I'm working with an enterprise app called Palo Alto, and I've run into a bit of a snag. I tried to provide our networking team with a federated XML file from the certificate, but they're asking for the Azure root certificate instead. I've done some research and found out that you can use a CA within Azure, but we don't have that set up yet. Should I create a new certificate using Azure App Service Certificates and apply or import it to the Enterprise App? I'm a bit confused since for other applications using SAML, self-signed certificates have worked just fine, but this one seems to need the CA root certificate to function.
3 Answers
Here’s a pro tip from my recent experience: it’s often better to create your own self-signed certificate on the Palo and then import that into Azure. Why? Because Palo Alto only allows one certificate per issuer/common name, and Azure’s SAML certs all share the same name. If you try to add another without deleting the old one, it’ll fail. You might end up needing to either unlink or completely rebuild the SAML profile, which could result in downtime. So, it’s better to generate a new cert on Palo first, import it into Azure, and link the profiles correctly to minimize downtime during the transition.
Actually, you might not need a separate root certificate for Azure. The default SAML signing certificate is self-signed, which effectively acts as the root certificate. I’ve dealt with issues regarding Palo Alto before, and one big thing is that Palo Alto doesn’t accept self-signed certificates directly from the Certificate Management menu. So, your network team might have to export the public certificate from Palo Alto and import that into Azure AD as the SAML signing certificate. Also, importing the federation metadata XML is an acceptable approach for self-signed certificates.
If you’re looking for the SAML certificates, in the Enterprise App section where you see the XML, there’s actually a ‘Download Cert’ button right above it. That should provide everything you need. I haven't personally worked with Palo Alto, but this option has worked seamlessly for other SAML applications I’ve handled.
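As an added worked example (not code from the thread or from Palo Alto/Microsoft), the script below reproduces with the openssl CLI the two checks the answers above imply: whether two signing certificates share a subject and issuer, which is the one-certificate-per-name collision the first answer says PAN-OS trips over when Azure rolls its signing certificate, and whether the certificate embedded in a Federation Metadata XML file is the same one the "Download certificate" button hands out. It assumes a POSIX shell with openssl, base64 and sed available. The certificates are generated locally as stand-ins: two with the subject Azure's default SAML signing certificate carries, and one with a hypothetical firewall-specific CN; the metadata document is a constructed fragment, not a real Azure download, and the entityID in it is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Constructed test certificates
# only; none of these is a real Azure or Palo Alto certificate.
set -euo pipefail

WORK="$(mktemp -d)"

# make_cert <basename> <common-name>
# Self-signed cert standing in for either an Azure SAML signing cert or one
# generated on the firewall.
make_cert() {
    local base="$1" cn="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=${cn}" \
        -keyout "${WORK}/${base}.key" -out "${WORK}/${base}.crt" >/dev/null 2>&1
}

# name_key <cert.pem>
# Subject and issuer DN on one line: the identity the import collision is keyed on.
name_key() {
    openssl x509 -in "$1" -noout -subject -issuer | tr '\n' '|'
}

# fingerprint <cert.pem>
# SHA-256 fingerprint, which is what actually tells two same-named certs apart.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# names_collide <a.pem> <b.pem>
# Exit 0 when both certs carry the same subject and issuer, i.e. the second
# one would not import alongside the first under a one-cert-per-name rule.
names_collide() {
    [ "$(name_key "$1")" = "$(name_key "$2")" ]
}

# write_metadata <cert.pem> <out.xml>
# Minimal federation-metadata-shaped document (constructed; real Azure
# metadata carries more elements, but only the signing KeyDescriptor matters here).
write_metadata() {
    local b64
    b64="$(openssl x509 -in "$1" -outform DER | base64 | tr -d '\n')"
    cat > "$2" <<EOF
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>${b64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
EOF
}

# metadata_cert_to_pem <metadata.xml> <out.pem>
# Pull the base64 DER out of the X509Certificate element and write it as PEM
# so it can be fingerprinted like the downloaded certificate.
metadata_cert_to_pem() {
    sed -n 's/.*<X509Certificate>\([^<]*\)<\/X509Certificate>.*/\1/p' "$1" \
        | base64 -d | openssl x509 -inform DER -out "$2"
}

# Two "Azure" certs: a rollover yields a new key pair under the same subject.
make_cert azure-old "Microsoft Azure Federated SSO Certificate"
make_cert azure-new "Microsoft Azure Federated SSO Certificate"
# A cert generated on the firewall instead, with a CN unique to it (hypothetical name).
make_cert pan-saml "pan-saml-signing-2024"

write_metadata "${WORK}/azure-new.crt" "${WORK}/federation.xml"
metadata_cert_to_pem "${WORK}/federation.xml" "${WORK}/from-metadata.pem"

if names_collide "${WORK}/azure-old.crt" "${WORK}/azure-new.crt"; then
    echo "collision: azure-new has the same subject/issuer as azure-old; delete or replace the old one first"
fi
names_collide "${WORK}/azure-old.crt" "${WORK}/pan-saml.crt" || echo "no collision: pan-saml can coexist with the Azure cert"
echo "metadata cert:   $(fingerprint "${WORK}/from-metadata.pem")"
echo "downloaded cert: $(fingerprint "${WORK}/azure-new.crt")"
```

Run `names_collide` against the certificate already installed on the firewall before importing the new Azure one; if it collides, plan the replace-not-add step (or the firewall-generated certificate route) ahead of time rather than discovering it mid-change. Comparing the metadata fingerprint with the downloaded certificate's fingerprint confirms the two Azure artefacts describe the same key before anyone starts debugging the SAML profile.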
I totally get it. I've set up many enterprise apps and used the self-generated certificate approach without any problems. I'm leaning towards this being a config issue on the Palo Alto side more than an Azure cert problem.

This is super helpful! I’ll definitely have a chat with the networking team about generating the cert from the PAN.