Free Palo Alto Networks SSE-Engineer Actual Exam Questions - Question 7 Discussion
using SAML authentication through the Cloud Identity Engine. Users report that after entering their
credentials on the Identity Provider (IdP) login page, they are redirected to the Prisma Access portal
without successful authentication, and they receive this error message:
Error: Prisma Access Portal Authentication Failed using CIE-SAML with message “400 Bad Request”
Which action will identify the root cause of this error?
Maybe D makes sense since checking the authentication logs might show specific SAML errors causing the 400 Bad Request, helping pinpoint if it’s a config or communication problem.
It’s A because the error likely comes from mismatched endpoint URLs or certs between Strata Cloud Manager and the IdP, not just the Cloud Identity Engine. Checking both sides there makes more sense.
Seems like the issue is with how SAML metadata is set up between Cloud Identity Engine and the IdP since the error hints at a bad request during redirection, so I’m going with C.
D, logs usually show detailed SAML errors causing the 400 Bad Request.
Actually, I think D makes the most sense here. A “400 Bad Request” usually means something’s off at the protocol or message level, and the authentication logs in Strata Cloud Manager should show detailed SAML error messages that explain why the authentication failed. Just checking metadata (A or C) might miss specific SAML errors or misconfigurations that only show up in logs. Plus, logs can confirm if the request is even reaching the system properly, so starting there seems like the fastest way to pinpoint the root cause.
D, logs usually give the precise SAML error behind a 400 Bad Request.
A imo. Since the error shows "400 Bad Request," it points to something wrong with how SAML requests or responses are formed or accepted. Checking metadata on both sides—including endpoint URLs and certs—in Strata Cloud Manager and the IdP portal seems like the first move. Option C is tempting but mentions Cloud Identity Engine instead of Strata Cloud Manager; they might be different components, so that detail matters. Logs (D) could help but might not show the exact misconfiguration causing the bad request, so verifying metadata is more direct for this type of error.
This feels like a config mismatch, so checking the metadata on both sides is key. Since the error says “400 Bad Request,” it suggests something off with how SAML data is handled, so C looks right because it includes Cloud Identity Engine, which is part of the SAML flow here, not just Strata Cloud Manager. The error probably comes from invalid endpoints or cert issues in that integration. D could help later, but first you need to confirm the SAML setup is aligned on both ends, so C makes more sense as the starting point here.
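The "check the metadata on both sides" step that the two comments above describe (endpoint URLs and certificates as configured on the SP side, Strata Cloud Manager / Cloud Identity Engine, versus what the IdP publishes and what the IdP has registered for the SP) can be made mechanical. The script below is an added worked example written for this discussion; it is not part of the exam material and is not code from Palo Alto Networks or any IdP vendor. The IdP metadata, the certificate blob, the URLs and the dictionary field names are all constructed assumptions; in practice you would paste in the metadata downloaded from the IdP portal and the values shown in the SP configuration. It reports every disagreement it finds rather than stopping at the first one, since a 400 at the portal only tells you that the exchange was rejected, not which field caused it.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the IdP signing certificate (not a real X.509 blob).
IDP_CERT_B64 = base64.b64encode(b"constructed-idp-signing-cert-v2").decode()

# Constructed IdP metadata, shaped like the file an IdP portal lets you download.
IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{IDP_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(b64_text: str) -> str:
    """SHA-256 fingerprint of a base64-encoded DER certificate; tolerates line wrapping."""
    der = base64.b64decode("".join(b64_text.split()))
    return hashlib.sha256(der).hexdigest()


def idp_facts(metadata_xml: str) -> dict:
    """Extract the values the SP depends on: entityID, SSO endpoints per binding, signing certs."""
    root = ET.fromstring(metadata_xml)
    desc = root.find("md:IDPSSODescriptor", NS)
    if desc is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = {e.get("Binding"): e.get("Location") for e in desc.findall("md:SingleSignOnService", NS)}
    certs = set()
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.add(cert_fingerprint(c.text))
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_fps": certs}


def compare(sp_config: dict, idp_registration: dict, metadata_xml: str) -> list[str]:
    """sp_config: what the SP side believes about the IdP and about itself (hypothetical field names).
    idp_registration: what the IdP portal has on file for this SP.
    Returns human-readable mismatches; an empty list means both sides agree."""
    findings = []
    idp = idp_facts(metadata_xml)

    if sp_config["idp_entity_id"] != idp["entity_id"]:
        findings.append(f"IdP entityID: SP expects {sp_config['idp_entity_id']!r}, metadata says {idp['entity_id']!r}")

    binding = sp_config["sso_binding"]
    if binding not in idp["sso"]:
        findings.append(f"IdP publishes no SSO endpoint for binding {binding}")
    elif sp_config["sso_url"] != idp["sso"][binding]:
        findings.append(f"SSO URL: SP uses {sp_config['sso_url']!r}, metadata says {idp['sso'][binding]!r}")

    sp_fp = cert_fingerprint(sp_config["idp_cert_b64"])
    if sp_fp not in idp["signing_fps"]:
        findings.append(f"IdP signing cert held by SP ({sp_fp[:16]}...) is not one the IdP publishes (rotated?)")

    # Other direction: the IdP must post the response to the ACS URL the SP really serves,
    # addressed to the SP's own entityID, or the SP will reject it.
    for key, label in (("sp_entity_id", "SP entityID / Audience"), ("acs_url", "ACS URL")):
        if sp_config[key] != idp_registration[key]:
            findings.append(f"{label}: SP serves {sp_config[key]!r}, IdP has {idp_registration[key]!r}")

    for url in (sp_config["sso_url"], sp_config["acs_url"]):
        if not url.startswith("https://"):
            findings.append(f"endpoint {url!r} is not https")
    return findings


# Constructed SP-side settings; the trailing slash and the older cert are deliberate mismatches.
SP_CONFIG_BAD = {
    "idp_entity_id": "https://idp.example.test/saml/metadata",
    "sso_binding": REDIRECT,
    "sso_url": "https://idp.example.test/saml/sso/",  # trailing slash differs from metadata
    "idp_cert_b64": base64.b64encode(b"constructed-idp-signing-cert-v1").decode(),  # stale cert
    "sp_entity_id": "https://portal.example.test/saml/sp",
    "acs_url": "https://portal.example.test/saml/acs",
}
# Constructed record of what the IdP portal has for this SP; http instead of https is deliberate.
IDP_REGISTRATION_BAD = {
    "sp_entity_id": "https://portal.example.test/saml/sp",
    "acs_url": "http://portal.example.test/saml/acs",
}
SP_CONFIG_GOOD = dict(SP_CONFIG_BAD, sso_url="https://idp.example.test/saml/sso", idp_cert_b64=IDP_CERT_B64)
IDP_REGISTRATION_GOOD = dict(IDP_REGISTRATION_BAD, acs_url="https://portal.example.test/saml/acs")

if __name__ == "__main__":
    for f in compare(SP_CONFIG_BAD, IDP_REGISTRATION_BAD, IDP_METADATA):
        print("MISMATCH:", f)
    print("clean config findings:", compare(SP_CONFIG_GOOD, IDP_REGISTRATION_GOOD, IDP_METADATA))
```

Run as-is it prints three mismatches for the deliberately broken pair (SSO URL, signing certificate, ACS URL) and an empty list for the corrected pair. The certificate comparison is done on a fingerprint of the decoded DER rather than on the raw text so that line wrapping or a PEM header on one side does not produce a false mismatch; only a genuinely different certificate, such as one left behind after an IdP key rotation, is reported.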
Not B, since if traffic was blocked, users wouldn’t even reach the portal. Checking logs in D seems best to spot exact SAML errors causing the 400 Bad Request.
Is the error happening for all users or just specific groups/devices?