The user information linked in the CIE does not match the match criteria in the GP's application settings.

AikawaHinata — Wed, 30 Jul 2025 01:36:51 GMT

We would like to know the user information that corresponds to the GP sign-in account and tunnel settings and other matching conditions.

We are currently verifying SAML login and SSO in our verification environment.
In the GP application and tunnel settings, we have specified the user information obtained from the Entra ID as the matching condition, but we have not found the desired setting, and we are applying the application and tunnel settings that have “any” set as the matching condition in the subordinate settings.

SAML authentication using the CIE authentication profile has succeeded without any problems, and authentication using the SAML authentication profile has also succeeded without any problems.

In addition, we are currently specifying a user who is displayed in the “username@domain” format as a match condition (we are aware that this format is displayed by setting the primary user name to UPN on the SCM).
On the other hand, when the actual GP connection is made, the intended application settings and tunnel settings are not used, and other settings with any match condition are applied.

◆Reference documents for initial environment construction
・SCIM linking of CIE and Entra ID
Configuration of SCIM connector for Cloud Identity Engine
・SAML authentication using CIE
https://docs.paloaltonetworks.com/prisma-access/integration/microsoft-integrations-with-prisma-access/azure-ad-saml-authentication-for-mobile-user-deployments/configure-mobile-users-using-cloud-identity-engine

Prisma Access configuration
・Both Group Mapping and SAML authentication are configured via Cloud Identity Engine (CIE) with SCIM connector.
The matching condition for tunnel and application settings is the user obtained from Entra ID, and the relevant settings have been moved to the top of the list.
There is no problem with the GP connection.
For NGFW and Prisma Access>ID Service>CIE>User Attributes, the user principal name (UPN) is selected as the primary name. Alternative user names and mail fields are set to None.
In the CIE, the linked users are visible, and the Sync Status is Success.

We have configured the system based on the document, but because the assumed GP application settings and tunnel settings are not being used, we have changed the Entra ID settings as follows.
Entra ID settings
The following settings have been changed to UPN in the Palo Alto Networks SCIM Connector and Palo Alto Networks Cloud Identity Engine of the enterprise application.
Home>Default Directory>Enterprise Applications>Palo Alto Networks SCIM Connector>Provisioning>Mapping>Provision Microsoft Entra ID Users
-> PaloAltoNetworks attribute Microsoft Entra ID attributes corresponding to userName and displayName are both changed to UPN.
Home>Default Directory>Enterprise Applications>Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service>Single Sign-On>Attributes and Claims>Change
unique username value to UPN.

◆Questions:
We believe that there is no applicable section in the SCM configuration except NGFW and Prisma Access>ID Service>CIE>User Attributes, and we assume that the Entra ID side may be returning user information other than UPNs.
Therefore, we would like to know two points.

Question 1: Are there any settings required by Entra ID for SCIM linkage other than the settings listed in the
configuration details?
Question 2) We do not think there are any settings other than NGFW and Prisma Access>ID Service>CIE>User Attributes in
SCM, is this correct?

topic The user information linked in the CIE does not match the match criteria in the GP's application settings. in Prisma Access Discussions

The user information linked in the CIE does not match the match criteria in the GP's application settings.