https://live.paloaltonetworks.com/t5/globalprotect-discussions/agent-client-settings-user-name-match-when-saml/m-p/517572#M3248 <P data-unlink="true">Usernames are "<A href="mailto:user@domain.com&quot;" target="_blank">user@domain.com"</A>&nbsp;on both logs and configuration.</P> Wed, 12 Oct 2022 07:33:17 GMT Anbjorn 2022-10-12T07:33:17Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/agent-client-settings-user-name-match-when-saml/m-p/515803#M3191 <P>I have a SAML setup where I want to match a specific user name to an agent config in the gateway:</P> <P>Gateway -&gt; Agent -&gt; Client settings -&gt;</P> <P>Source User : &lt;username&gt;</P> <P>OS: Any</P> <P>Region/IP address: empty</P> <P>&nbsp;</P> <P>In the SAML authentication profile the username is listed in the Allow List and is authenticated correctly. However, the client errors with "Client config not found". If I set Source User in Agent Client settings to Any, it works and user name show up in both traffic and GP logs.</P> <P>&nbsp;</P> <P>Documentation says "You must configure group mapping (<SPAN class="uicontrol">Device</SPAN> &gt; <SPAN class="uicontrol">User Identification</SPAN> &gt; <SPAN class="uicontrol">Group Mapping Settings</SPAN>) before you can select users and groups.", but this is only for AD group mapping. How can I match the username in the SAML login in the Agent client setting?</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 23 Sep 2022 12:14:21 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/agent-client-settings-user-name-match-when-saml/m-p/515803#M3191 Anbjorn 2022-09-23T12:14:21Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/agent-client-settings-user-name-match-when-saml/m-p/517312#M3239 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/118374">@Anbjorn</a> ,</P> <P>How do you configure the username for the client settings? Are you using "user@domain.com" or "domain\user" format?</P> <P>If you set source username as any and clients connect and get settings successfully, what format you see for the username in the GlobalProtect logs?</P> Mon, 10 Oct 2022 14:24:23 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/agent-client-settings-user-name-match-when-saml/m-p/517312#M3239 aleksandar.astardzhiev 2022-10-10T14:24:23Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/agent-client-settings-user-name-match-when-saml/m-p/517572#M3248 <P data-unlink="true">Usernames are "<A href="mailto:user@domain.com&quot;" target="_blank">user@domain.com"</A>&nbsp;on both logs and configuration.</P> Wed, 12 Oct 2022 07:33:17 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/agent-client-settings-user-name-match-when-saml/m-p/517572#M3248 Anbjorn 2022-10-12T07:33:17Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/agent-client-settings-user-name-match-when-saml/m-p/532491#M3732 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/118374">@Anbjorn</a> - did you ever figure this out?&nbsp; I am having a similar issue.&nbsp; I am using SAML and I have an "any" user config which works fine.&nbsp; But I am trying to add a more restrictive config above that one, which contains specific users or groups, and cannot get it to work. All users keep matching the "any" rule.</P> Tue, 28 Feb 2023 17:09:39 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/agent-client-settings-user-name-match-when-saml/m-p/532491#M3732 tamerfahmy 2023-02-28T17:09:39Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/agent-client-settings-user-name-match-when-saml/m-p/573085#M4831 <P>Same here</P> <P>We are able to supply configuration to SAML groups using cloud identity engine to pull user to group membership.</P> <P>But we can not supply configuration directly to saml users</P> <P>Did anyone figure this out ?&nbsp;</P> <P>We do not have any AD or LDAP for user group matching&nbsp;</P> Mon, 15 Jan 2024 16:04:56 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/agent-client-settings-user-name-match-when-saml/m-p/573085#M4831 gudmundur 2024-01-15T16:04:56Z