https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-portal-config-azure-saml-test-config/m-p/483569#M341 <P>How will it be known if the user is in the group before the SAML authentication?</P><P>&nbsp;</P><P>The only way I see is after the users have logged into their Globalprotect agents is to have another authentication based on auth policy <A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/authentication-policy" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/authentication-policy</A> but really I think you need to better understand what is needed.</P><P>&nbsp;</P><P>&nbsp;</P><P>You may check for extra info how to sync user groups from the Azure AD if you don't want to sync from on-prem device or for the Cloud identity engine to connect to a on-prem AD server:</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access" target="_blank">https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access</A></P><P>&nbsp;</P><P>&nbsp;</P><P>How to use Ldap with Azure Ad:</P><P><A href="https://live.paloaltonetworks.com/t5/globalprotect-discussions/azuread-group-mapping-for-gp/td-p/334921" target="_blank">https://live.paloaltonetworks.com/t5/globalprotect-discussions/azuread-group-mapping-for-gp/td-p/334921</A></P><P>&nbsp;</P><P>A new feature that you can use is SCIM and the cloud identity engine without the need for service connection to the on-prem AD or to sync from on-prem firewall/agent or to pay for the Microsoft Azure Ldap feature:</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/manage-the-cloud-identity-engine/cloud-identity-engine-attributes" target="_blank">https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/manage-the-cloud-identity-engine/cloud-identity-engine-attributes</A></P><P>&nbsp;</P><P><A href="https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/sync-scim" target="_blank">https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/sync-scim</A></P><P>&nbsp;</P> Thu, 28 Apr 2022 16:21:21 GMT nikoolayy1 2022-04-28T16:21:21Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-portal-config-azure-saml-test-config/m-p/483479#M340 <P>Hi,</P><P>&nbsp;</P><P>I have the following question about Prisma Access Portal authentication,&nbsp; I would like to gradually move my users to use SAML authentication instead of the currently configured profile.</P><P>Can I accomplish this by using a group in the Allow List of the authentication profile.&nbsp; So only when you are in the group peform SAML.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 28 Apr 2022 09:42:17 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-portal-config-azure-saml-test-config/m-p/483479#M340 zGomez 2022-04-28T09:42:17Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-portal-config-azure-saml-test-config/m-p/483569#M341 <P>How will it be known if the user is in the group before the SAML authentication?</P><P>&nbsp;</P><P>The only way I see is after the users have logged into their Globalprotect agents is to have another authentication based on auth policy <A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/authentication-policy" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/authentication-policy</A> but really I think you need to better understand what is needed.</P><P>&nbsp;</P><P>&nbsp;</P><P>You may check for extra info how to sync user groups from the Azure AD if you don't want to sync from on-prem device or for the Cloud identity engine to connect to a on-prem AD server:</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access" target="_blank">https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access</A></P><P>&nbsp;</P><P>&nbsp;</P><P>How to use Ldap with Azure Ad:</P><P><A href="https://live.paloaltonetworks.com/t5/globalprotect-discussions/azuread-group-mapping-for-gp/td-p/334921" target="_blank">https://live.paloaltonetworks.com/t5/globalprotect-discussions/azuread-group-mapping-for-gp/td-p/334921</A></P><P>&nbsp;</P><P>A new feature that you can use is SCIM and the cloud identity engine without the need for service connection to the on-prem AD or to sync from on-prem firewall/agent or to pay for the Microsoft Azure Ldap feature:</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/manage-the-cloud-identity-engine/cloud-identity-engine-attributes" target="_blank">https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/manage-the-cloud-identity-engine/cloud-identity-engine-attributes</A></P><P>&nbsp;</P><P><A href="https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/sync-scim" target="_blank">https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/sync-scim</A></P><P>&nbsp;</P> Thu, 28 Apr 2022 16:21:21 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-portal-config-azure-saml-test-config/m-p/483569#M341 nikoolayy1 2022-04-28T16:21:21Z