https://live.paloaltonetworks.com/t5/globalprotect-discussions/saml-with-microsoft-adfs-and-group-mapping/m-p/499118#M2844 <P>Hi Community,</P><P>&nbsp;</P><P>we got an on prem domain and were using LDAP auth for GlobalProtect.</P><P>So everything configured, LDAP Profile, Auth Profile with userdomain and Group Mapping with userdomain.</P><P>In operation, a logged in user is recognized as netbios\samlaccountname - everything fine.</P><P>&nbsp;</P><P>Now we want to utilize our ADFS on-prem server.</P><P>We used this guide to configure it (its for Prisma, but the same approach):</P><P><A href="https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/enable-user-authentication-for-prisma-access/configure-saml-authentication-using-adfs-as-the-idp-for-mobile-users" target="_blank">https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/enable-user-authentication-for-prisma-access/configure-saml-authentication-using-adfs-as-the-idp-for-mobile-users</A></P><P>Even as we configured redirect on Palo side, the server retrieves Post request, so we changed that on ADFS side and now SAML SSO works - so good so far.</P><P>&nbsp;</P><P>The problem is:</P><P>There is no userdomain info, so our whole policyset is not matching, since the user is reported as "samaccountname" - we need "netbios\samaccountname" so that the configured LDAP group mapping is working.</P><P>&nbsp;</P><P>Does anyone has an idea how to do that with ADFS?</P><P>I haven't really found a good tutorial or documentation for it.</P><P>That relates to the settings shown in step 4 of the posting link.</P><P>&nbsp;</P><P>Looking really forward for any hints.</P><P>Windows Account Name as an outgoing claim looked good, but didn't work</P><P>&nbsp;</P><P>Best Regards</P><P>Johannes</P><P>&nbsp;</P> Fri, 03 Jun 2022 11:33:49 GMT joschoenEXTA 2022-06-03T11:33:49Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/saml-with-microsoft-adfs-and-group-mapping/m-p/499118#M2844 <P>Hi Community,</P><P>&nbsp;</P><P>we got an on prem domain and were using LDAP auth for GlobalProtect.</P><P>So everything configured, LDAP Profile, Auth Profile with userdomain and Group Mapping with userdomain.</P><P>In operation, a logged in user is recognized as netbios\samlaccountname - everything fine.</P><P>&nbsp;</P><P>Now we want to utilize our ADFS on-prem server.</P><P>We used this guide to configure it (its for Prisma, but the same approach):</P><P><A href="https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/enable-user-authentication-for-prisma-access/configure-saml-authentication-using-adfs-as-the-idp-for-mobile-users" target="_blank">https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/secure-mobile-users-with-prisma-access/enable-user-authentication-for-prisma-access/configure-saml-authentication-using-adfs-as-the-idp-for-mobile-users</A></P><P>Even as we configured redirect on Palo side, the server retrieves Post request, so we changed that on ADFS side and now SAML SSO works - so good so far.</P><P>&nbsp;</P><P>The problem is:</P><P>There is no userdomain info, so our whole policyset is not matching, since the user is reported as "samaccountname" - we need "netbios\samaccountname" so that the configured LDAP group mapping is working.</P><P>&nbsp;</P><P>Does anyone has an idea how to do that with ADFS?</P><P>I haven't really found a good tutorial or documentation for it.</P><P>That relates to the settings shown in step 4 of the posting link.</P><P>&nbsp;</P><P>Looking really forward for any hints.</P><P>Windows Account Name as an outgoing claim looked good, but didn't work</P><P>&nbsp;</P><P>Best Regards</P><P>Johannes</P><P>&nbsp;</P> Fri, 03 Jun 2022 11:33:49 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/saml-with-microsoft-adfs-and-group-mapping/m-p/499118#M2844 joschoenEXTA 2022-06-03T11:33:49Z