topic Re: Global Protect Connectivity Issue in GlobalProtect Discussions

Global Protect Connectivity Issue

H.Thiam — Thu, 15 Jan 2026 21:34:19 GMT

I am deploying GlobalProtect and have configured the Gateway Agent Client Settings with the following Source User in the Config Selection Criteria: connect\vpnusers

I am a member of this group. The group is retrieved from our internal LDAP server via User Identification → Group Mapping, with the following attributes configured:

Primary Username: sAMAccountName
Email: mail

Users authenticate to the GlobalProtect portal and gateway using SAML (Duo). The Authentication Profile that references the SAML server profile is configured with the following Username Attribute:

The issue I am encountering is that whenever I attempt to connect, GlobalProtect fails with the error: Matching Client Config not found

However, when I change the Source User in the Config Selection Criteria to any, the connection succeeds. This indicates that the issue is specifically related to the user group–based matching.

I strongly suspect there is a username format mismatch between SAML and LDAP. I have tried multiple variations of the username format, but none have resolved the issue.

According to the GlobalProtect logs, the firewall is identifying me as:

Can anyone please advise on how to correctly align the SAML and LDAP username formats so that the user is properly matched to the LDAP group and the correct client configuration is applied?

Re: Global Protect Connectivity Issue

BPry — Thu, 15 Jan 2026 21:45:16 GMT

@H.Thiam,

Someone with Duo can probably provide you more information, but it looks like the attribute that Duo wants to utilize would be User.Username for your authentication profile according to their docs

Re: Global Protect Connectivity Issue

H.Thiam — Thu, 15 Jan 2026 22:18:01 GMT

Thanks for the feedback . I have tried the User.Username attribute but same outcome . I have also come across a recommendation to update the User Domain and User Modifier fields within the SAML authentication profile so it forces the firewall to match the SAML format to the LDAP group Mapping . However those fields are only applicable to the TACACS type .

Re: Global Protect Connectivity Issue

TomYoung — Fri, 16 Jan 2026 00:48:51 GMT

Hi @H.Thiam ,

I had a similar problem with my GP SAML username format user@domain.com and my LDAP group mapping domain\user. The users were not matching the groups. Changing the User Domain under Device > User Identification > Group Mapping Settings > [edit group mapping] > Server Profile > Domain Setting caused the GP SAML usernames to change from user@domain.com to domain\user so that the LDAP groups would work. All other fields remained the default (except the Update Interval).

Thanks,

Tom

Re: Global Protect Connectivity Issue

H.Thiam — Mon, 19 Jan 2026 23:08:24 GMT

@TomYoung . Thank you for the response . I have replaced the User Domain value as suggested . domain\user but getting the below error . Any ideas why ?

Previously the value was only the domain without \user .

Thanks

Re: Global Protect Connectivity Issue

TomYoung — Tue, 20 Jan 2026 01:57:29 GMT

Hi @H.Thiam ,

You only put your domain name in the box. Please take out the \user.

Thanks,

Tom

Re: Global Protect Connectivity Issue

H.Thiam — Tue, 20 Jan 2026 14:59:12 GMT

@TomYoung

That is how it was configured before , just the domain ( connect.org) . I get a prompt form the Duo SAML authentication and can confirm I belong to the LDAP group ( connect\vpnusers ) configured as source user in agent Config Selection Criteria , I am still getting the same error for some reason . Somehow the username attribute sent by Duo still do not seem to reconcile with the LDAP attribute .

This is how I configured the Group Mapping User and Group Attributes

Thanks

Re: Global Protect Connectivity Issue

TomYoung — Tue, 20 Jan 2026 16:58:36 GMT

Hi @H.Thiam ,

The Domain field is the NetBIOS domain. So, normally you would only put "connect" in the field. Try it without the .org. Your User and Group Attributes are correct. So, you "can confirm I belong to the LDAP group ( connect\vpnusers ) configured as source user in agent Config Selection Criteria"? The error you are getting says that the username does NOT match the configured user or group. https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000PLc9

The username to check will be under Monitor > Logs > User-ID. The User column should read connect\user while the User Provided by Source column should read user@connect.org.

Thanks,

Tom

Re: Global Protect Connectivity Issue

H.Thiam — Wed, 21 Jan 2026 14:28:14 GMT

@TomYoung

We only added the NetBios name and still failed however we got it working leaving the field blank . It looks like it is behaving differently with version 11.1 . But as you suggested the domain requirement is still valid for version 10 I believe . Thanks a lot for all your feedback .