topic Re: Consuming user group in GlobalProtect SAML Authentication in GlobalProtect Discussions

Consuming user group in GlobalProtect SAML Authentication

mtsujihara — Fri, 16 Jun 2017 21:15:49 GMT

A bit of background: We are an all-Google G Suite company. We do not have internal LDAP servers. Everyone auths to Google. We are using PA 3060s as our firewalls and VPN systems.

We are getting ready to turn on SAML authentication for GlobalProtect. We are using Google as our IdP.

I've gotten it working, but I want to make policy decisions based on the user group that we are returning in the SAML assertion.

In Google, I have a user attribute with a "role" specified for each user, and then we are passing this back to the firewalls via a attribute mapping in our SAML App definition in Google.

Within the SAML authentication profile in the firewalls, I have set the User Group attribute to "role", and when I connect to the portal through Burp Suite, I see a SAML "role" attribute being returned from Google and asserted to the firewalls.

However, I have not found a way to use this "role" attribute in client IP pool assignments or in making policy decisions. I have tried making a local group that matches the "role" value, but that does not work.

Has anyone done this, or have any insight on this?

Regards,

Mark

Re: Consuming user group in GlobalProtect SAML Authentication

Remo — Fri, 16 Jun 2017 23:17:59 GMT

Hi @mtsujihara

I don't know it this user-group-mapping fof SAML users is possible. Probably not because the default group-mapping in the WebUI requires an LDAP profile.

But may be you should give this a try for the creation of groups and containing users: https://www.paloaltonetworks.com/documentation/80/pan-os/xml-api/pan-os-xml-api-request-types/apply-user-id-mapping-and-populate-dynamic-address-groups-api

Re: Consuming user group in GlobalProtect SAML Authentication

altplus — Mon, 08 Jan 2018 08:55:55 GMT

Hi @mtsujihara

Could you please show me how to configure PA using Google SAML as IdP?

Thank you in advance,

Regards,

Army

Re: Consuming user group in GlobalProtect SAML Authentication

MikeTewner — Tue, 17 Jul 2018 07:34:12 GMT

I've gotten GSuite SAML2.0 working and have GSuite configured to send the user's "Department" as the "group" attribute. In the PA, I have the "User Group Attribute" set the "group". As the OP says, I don't see that I can use the "group" value anywhere (policies, etc).

Has anyone gotten this to work?

Re: Consuming user group in GlobalProtect SAML Authentication

BPry — Tue, 17 Jul 2018 17:11:12 GMT

@MikeTewner,

The firewall won't let you use that attribute the same as you would with an LDAP group. The link that @Remo provided describes how you could probably script this to assign users to different groups using the xml-api and how you would format the input file that you would need to put together for this.

I would recommend reaching out to your SE and setting up a feature request.

Re: Consuming user group in GlobalProtect SAML Authentication

Remo — Tue, 17 Jul 2018 18:55:39 GMT

@MikeTewner

It depends on how much you really need this group mapping for SAML authenticated users ... it will be a bit of work

Set up a webserver
Create a log forwarding profile for system logs that applies for global protect login and logout logs and send these logs to your webserver
Create a web application on your webserver that processes these http request with the logs from your firewall
For every log that the webserver receives your web application needs to push that information to the firewall API to create dynamic User-IP-Group mappings and also delete them when a user logs out

4 "simple" steps and you have implemented what you need 😛

But I recommend the feature request anyway ...

Re: Consuming user group in GlobalProtect SAML Authentication

MikeTewner — Wed, 18 Jul 2018 06:55:43 GMT

Thank you @Remo and @BPry for the help! This is one of the last services still stuck on our ActiveDirectory - I'll put in the feature request and live with it for a bit longer.

Just an aside for anyone else with this issue - Perhaps JumpCloud can help in this case.

