topic AzureAD Group Mapping for GP in GlobalProtect Discussions

AzureAD Group Mapping for GP

SBI_INFRASTRUCTURE — Wed, 24 Jun 2020 03:43:00 GMT

Hello,

We're currently implementing GlobalProtect with SAML Authentification to AzureAD only (no hybrid) based on groups for easier management.

Example :

Groupe1 is given an IP_Pool1 IP with access to subnet1

Groupe2 is given an IP_Pool2 IP with access to subnet 1 and 2

As of today, we didn't find any way to do it properly and from what we've seen online it may not be supported at all without any third party or on-prem AD.

Did any of you ran into that issue before and did you find the solution?

Thanks.

Re: AzureAD Group Mapping for GP

domari — Thu, 25 Jun 2020 15:59:00 GMT

Hello,

From my understanding, you would like to configure AzureAD group-mappings on the firewall as in you would like for the firewall to pull user groups from AzureAD?

If that's the case, please bare in mind that the firewall supports LDAP profiles only with group mapping configuration.

Reference:

https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/authentication/enable-group-mapping

If I misunderstood the question, please feel free to clarify.

Re: AzureAD Group Mapping for GP

OwenFuller — Thu, 25 Jun 2020 18:01:18 GMT

This should be possible.

First, enable group mapping using the documentation @domari mentioned. Make sure you add the included groups to the group mapping profile in distinguished name format (e.g. cn=groupe1,ou=myou,o=mydomain,o=local) in lower case. I have seen them fail time and time again if you use uppercase letters, or enter them in mydomain\somename format. Verify that your firewall is seeing the groups, and members using the steps here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVcCAK

In you have a client IP pool listed under your-GP-gateway > Agent > Client IP pool, then these IPs will apply to all gateway users. You will need to delete this in order to enable separate pools for different groups.

Under your-GP-gateway > Client Settings, create a config for Groupe1. Under Source User, add Groupe1 once again using the distinguished name in lowercase (e.g. cn=groupe1,ou=myou,o=mydomain,o=local). Go to the IP Pools tab, and add your pool for Groupe1 users. Under Split Tunnel, add the included subnets you want to allow to be accessed over the VPN. Configure any other settings in the client config you need. Repeat the process for Groupe2 users.

You will also need Security Policies which will allow access. You can use the same groups for source users in those policies as well.

Re: AzureAD Group Mapping for GP

SBI_INFRASTRUCTURE — Fri, 26 Jun 2020 03:18:34 GMT

@domari Hello,

Yes you understood correctly.

The thing is to be able to use LDAP or LDAP-S to connect to AzureAD you will need to use an intermediate called Azure AD Domain Services which requires a pay-to-use subscription. We want to reduce our cloud ans SaaS subscriptions footprint to a minimum and it would make us go the wrong way tho.

It seems like, as of today, being able to pull out groups mapping directly from AzureAD is not possible.

Re: AzureAD Group Mapping for GP

domari — Fri, 26 Jun 2020 03:55:03 GMT

Please feel free to reach out to your SE for a feature request. Maybe in the future desgin this could be possible.

Re: AzureAD Group Mapping for GP

SBI_INFRASTRUCTURE — Fri, 26 Jun 2020 04:41:59 GMT

Will do - thanks for you input.

Re: AzureAD Group Mapping for GP

Tony_Ellis — Wed, 17 Feb 2021 18:45:07 GMT

Yeah that is what i found as well. What i ended up doing, on an ASA, is authenticating my users to Azure, but then using secondary authorization to the internal AD user to map the users to specific groups.

Re: AzureAD Group Mapping for GP

Housing1 — Thu, 23 Sep 2021 18:23:45 GMT

How?

Re: AzureAD Group Mapping for GP

Tony_Ellis — Thu, 23 Sep 2021 18:40:27 GMT

Here you go:

tunnel-group NA_Azure_SAML type remote-access
tunnel-group NA_Azure_SAML general-attributes
address-pool VPN_Pool_1
authorization-server-group AAA-VPN-Users
default-group-policy NoAccess
tunnel-group NA_Azure_SAML webvpn-attributes
authentication saml
group-alias VPN-Secured enable
without-csd
saml identity-provider https://sts.windows.net/numbers......./

So the process is it authenticates to Azure SAML, but authorization is AAA-VPN-Users (which is AD). it looks for a security group tied to the end user and then maps that security group to a policy group on the ASA. This took awhile for me to figure out and get working. But saved me a lot of work in the long run because we have so many policy group mappings to security groups.

Re: AzureAD Group Mapping for GP

TomYoung — Thu, 23 Sep 2021 20:47:15 GMT

Hi @SBI_INFRASTRUCTURE ,

I believe the Cloud Identity Engine can now get groups from AzureAD.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/identity-features/cloud-identity-engine.html

Thanks,

Tom

Re: AzureAD Group Mapping for GP

SBI_INFRASTRUCTURE — Fri, 24 Sep 2021 01:48:22 GMT

Hello @TomYoung,

We're not yet using PANOS 10.X but we will take a look - thanks.

We ended doing what @Tony_Ellis mentioned - AzureAD/SAML for Authentification & MFA and AD on-premise for groups mapping. AzureAD information been sync from our AD on-premise to ease the user onboarding process.

Best,