https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-saml-authentication-works-fails-on-matching/m-p/558136#M4384 <P>I ended up contacting Palo support and I for ones got a good engineer on the line.&nbsp;&nbsp;</P> <P>We figured out the issue was with the certificate profile, without client certificate it worked.&nbsp; Normally the domain is taken from the Certificate.&nbsp; For the group mapping you have to specify the NEBTIOS domain name.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zGomez_1-1694786828801.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53760iDC3E399328FB3FE2/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="zGomez_1-1694786828801.png" alt="zGomez_1-1694786828801.png" /></span></P> <P>&nbsp;</P> <P>This solved the group mapping issue.</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 15 Sep 2023 14:07:52 GMT zGomez 2023-09-15T14:07:52Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-saml-authentication-works-fails-on-matching/m-p/556778#M4365 <P>Hi,</P> <P>I am trying to configure globalprotect to use SAML authentication for the portal and gateway.&nbsp; The authentication seems to work but when, but i am not getting a valid client config when i use groups in allow list.&nbsp;</P> <P>I am sure it is related to group mapping and user id but don't know where exactly it is going wrong.</P> <P>&nbsp;</P> <P>I have the following configuration on Azure:&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zGomez_0-1694012059685.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53468i1EA65785F34ACB0E/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="zGomez_0-1694012059685.png" alt="zGomez_0-1694012059685.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zGomez_1-1694012177202.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53469i189EB89C8F542853/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="zGomez_1-1694012177202.png" alt="zGomez_1-1694012177202.png" /></span></P> <P>When authenticating i am seeing the following in the logs on the gateway.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zGomez_2-1694012661065.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53470iA0539894CBD015E1/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="zGomez_2-1694012661065.png" alt="zGomez_2-1694012661065.png" /></span></P> <P>&nbsp;</P> <P>First it tries with username.firstname this fails then it tries with the formated version and the authentication works.</P> <P>My authentication profile is configured as follows, it also has an allow list that is allowing only certain group.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zGomez_3-1694012917716.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53471i81CB54EF72C009B6/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="zGomez_3-1694012917716.png" alt="zGomez_3-1694012917716.png" /></span></P> <P>This seems to be working besides the fact that it tries with 2 different formats.&nbsp; Then the user tries to fetch the config with the same group limitation as the authentication profile this seems to fail.&nbsp; When i remove the group it works and the client can get it's config.</P> <P>I have double checked the format off the groupname and both are the same.</P> <P>My groupmapping is configured as follows.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zGomez_5-1694013360208.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53473i1A4EF51913172563/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="zGomez_5-1694013360208.png" alt="zGomez_5-1694013360208.png" /></span></P> <P>Do i need to add alternate username 1:&nbsp; userpincipalname?</P> <P>The problem is located somewhere over here.&nbsp; I just don't understand why i works for the authentication and not for the getclient config.</P> <P>Any help on this would be appreciated or some clarification on the claims vs auth/group mapping.<BR /><BR /></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 06 Sep 2023 15:23:28 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-saml-authentication-works-fails-on-matching/m-p/556778#M4365 zGomez 2023-09-06T15:23:28Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-saml-authentication-works-fails-on-matching/m-p/558136#M4384 <P>I ended up contacting Palo support and I for ones got a good engineer on the line.&nbsp;&nbsp;</P> <P>We figured out the issue was with the certificate profile, without client certificate it worked.&nbsp; Normally the domain is taken from the Certificate.&nbsp; For the group mapping you have to specify the NEBTIOS domain name.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zGomez_1-1694786828801.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53760iDC3E399328FB3FE2/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="zGomez_1-1694786828801.png" alt="zGomez_1-1694786828801.png" /></span></P> <P>&nbsp;</P> <P>This solved the group mapping issue.</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 15 Sep 2023 14:07:52 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-saml-authentication-works-fails-on-matching/m-p/558136#M4384 zGomez 2023-09-15T14:07:52Z