Updating the SSO Certificate from Azure for a GlobalProtect VPN Portal
Every three years, the SSO certificate for a GlobalProtect portal will expire.
In this example, we will be using the .129 VPN portal.
- Create a new certificate in the enterprise app for the VPN portal you are updating.

- After generating the new certificate, click the 3 dots and set it active.
- You will have to delete the old certificate before you can download the new one and upload it into the Palo Alto. Otherwise, it will only read the old certificate. Before deleting it, download the old certificate in case you need to revert.
- Once only the new certificate remains, you can download the XML file.
- Log into the Palo Alto and go to Device > Server Profiles > SAML Identity Provider. Once you are there, click Import and name the new SAML IDP. Browse to your downloaded XML file.
- Once installed, your new cert will show up in the certificates section.
- You can now click into the SAML IDP that you are updating and click the dropdown for the Identity Provider Certificate. Select your new cert.
- After that is all complete, commit the changes to the Palo Alto.
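
A check to run on the downloaded XML before importing it, confirming the file carries only the new signing certificate and not the old one. This is an added example, not part of the original procedure: the function names and the sample metadata are constructed for illustration, and it assumes the thumbprint shown for the certificate in Azure is the SHA-1 hash of the DER-encoded certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def signing_thumbprints(metadata_xml):
    """Return the distinct thumbprints of the IdP signing certificates."""
    root = ET.fromstring(metadata_xml)
    seen = []
    for idp in root.iter(f"{{{MD}}}IDPSSODescriptor"):
        for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
            if kd.get("use", "signing") != "signing":
                continue  # skip encryption-only keys; no "use" means both
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                der = base64.b64decode("".join((cert.text or "").split()))
                # SHA-1 is used only as the display identifier (assumption above)
                thumb = hashlib.sha1(der).hexdigest().upper()
                if thumb not in seen:  # the same cert may be listed twice
                    seen.append(thumb)
    return seen

def check_metadata(metadata_xml, expected_thumbprint):
    """(True, msg) only if exactly one signing cert is present and it is the new one."""
    found = signing_thumbprints(metadata_xml)
    expected = expected_thumbprint.replace(":", "").replace(" ", "").upper()
    if len(found) != 1:
        return False, f"expected 1 signing certificate, found {len(found)}: {found}"
    if found[0] != expected:
        return False, f"metadata carries {found[0]}, expected {expected}"
    return True, f"metadata carries only {expected}"

# Constructed sample: the base64 bodies are placeholder bytes, not real certificates.
OLD = base64.b64encode(b"constructed-old-cert").decode()
NEW = base64.b64encode(b"constructed-new-cert").decode()

def sample(*certs):
    keys = "".join(
        '<KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></KeyDescriptor>" for c in certs)
    return (f'<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" entityID="https://idp.example/">'
            '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f"{keys}</IDPSSODescriptor></EntityDescriptor>")

if __name__ == "__main__":
    new = hashlib.sha1(base64.b64decode(NEW)).hexdigest()
    for doc in (sample(NEW), sample(OLD, NEW)):
        print(check_metadata(doc, new))
```

With a real download, pass the file's contents and the thumbprint of the new certificate instead of the constructed sample; a failed check means the XML still references a certificate other than the one you just activated.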