topic Group Login condition Azure Groups in GlobalProtect Discussions https://live.paloaltonetworks.com/t5/globalprotect-discussions/group-login-condition-azure-groups/m-p/558274#M4388 <P>Hi,</P> <P>We are using our on prem LDAP to fetch groups on the Palo. For GP authentication as well, we are using group in</P> <P>1) GP Portal &gt; Agent &gt; Config Selection Criteria &gt; User/User Group</P> <P>2) GP Gateway &gt; Agent &gt; Client Settings &gt;&nbsp;Config Selection Criteria&nbsp;</P> <P>&nbsp;</P> <P>This works well with on prem LDAP. Now we are trialling out SAML with Azure. The Authentication on the SAML succeeds but GP fails to connect because the firewall cannot find the proper group for the user. After looking at logs, it looks like, when we use LDAP the user is identified as domain\username and firewall can lookup LDAP group. When using SAML authentication, the user is identified as <A href="mailto:firstname.lastname@companyname.com" target="_blank">firstname.lastname@companyname.com</A></P> <P>&nbsp;</P> <P>Any idea how to resolve this?</P> Mon, 18 Sep 2023 04:48:43 GMT rjdahav163 2023-09-18T04:48:43Z Group Login condition Azure Groups https://live.paloaltonetworks.com/t5/globalprotect-discussions/group-login-condition-azure-groups/m-p/558274#M4388 <P>Hi,</P> <P>We are using our on prem LDAP to fetch groups on the Palo. For GP authentication as well, we are using group in</P> <P>1) GP Portal &gt; Agent &gt; Config Selection Criteria &gt; User/User Group</P> <P>2) GP Gateway &gt; Agent &gt; Client Settings &gt;&nbsp;Config Selection Criteria&nbsp;</P> <P>&nbsp;</P> <P>This works well with on prem LDAP. Now we are trialling out SAML with Azure. The Authentication on the SAML succeeds but GP fails to connect because the firewall cannot find the proper group for the user. After looking at logs, it looks like, when we use LDAP the user is identified as domain\username and firewall can lookup LDAP group. When using SAML authentication, the user is identified as <A href="mailto:firstname.lastname@companyname.com" target="_blank">firstname.lastname@companyname.com</A></P> <P>&nbsp;</P> <P>Any idea how to resolve this?</P> Mon, 18 Sep 2023 04:48:43 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/group-login-condition-azure-groups/m-p/558274#M4388 rjdahav163 2023-09-18T04:48:43Z