<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic CIE Azure AD/Entra AD guest UPN match GlobalProtect login user in Cloud Identity Engine Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cie-azure-ad-entra-ad-guest-upn-match-global-protect-login-user/m-p/589737#M66</link>
    <description>&lt;P&gt;I am trying to see how I can get the Cloud Identity Engine to match the GlobalProtect SSO (also from Azure AD/Entra) UPN for the user.&amp;nbsp; I have a sister company whose users I have invited in as external guests and added to AAD groups, which are assigned to allow them to connect to the AAD enterprise app for SAML SSO.&amp;nbsp; But CIE will return a different UPN than what the SSO returns back to the Palo Alto.&amp;nbsp; I honestly do not care which one of these formats it uses, as long as they consistently match. The main issue is that the CIE and the GlobalProtect logins don't match for the same user, so it's not possible to tie the user to the AAD groups CIE populates.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;GlobalProtect will identify the user as &lt;A href="mailto:jwoodman@example.com" target="_blank"&gt;jwoodman@example.com&lt;/A&gt; and CIE will be jwoodman_example_com#ext#@example2.onmicrosoft.com&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If the user has mail set up, you could go off that.&amp;nbsp; But this being a sister company, we have some of these users already set up as contacts, and it will not allow those users to save their email address. It says there is already a proxy address. Instead it places their email address in the other mail property.&amp;nbsp; I'm assuming I need to go the route of setting up Azure AD/Entra SAML transformations for the nameidentifier, as I don't see a way of changing the Cloud Identity Engine behavior. Curious if anyone has done this before.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Tue, 18 Jun 2024 00:16:48 GMT</pubDate>
    <dc:creator>JustinWoodman</dc:creator>
    <dc:date>2024-06-18T00:16:48Z</dc:date>
    <item>
      <title>CIE Azure AD/Entra AD guest UPN match GlobalProtect login user</title>
      <link>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cie-azure-ad-entra-ad-guest-upn-match-global-protect-login-user/m-p/589737#M66</link>
      <description>&lt;P&gt;I am trying to see how I can get the Cloud Identity Engine to match the GlobalProtect SSO (also from Azure AD/Entra) UPN for the user.&amp;nbsp; I have a sister company whose users I have invited in as external guests and added to AAD groups, which are assigned to allow them to connect to the AAD enterprise app for SAML SSO.&amp;nbsp; But CIE will return a different UPN than what the SSO returns back to the Palo Alto.&amp;nbsp; I honestly do not care which one of these formats it uses, as long as they consistently match. The main issue is that the CIE and the GlobalProtect logins don't match for the same user, so it's not possible to tie the user to the AAD groups CIE populates.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;GlobalProtect will identify the user as &lt;A href="mailto:jwoodman@example.com" target="_blank"&gt;jwoodman@example.com&lt;/A&gt; and CIE will be jwoodman_example_com#ext#@example2.onmicrosoft.com&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If the user has mail set up, you could go off that.&amp;nbsp; But this being a sister company, we have some of these users already set up as contacts, and it will not allow those users to save their email address. It says there is already a proxy address. Instead it places their email address in the other mail property.&amp;nbsp; I'm assuming I need to go the route of setting up Azure AD/Entra SAML transformations for the nameidentifier, as I don't see a way of changing the Cloud Identity Engine behavior. Curious if anyone has done this before.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 18 Jun 2024 00:16:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cloud-identity-engine/cie-azure-ad-entra-ad-guest-upn-match-global-protect-login-user/m-p/589737#M66</guid>
      <dc:creator>JustinWoodman</dc:creator>
      <dc:date>2024-06-18T00:16:48Z</dc:date>
    </item>
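The identity mismatch the post describes (GlobalProtect sees jwoodman@example.com, CIE sees jwoodman_example_com#ext#@example2.onmicrosoft.com) is the Entra B2B guest UPN convention: the invited address has its "@" replaced by "_" and "#EXT#@<home-tenant>" appended. Below is an added example, not code from the original post and not Palo Alto Networks or Microsoft code, that shows the reconciliation logic a practitioner needs if the identifiers cannot be made consistent at the IdP. It assumes the sister company's e-mail domains are known up front (the KNOWN_PARTNER_DOMAINS list is constructed) and that guest UPNs follow the B2B pattern, trying both "example.com" and the "example_com" spelling seen in the post. The sample logins and group members are constructed. The caveat it handles: "_" is legal in a local part, so "john_doe_example.com" cannot be split safely without a known domain list, and restricting the reversal to known partner domains also stops a guest from an unrelated domain being aliased to a partner address. The cleaner fix remains making both sides emit the same identifier (the NameID transformation the poster mentions); this normaliser is the fallback.

```python
"""Reconcile GlobalProtect SAML login names with Entra B2B guest UPNs as returned by CIE.

Added example (hypothetical helper code), not from the original post, Palo Alto Networks
or Microsoft. Assumptions: partner domains are known (KNOWN_PARTNER_DOMAINS is constructed),
guest UPNs follow <local>_<domain>#EXT#@<home-tenant>.onmicrosoft.com, and the sample
identities below are constructed test data.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed: the sister company's e-mail domains whose users are invited as guests.
KNOWN_PARTNER_DOMAINS = ["example.com"]

# Guest UPN shape: <prefix>#EXT#@<home tenant>; '#ext#' casing varies between tools.
_EXT_RE = re.compile(r"^(?P<prefix>.+)#ext#@(?P<tenant>[^@]+)$", re.IGNORECASE)


def guest_upn_to_email(upn: str, partner_domains: Iterable[str] = KNOWN_PARTNER_DOMAINS) -> Optional[str]:
    """Map an Entra B2B guest UPN back to the external address it was built from.

    Both the dotted domain ('example.com') and the underscored spelling seen in the
    post ('example_com') are tried as the suffix. Matching against a known domain list
    is what makes the reversal unambiguous, because '_' is legal in the local part.
    Returns the lower-cased e-mail address, or None when the UPN is not a guest UPN
    for a known partner domain (unknown guests are deliberately never mapped).
    """
    m = _EXT_RE.match(upn.strip())
    if not m:
        return None
    prefix = m.group("prefix").lower()
    for domain in partner_domains:
        d = domain.lower()
        for spelling in (d, d.replace(".", "_")):
            suffix = "_" + spelling
            # Require a non-empty local part in front of the '_<domain>' suffix.
            if prefix.endswith(suffix) and len(prefix) > len(suffix):
                return f"{prefix[:-len(suffix)]}@{d}"
    return None


def same_user(gp_login: str, cie_upn: str, partner_domains: Iterable[str] = KNOWN_PARTNER_DOMAINS) -> bool:
    """True if a GlobalProtect login name and a CIE-supplied UPN denote the same user.

    Member accounts compare case-insensitively as-is; guest UPNs are first normalised
    to the external address they were created from.
    """
    gp = gp_login.strip().lower()
    cie = cie_upn.strip().lower()
    if gp == cie:
        return True
    normalised = guest_upn_to_email(cie, partner_domains)
    return normalised is not None and normalised == gp


def reconcile(gp_logins: Iterable[str], cie_group_members: Iterable[str],
              partner_domains: Iterable[str] = KNOWN_PARTNER_DOMAINS) -> Tuple[Dict[str, str], List[str]]:
    """Tie each GlobalProtect login to the CIE group member it corresponds to.

    Returns ({gp_login: cie_upn}, [logins that matched no group member]).
    """
    members = list(cie_group_members)
    matched: Dict[str, str] = {}
    unmatched: List[str] = []
    for login in gp_logins:
        hit = next((u for u in members if same_user(login, u, partner_domains)), None)
        if hit is None:
            unmatched.append(login)
        else:
            matched[login] = hit
    return matched, unmatched


# Constructed sample data: what GlobalProtect reports versus what CIE returns.
SAMPLE_GP_LOGINS = [
    "jwoodman@example.com",        # guest, underscored-domain UPN form from the post
    "john_doe@example.com",        # guest whose local part itself contains '_'
    "alice@corp.example2.com",     # member account, identical on both sides
    "bob@example.com",             # not in the CIE group at all
]
SAMPLE_CIE_GROUP = [
    "jwoodman_example_com#EXT#@example2.onmicrosoft.com",
    "john_doe_example.com#EXT#@example2.onmicrosoft.com",
    "alice@corp.example2.com",
    "contractor_other.example#EXT#@example2.onmicrosoft.com",  # guest from a non-partner domain
]

if __name__ == "__main__":
    matched, unmatched = reconcile(SAMPLE_GP_LOGINS, SAMPLE_CIE_GROUP)
    for login, upn in matched.items():
        print(f"{login:28} -> {upn}")
    print("unmatched:", unmatched)
```

Only the partner domains in the list are ever reversed, so the non-partner guest in the sample group stays unmatched rather than being silently mapped to some "@example.com" address; widen that list deliberately, per partner tenant, rather than stripping "#EXT#" generically.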
  </channel>
</rss>

