https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-azure-saml-user-group-attribute-mapping/m-p/749062#M6167 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a> ,</P> <P>Thanks for the reply , It is still unclear how the GP will distinguish which usergroup gets which VPN pool range with a single authentication profile that includes the usergroups (derived from Azure saml) in the allow list..<BR />My aim is to make sure each usergroup fetched from Azure SAML is assigned with a specific set of vpn pool range , and with that a security rule can be configured to allow specific destination access based on the vpn pool ranges.</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 27 Nov 2024 09:39:48 GMT l2-security 2024-11-27T09:39:48Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-azure-saml-user-group-attribute-mapping/m-p/703886#M6161 <P>Hi Support,</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>I am trying to configure Globalprotect with Azure Saml integration.</P> <P>The authentication part is configured following the link (&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE</A>).</P> <P>&nbsp;</P> <P>Additionally usergroup in Azure are configured with the attribute "group"&nbsp; and is mapped to each usergroup name.</P> <P>&nbsp;</P> <P>Saml authentication profile in PA firewall contains the user group attribute name as "group" (matching the usergroup attribute from Azure).</P> <P>&nbsp;</P> <P>Now the question here is , do i need to create multiple Saml authentication profiles like one for the GP Portal authentication which contains the Allow list as "all",</P> <P>&nbsp;</P> <P>And one each for every user group with their respective&nbsp;<SPAN>Asserted</SPAN> Azure user group name&nbsp;in Allow list. which can be called in GP Gateway authentication configuration to map the usergroup with their vpn pool and other settings.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> Tue, 26 Nov 2024 13:11:44 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-azure-saml-user-group-attribute-mapping/m-p/703886#M6161 l2-security 2024-11-26T13:11:44Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-azure-saml-user-group-attribute-mapping/m-p/704805#M6164 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/275614">@l2-security</a>,</P> <P>If I understand the question properly, you should be able to just have a single profile. You can utilize the user group on the portal and the gateway to control the configuration that each group receives or whether they're able to utilize that portal/gateway. So the authentication will use the single authentication profile while the actual portal agent configuration can be driven by the group alongside the gateways client settings.</P> Wed, 27 Nov 2024 01:49:01 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-azure-saml-user-group-attribute-mapping/m-p/704805#M6164 BPry 2024-11-27T01:49:01Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-azure-saml-user-group-attribute-mapping/m-p/749062#M6167 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a> ,</P> <P>Thanks for the reply , It is still unclear how the GP will distinguish which usergroup gets which VPN pool range with a single authentication profile that includes the usergroups (derived from Azure saml) in the allow list..<BR />My aim is to make sure each usergroup fetched from Azure SAML is assigned with a specific set of vpn pool range , and with that a security rule can be configured to allow specific destination access based on the vpn pool ranges.</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 27 Nov 2024 09:39:48 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-azure-saml-user-group-attribute-mapping/m-p/749062#M6167 l2-security 2024-11-27T09:39:48Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-azure-saml-user-group-attribute-mapping/m-p/1238298#M7034 <P>Did you manage to fix it? I am also trying to figure out how the Palo Identifies which On Premise AD group (azure synced) the user belongs to so it can match a config criteria selection and receive different VPN IP pools and also a different connect method.</P> Thu, 18 Sep 2025 09:10:53 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-azure-saml-user-group-attribute-mapping/m-p/1238298#M7034 nicoleannep 2025-09-18T09:10:53Z