for signature verification)
    • IdP SSO URL: Azure login endpoint
  3. Authentication → Authentication Profile → Use SAML IdP profile
  4. GlobalProtect → Portal/Gateway → Use authentication profile

Troubleshooting

Common Issues

IssuePossible CauseSolution
Signature validation failedWrong certificateRe-download IdP certificate from Azure
User not authorizedMissing Azure assignmentAdd user/group to Enterprise App
Assertion expiredTime sync issueCheck NTP on firewall
Invalid audienceEntity ID mismatchVerify Entity ID matches on both sides
Reply URL mismatchACS URL misconfiguredCheck Reply URL in Azure matches firewall

Diagnostic Commands (PAN-OS)

# Check SAML authentication status
show authentication auth-type saml

# View SAML server profile
show authentication saml-idp-server-profile

# Debug authentication
debug authentication on debug

# Check authentication logs
show log system subtype eq auth

Azure AD Logs

  1. Azure Portal → Enterprise Applications → [App] → Sign-in logs
  2. Look for:
    • Error codes and messages
    • Correlation ID for support tickets
    • User details and timestamp

Testing SAML Flow

  1. Use browser developer tools (Network tab)
  2. Look for SAML Response in POST to ACS URL
  3. Decode Base64 to view assertion XML
  4. Tools: SAML-tracer (Firefox), SAML DevTools (Chrome)

Certificate Renewal

Azure AD signing certificates expire. Plan for renewal:

Check Expiration

Azure Portal → Enterprise Applications → [App] → SAML Signing Certificate

Renewal Process

  1. Generate new certificate in Azure (don’t activate yet)
  2. Download new certificate
  3. Add new certificate to Palo Alto IdP profile
  4. Test with a pilot group
  5. Activate new certificate in Azure
  6. Remove old certificate after verification

SAML vs OAuth/OIDC

AspectSAMLOAuth 2.0 / OIDC
FormatXMLJSON (JWT)
Best forEnterprise SSOAPIs, mobile apps
Token typeSAML AssertionAccess Token / ID Token
ComplexityHigherLower
Browser supportGoodGood

SAML is typically used for browser-based enterprise SSO (like GlobalProtect), while OAuth/OIDC is preferred for API authorization and modern applications.