https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-group-mapping-with-gp-saml-user-id/m-p/1225084#M6612 <P>Hi,</P> <P>&nbsp;</P> <P>I've got GP configured with SAML authentication and it works great. However, I would need to get out User-ID or group so that I can use them in security policies to allow or deny specific rules and access to resources.</P> <P><BR />Is that possible and how?</P> <P>Thanks</P> Sat, 29 Mar 2025 16:59:01 GMT GregorJus 2025-03-29T16:59:01Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-group-mapping-with-gp-saml-user-id/m-p/1225084#M6612 <P>Hi,</P> <P>&nbsp;</P> <P>I've got GP configured with SAML authentication and it works great. However, I would need to get out User-ID or group so that I can use them in security policies to allow or deny specific rules and access to resources.</P> <P><BR />Is that possible and how?</P> <P>Thanks</P> Sat, 29 Mar 2025 16:59:01 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-group-mapping-with-gp-saml-user-id/m-p/1225084#M6612 GregorJus 2025-03-29T16:59:01Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-group-mapping-with-gp-saml-user-id/m-p/1225098#M6616 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/515434985">@GregorJus</a> ,</P> <P>&nbsp;</P> <P>Yes, it is possible.&nbsp; All you need to do is enable User-ID on the GP zone in order to turn it on.&nbsp; GP maps the username to IP address.</P> <P>&nbsp;</P> <P>You have to use LDAP or Cloud Identity Engine (CIE) to map users to groups.&nbsp; In order for group mapping to work, the username in the "show user ip-user-mapping all" command must match exactly with the username in the "show user group name "&lt;group_name_from_show_user_group_list&gt;" command.</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/user-id/map-users-to-groups" target="_blank">https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/user-id/map-users-to-groups</A></P> <P><A href="https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-users-with-the-cloud-identity-engine/configure-the-cloud-identity-engine-as-a-mapping-source-on-the-firewall" target="_blank">https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-users-with-the-cloud-identity-engine/configure-the-cloud-identity-engine-as-a-mapping-source-on-the-firewall</A></P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpCCAS" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpCCAS</A></P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVcCAK&amp;lang=en_US" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVcCAK&amp;lang=en_US</A></P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> <P><LI-WRAPPER></LI-WRAPPER></P> Mon, 31 Mar 2025 02:22:50 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-group-mapping-with-gp-saml-user-id/m-p/1225098#M6616 TomYoung 2025-03-31T02:22:50Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-group-mapping-with-gp-saml-user-id/m-p/1225181#M6617 <P>Hi, Tom,</P> <P>&nbsp;</P> <P>Thank you for your reply, however, it doesn't quite fulfil the requirements I have, just yet. User-ID is already enabled on the zone and I can see the user in the monitor logs. However, I still can't use those users (e.g. <A href="mailto:name.lastname@domain.com" target="_blank">name.lastname@domain.com</A>) in security policies, which is what I would need to do.</P> <P>&nbsp;</P> <P>LDAP is not an option here, sadly, because these are cloud only (Azure AD joined) machines only - there is no domain on-prem and no hybrid solution possible. I have already implemented CIE as well, however, the issue I am having with it is being unable to fully disable opening browser (even just one tab) with connection notification as users do not want that.</P> <P>&nbsp;</P> <P>Thanks,<BR />G</P> Mon, 31 Mar 2025 08:22:44 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-group-mapping-with-gp-saml-user-id/m-p/1225181#M6617 GregorJus 2025-03-31T08:22:44Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-group-mapping-with-gp-saml-user-id/m-p/1225195#M6618 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/515434985">@GregorJus</a> ,</P> <P>&nbsp;</P> <P>Does the command "show user ip-user-mapping all" show users?</P> <P>&nbsp;</P> <P>Does the command "show user group list" show groups?&nbsp; If so, pick a group and run the "show user group name "&lt;group_name&gt;" command.&nbsp; Do the usernames match the previous command exactly?</P> <P>&nbsp;</P> <P>The browser (step 9 in the CIE URL I provided) is not needed if you are using GP for user/IP mapping.</P> <P>&nbsp;</P> <P>Why can't you use the users in the security policy?&nbsp; They will not automatically show up in the drop down list.&nbsp; You have to start typing the name and they will show up.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Mon, 31 Mar 2025 10:03:18 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/user-group-mapping-with-gp-saml-user-id/m-p/1225195#M6618 TomYoung 2025-03-31T10:03:18Z