-Mike

Re: Consuming user group in GlobalProtect SAML Authentication

AJeffery — Tue, 05 May 2020 07:37:54 GMT

I dont know if this is still an issue for you, but i had a similar problem with Azure AD, so in the end created a secure LDAP connection to it and in the LDAP Group configuration changed the username to be email and that has worked both on Global Protect and Security rules.

Re: Consuming user group in GlobalProtect SAML Authentication

Ozamir — Wed, 03 Jun 2020 12:49:27 GMT

Have anyone successfully implemented Group-Mapping with G-Suite?

Re: Consuming user group in GlobalProtect SAML Authentication

JohnWade — Fri, 05 Jun 2020 20:39:56 GMT

Nope, still struggling with this same issues. SAML authentication works great, but group information sent int he SAML assertion is not accessible in policy rules. In my case, we have access to LDAP, but wanted to use SAML to be able to add Duo two factor authentication with a usable UI. Opened a case with support, maybe all of us are wrong.

Re: Consuming user group in GlobalProtect SAML Authentication

JohnWade — Sat, 06 Jun 2020 02:09:18 GMT

For what its worth, support confirmed that there is no group support with SAML authentication. They referenced a prisma document: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-integration/authenticate-mobile-users/saml-authentication-using-okta-as-idp-for-users which does state:

"You can’t use group information that’s retrieved from the SAML assertion in either security policies or the agent client configuration in the portal and gateways. If you have a requirement to configure user group-based policies and configuration selections, you must Enable Group Mapping and retrieve the user group information from the LDAP server using Group Mapping Settings."

However I did find an unsupported workaround at least in 8.1. If you can do LDAP group mapping but want to use SAML authentication (which is what we want to support multifactor), then if you send over the SAML username in the form <domain>\<username> , it will match up to the AD/LDAP user and use the group mappings from LDAP, this may be what Ozamir references above.

This is no help for people who want to use Google exclusively.

It is definitely an incomplete implementation since the SAML configuration supports both an "Access Domain Attribute" and a "User Group Attribute" but it does not use either one for global protect. (These are only used for Mgmt SAML authentication).

Hope this information helps someone else.

Re: Consuming user group in GlobalProtect SAML Authentication

SShnap — Tue, 16 Jun 2020 15:25:08 GMT

Hi There

I had the same issue with SAML and LDAP group memberships, I'm using DUO with global protect and my intend was to customize the application based on group memberships.

I used @JohnWade solution and under authentication profile I changed username attributes from user.username (as DUO instruction) to <domain>\<username> and it is working great.

thank you for the help.

Re: Consuming user group in GlobalProtect SAML Authentication

ddixit — Sun, 19 Jul 2020 19:50:00 GMT

All you need is the Metadata after configuring the app for your portal/gateway in the Google IDP. You need two different apps for Portal and gateway if the addresses are different, unlike in Okta google doesn't support multiple URLs in a single app.

goto SAML identity> create a server profile by importing the metadata.

create an Authentication profile and call the SAML server profile you created.

goto your portal and gateway > authentication> Set it to the authentication profile you created. Commit the changes.

Re: Consuming user group in GlobalProtect SAML Authentication

Victor1 — Wed, 16 Sep 2020 15:47:18 GMT

We did this with Azure AD as well.

Out basic setup is as follows:

Configure the LDAP Server profile for the on-premise AD infrastructure (Base DN is in the following format "DC=domain,DC=local" )
Configure SAML IdP to work with Azure AD
Configure Group-Mapping using the LDAP profile. On the "User and Group Attributes" tab, we swapped "Primary Username" to be "userPrincipleName" and "Alternate Username 1" to be "sAMAccountName"
This way the SAML username attribute matches the LDAP username attribute
On the GlobalProtect side, we specified the group in the configs in the following format: "CN=User Group Name,OU=org unit,DC=domain,DC=local"
When we tried it in the "domain\group name" format, we had no success, but we found a post on reddit that suggested trying either format to see what works in your environment. Apparently the format is dependent on how your AD infrastructure is setup.

