We need help setting up Keycloak as an Identity Provider for Palo Alto GlobalProtect using SAML. Our team was able to complete the authentication flow successfully, but when Keycloak redirects back to Palo Alto, we get a “Temporarily Unavailable” error.
Can anyone from the community please assist us or point us in the right direction?
I suggest that you have a look at the GlobalProtect logs in the first place. My guess is that the “Temporarily Unavailable” is a generic message hiding the actual error, which could be SAML ACS misconfiguration in Keycloak, SAML assertion not being “understood” by GlobalProtect, certificate misconfiguration etc.
Do you have any working SAML integration for GlobalProtect? You could capture the traffic and compare the SAML flow + assertion format to those for Keycloak. That might give you some hints.
Hello,
Do you get this error during signing on via GlobalProtect only or through the web portal as well? Can you share your Keycloak client’s settings? Maybe some URLs are wrong.
I’m also trying to configure SSO via Keycloak currently. I’ve faced many issues; so far I’ve settled on this one, and the saddest thing is that there is no information anywhere on how to set this up. Maybe the integration with Keycloak doesn’t work at all?
Authentication Failed
Please contact the administrator for further assistance
Server info: 10.0.0.213
Error code: -1
We’re also facing the same issue. If anyone has successfully integrated it, please let us know. When we try to connect to GlobalProtect, it redirects to the Keycloak login page as expected. However, after authentication, we encounter a “temporary error” message stating that the redirect URL is not reachable.
As Dmitry pointed out, when you’re in the middle of a SAML federation, you can view the SAML Request and Response in the browser’s Network console or by using a SAML extension. There, you’ll find a lot of useful information.
On the other hand, in the SAML world, there are tons of different configurations, signed or unsigned SAML requests/responses, encrypted or unencrypted assertions, various NameID formats, required attributes in the SAML Response, and so on. Therefore, you should double-check the integration configuration to ensure it’s properly set up.
If the process breaks after authentication (which means Keycloak sent the SAML response to the app), then you should check the application logs to gather more information about the error.
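The inspection the replies above suggest (capture the SAMLResponse POST field from the browser’s Network tab, decode it, then compare Destination, Audience, NameID format and signing against what the SP is configured for), written out as an added example. This is not code from the thread, from Keycloak or from Palo Alto; the ACS URL, SP entity ID and the SAML Response itself are constructed sample values, and the checks only cover the structural mismatches that commonly hide behind a generic error page, not signature verification.

```python
"""Decode a captured SAMLResponse and flag mismatches against the SP's config.

Added example, not code from the Keycloak or GlobalProtect projects. The SP
expectations and the SAML Response below are constructed sample values.
"""
import base64
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What the SP (the GlobalProtect portal in the thread) is configured with.
# Constructed values; note the explicit :443 port, a frequent source of mismatch.
EXPECTED = {
    "acs_url": "https://vpn.example.test:443/SAML20/SP/ACS",
    "sp_entity_id": "https://vpn.example.test:443/SAML20/SP",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

# Constructed, unsigned SAML Response, i.e. what the SAMLResponse form field
# from the browser's Network tab looks like after base64-decoding.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://vpn.example.test/SAML20/SP/ACS">
  <saml:Issuer>https://keycloak.example.test/realms/vpn</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://keycloak.example.test/realms/vpn</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-1234</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://vpn.example.test:443/SAML20/SP</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAMLRESPONSE_FIELD = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(field_value: str) -> ET.Element:
    """Base64-decode the SAMLResponse POST parameter and parse it as XML."""
    return ET.fromstring(base64.b64decode(field_value))


def summarize(root: ET.Element) -> dict:
    """Extract the fields an SP validates before it accepts the assertion."""
    assertion = root.find("saml:Assertion", NS)
    summary = {
        "destination": root.get("Destination"),
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "issuer": (root.findtext("saml:Issuer", default="", namespaces=NS)).strip(),
        "encrypted_assertion": root.find("saml:EncryptedAssertion", NS) is not None,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": False,
        "nameid_format": None,
        "audiences": [],
        "attributes": {},
    }
    if assertion is not None:
        nameid = assertion.find("saml:Subject/saml:NameID", NS)
        summary["nameid_format"] = nameid.get("Format") if nameid is not None else None
        summary["audiences"] = [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        summary["attributes"] = {
            a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
        summary["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
    return summary


def check_against_sp(summary: dict, expected: dict) -> list:
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    if summary["status"] != SUCCESS:
        findings.append(f"IdP returned non-success status {summary['status']}")
    if summary["destination"] != expected["acs_url"]:
        findings.append(f"Destination {summary['destination']!r} != ACS URL {expected['acs_url']!r}")
    if summary["encrypted_assertion"]:
        findings.append("assertion is encrypted; SP needs the matching decryption key")
    elif expected["sp_entity_id"] not in summary["audiences"]:
        findings.append(f"Audience {summary['audiences']} lacks SP entity ID {expected['sp_entity_id']!r}")
    if summary["nameid_format"] != expected["nameid_format"]:
        findings.append(f"NameID format {summary['nameid_format']!r} != {expected['nameid_format']!r}")
    if not (summary["response_signed"] or summary["assertion_signed"]):
        findings.append("neither Response nor Assertion carries a Signature element")
    return findings


def run_sample() -> list:
    """Decode and check the constructed sample; returns the list of findings."""
    return check_against_sp(summarize(decode_saml_response(SAMPLE_SAMLRESPONSE_FIELD)), EXPECTED)


if __name__ == "__main__":
    for finding in run_sample():
        print("-", finding)
```

Against the constructed sample this reports three findings: the Destination lacks the :443 port the SP was configured with, the NameID format is persistent rather than unspecified, and nothing is signed. Each of those would be visible in a side-by-side comparison with a capture from a working SAML integration, as suggested above, and each is a Keycloak client setting rather than something the SP logs explain.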