https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-group-mapping-for-azure-saml/m-p/996231#M6189 <P>Hi,</P> <P>&nbsp;</P> <P>GP Authentication with Azure SAML is fine,&nbsp; but for authorization i want to extract the groupname asserted by Azure SAML in palo alto so that these groupnames can be utilized in GP gateway configuration to assign unique vpn pool and to configure security rule to control the resource access.</P> <P>&nbsp;</P> <P>we dont have the feasibility to use Cloud Identity Engine (CIE) for this task.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 03 Dec 2024 13:52:15 GMT l2-security 2024-12-03T13:52:15Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-group-mapping-for-azure-saml/m-p/996113#M6187 <P>Hi All,</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>I have configured Azure with Global protect enterprise application for SAML and configured the Group claim attribute as "group -&gt; user.group" which as 3 usergroups Sales, IT , and Developers.</P> <P>&nbsp;</P> <P>And in the Palo alto firewall (10.2.8), SAML and Authentication profile is configured.</P> <P>&nbsp;</P> <P>Can any one brief me how to configure the Group mapping setting for this SAML profile under User Identification, since the group mapping server profile as only option to configure LDAP , Screenshot attached.<BR /><BR /></P> Tue, 03 Dec 2024 07:34:23 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-group-mapping-for-azure-saml/m-p/996113#M6187 l2-security 2024-12-03T07:34:23Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-group-mapping-for-azure-saml/m-p/996206#M6188 <P>you do not need group claims in the globalprotect enterprise application. To restrict which users can authenticate, you would add that group to the 'Users and Groups' instead</P> <P>&nbsp;</P> <P>To configure group mapping (assuming you are cloud-only) you would need to set up the Cloud Identity Engine (CIE) via apps.paloaltonetworks.com and connect that to your EntraID/azure</P> <P>&nbsp;</P> <P>once the CIE is configured and connected to your EntraID, and your firewall has been set up with the device certificate, it will automatically become available when configuring CIE</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="reaper_0-1733229086004.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/64446i9346F7DE7050E9AE/image-size/large?v=v2&amp;px=999" role="button" title="reaper_0-1733229086004.png" alt="reaper_0-1733229086004.png" /></span></P> <P>&nbsp;</P> <P>once the CIE is connected to your firewall, you can start using AD groups in your security rules</P> Tue, 03 Dec 2024 12:32:44 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-group-mapping-for-azure-saml/m-p/996206#M6188 reaper 2024-12-03T12:32:44Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-group-mapping-for-azure-saml/m-p/996231#M6189 <P>Hi,</P> <P>&nbsp;</P> <P>GP Authentication with Azure SAML is fine,&nbsp; but for authorization i want to extract the groupname asserted by Azure SAML in palo alto so that these groupnames can be utilized in GP gateway configuration to assign unique vpn pool and to configure security rule to control the resource access.</P> <P>&nbsp;</P> <P>we dont have the feasibility to use Cloud Identity Engine (CIE) for this task.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 03 Dec 2024 13:52:15 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-group-mapping-for-azure-saml/m-p/996231#M6189 l2-security 2024-12-03T13:52:15Z