topic Re: Azure AD GlobalProtect Clientless Portal / SAML Domain issue in GlobalProtect Discussions

Azure AD GlobalProtect Clientless Portal / SAML Domain issue

Pasquale01 — Mon, 28 Jun 2021 18:33:09 GMT

Hi All, I am able to authenticate users against the portal with SAML and Azure AD all good. Since I can't pull groups from Azure I'm using LDAP for the portal and policies also working. The issue is that the user from Azure is coming down to the firewall as doman.local\user while on prem LDAP is just domain\user. Any way to drop the .local at the firewall or has it to be done in Azure? and if Azure how 🙂 Thanks

Re: Azure AD GlobalProtect Clientless Portal / SAML Domain issue

Remo — Mon, 28 Jun 2021 18:46:48 GMT

Hi @Pasquale01

This has to be done in azure.

I need to search the details on how to configure this ...

Re: Azure AD GlobalProtect Clientless Portal / SAML Domain issue

Remo — Mon, 28 Jun 2021 18:58:44 GMT

There it is 😉

In the azure SAML config for global protect you need to alter the claim for username to the following:

username = Join (user.netbiosname, "\", user.onpremisessamaccountname)

This can be done by editing the usename claim details and choosing this from the various options that are presented there.

Re: Azure AD GlobalProtect Clientless Portal / SAML Domain issue

Pasquale01 — Mon, 28 Jun 2021 19:16:16 GMT

That's great, can you point me to where that is documented?

Re: Azure AD GlobalProtect Clientless Portal / SAML Domain issue

Remo — Mon, 28 Jun 2021 19:21:26 GMT

I have no idea where this is documented right now. I was told this by TAC support. In my situation the user was showing up correctly in the logs and so the machting for security policy rules was working fine but in the global protect configuration when I tried to create userbased configs I had to add the users in domain.local\username format and so the AD groups were not working. Then in TAC proposed this solution (as they found out this in another case from another customer) and this did the trick for me - and almost certainly will also do for you.

Re: Azure AD GlobalProtect Clientless Portal / SAML Domain issue

Pasquale01 — Mon, 28 Jun 2021 19:23:46 GMT

Ah...I see thank you for the responce. I'll let you know if it worked.

Re: Azure AD GlobalProtect Clientless Portal / SAML Domain issue

emr_1 — Wed, 20 Oct 2021 09:50:02 GMT

@Remo
hi, I have same issue and want to control user sessions by user group.

I want to ask you is that you have on-premise AD on your site and sync with AAD?

https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0

According to the link above (section is for "onPremisesSamAccountName"), it sounds I need on-premise AD, but I don't have..

If we only have AAD, do you know any other solution? (Maybe I should try CIE, new from palo alto. though not sure it retrieves user group from AAD)