Re: Consuming user group in GlobalProtect SAML Authentication

GREMAUDO — Fri, 06 Nov 2020 12:46:37 GMT

Hello,

This is indeed an excellent workaround, tested here also in 8.1. Thanks for this information, it's really useful.

Usually, we rely on our Active Directory, which is old enough to be primarily based on the SAM Account Name, which is what the NGFW is looking for by default, in the following format : Domain\SAMAccountName (ie. acme\doej)

We began using Okta to authenticate our GlobalProtect users for non-Windows or non-Domain devices, but it was impossible to use the "groups" attribute from the SAML assertion in the GlobalProtect configuration.

We opened a case with TAC, and the answer was the following : this attribute can only be used in the "Allow List" of the Authentication Profile, but nowhere else :

In order to make this work, the username sent by Okta in the assertion must be the same as the username that the NGFW understand by default, that is, the "Domain\SAMAccountName". This is not an easily available option in Okta.

In the GlobalProtect app in Okta :

Edit the "Sign On" settings
Find "Credentials Details" section
Select "Custom" in the "Application username format"
Fill the field with this syntax : "yourdomain\" + toLowerCase(active_directory_xxxx.samAccountName)
Please note that the "active_directory_xxxx" must match your directory ID, that you can find in the

This only works, however, if you have an LDAP server somewhere... With Okta, I know there is a way to use it as an LDAP server, which might do the trick, like described in this link : https://help.okta.com/en/prod/Content/Topics/Directory/LDAP-interface-main.htm

With all this combined with a bit of Group-Mapping, you could tinker this to work as expected ! 🙂

It's unfortunate that PAN does not seem to want to integrate a wider use of the group attribute of the SAML Assertion. It complexifies the use of SAML, with little to no documentation... 😞

Re: Consuming user group in GlobalProtect SAML Authentication

CCIE11129 — Fri, 27 Nov 2020 22:24:44 GMT

I have been attempting this with Azure SAML. Currently I don't see the group attribute being sent by Azure so I can't test what I was wanting to test.

I found a document that showed an example of Admin Role being used from SAML attribute where the role name matched a GlobalProtect admin role. I wondered if this same concept would work for an empty local user group on GlobalProtect. Even though I can't use the group attribute from SAML assertion, I can use an empty local user group and was hopeful that the group sent from SAML with the same name as a local user group would work the same way admin role assertion does.

Have you created an empty local group in GlobalProtect and put it in a VPN matching policy and see if the SAML group assertion with the same group name would trigger a policy match?

Re: Consuming user group in GlobalProtect SAML Authentication

28ACOK — Tue, 24 Aug 2021 20:34:57 GMT

Hello Vicotr,

How did you setup Globalprotect to use ldap for some users and saml authentication for the others based on user group?

In out case when we use saml and ldap authentication profile, it always authenticates against ldap and doesnt get to the saml profile at all.

Re: Consuming user group in GlobalProtect SAML Authentication

LAYER_8 — Wed, 25 Aug 2021 16:53:42 GMT

For what it's worth, Palo innovated a SAML 2.0 group mapping ingestion service in PAN-OS 10.1. See more on the cloud identity engine here.

Re: Consuming user group in GlobalProtect SAML Authentication

Leo_Huang — Fri, 22 Oct 2021 05:36:59 GMT

Hi GREMAUDO,

I am trying to implement Okta with Palo Alto as well. But I can't get it to work by following your instructions. Could you please provide more details on how you configure the Palo Alto side, like the Auth profile settings.

Thanks

Leo

Re: Consuming user group in GlobalProtect SAML Authentication

GREMAUDO — Tue, 02 Nov 2021 13:21:18 GMT

Hi,

Did you follow this document ? https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-GlobalProtect.html

It's the one I used to properly setup Okta + PAN.

Cheers.