In some environments, SAML access to PAM stops working because the certificate information has changed on the IdP side and the change has not been picked up in the CA PAM SAML configuration, even though an hourly or daily metadata refresh is configured on the Configuration > Security > SAML > SP Configuration page.
The problem can be resolved by manually downloading the federation metadata and uploading it to CA PAM. However, this is not an acceptable long-term procedure, because there is no way to know in advance when the IdP will change its certificate. This is a typical situation with, for instance, Azure.
One cause of this problem is that access to the IdP Metadata download URL is blocked, for instance by firewall restrictions.
In the case of Azure, the URL is something similar to the following:
https://login.microsoftonline.com/d246ytxd-cc00-4ed2-bc4e-f8a46cbc590d/federationmetadata/2007-06/federationmetadata.xml
Engage the firewall and networking teams to ensure that PAM is able to reach the IdP metadata. The metadata refresh source URL is found in the IdP metadata that you uploaded to PAM on the Configuration > Security > SAML > SP Configuration > Configured Remote SAML IdP page.
If needed, engage PAM Support, who can access your PAM server using SSH remote debugging services and check access to the IdP metadata from there.
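To confirm from the network side that the metadata URL is reachable, and to detect an IdP certificate rotation before users are locked out, the following added example (not part of the article or of CA PAM) downloads SAML IdP metadata, extracts the signing certificates from the KeyDescriptor elements and compares their SHA-256 fingerprints with the one PAM currently trusts. The embedded metadata sample and its certificate values are constructed placeholders, not a real IdP's data.

```python
import base64
import hashlib
import urllib.request
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def fetch_metadata(url: str, timeout: int = 10) -> bytes:
    """Download the IdP federation metadata (e.g. the Azure URL quoted above)."""
    # A timeout or URLError here reproduces the symptom: this host cannot reach the IdP.
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def signing_fingerprints(metadata_xml: bytes) -> list:
    """SHA-256 fingerprints (hex) of every signing certificate published in the metadata."""
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        # A KeyDescriptor without a "use" attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def rotation_detected(configured_fingerprint: str, metadata_xml: bytes) -> bool:
    """True when the certificate PAM trusts is no longer advertised by the IdP."""
    return configured_fingerprint.lower() not in signing_fingerprints(metadata_xml)


def _cert(label: bytes) -> str:
    # Constructed placeholder bytes; a real IdP publishes base64 DER X.509 certificates here.
    return base64.b64encode(label).decode()


# Constructed sample: an IdP mid-rollover (two signing certs) plus one encryption cert.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_cert(b'constructed-old-signing-cert')}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_cert(b'constructed-new-signing-cert')}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_cert(b'constructed-encryption-cert')}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".encode()
```

Run `fetch_metadata` from the PAM network segment with the URL from your IdP metadata; if it fails while the same call succeeds from a workstation, the firewall path is the problem described above.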