https://live.paloaltonetworks.com/t5/general-topics/user-id-rules/m-p/542451#M111111 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/249853">@Sanjay_Ramaiah</a> ,</P> <P>&nbsp;</P> <P>If you change the Primary Username to <SPAN><SPAN class="richTextArea slds-text-longform tile__title red-txt">userPrincipalName</SPAN></SPAN>, then it will list the group members in UPN format.&nbsp; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CpgcCAC&amp;lang=en_US%E2%80%A9" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CpgcCAC&amp;lang=en_US%E2%80%A9</A>&nbsp; The users in the group will match your SAML format.</P> <P>&nbsp;</P> <P>Maybe you cannot do that because you have other User-ID sources currently working with group mapping.&nbsp; If this is the case, you are on the right track to get your usernames standardized in the right format.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 17 May 2023 09:59:43 GMT TomYoung 2023-05-17T09:59:43Z https://live.paloaltonetworks.com/t5/general-topics/user-id-rules/m-p/542264#M111080 <P>Hi Team,</P> <P>We have implemented SAML authentication for GP users. Since then the Source User logs are being seen as email IDs and not with the SAMACCOUNTNAME. So the rules implemented with the LDAP user groups are not working. Is there any way we can get this sorted?</P> <P>Regards,</P> <P>Sanjay S</P> Tue, 16 May 2023 07:01:34 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-rules/m-p/542264#M111080 Sanjay_Ramaiah 2023-05-16T07:01:34Z https://live.paloaltonetworks.com/t5/general-topics/user-id-rules/m-p/542297#M111086 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/249853">@Sanjay_Ramaiah</a> ,</P> <P>&nbsp;</P> <P>What do you have configured for your Primary Username under Device &gt; User Identification &gt; Group Mapping Settings &gt; User and Group Attributes?</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TomYoung_0-1684235448163.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50181i8F18DA02DD147908/image-size/medium?v=v2&amp;px=400" role="button" title="TomYoung_0-1684235448163.png" alt="TomYoung_0-1684235448163.png" /></span></P> <P>&nbsp;</P> <P>That should fix the problem.&nbsp; If not, there are a couple other options:</P> <P>&nbsp;</P> <OL> <LI>Many SAML providers allow you to change the username format in their configuration.</LI> <LI>Normally, you could adjust the User Domain and Username Modifier fields in the authentication profile, but SAML is different.&nbsp; I wonder if modifying the User Attributes in SAML Messages from IDP would fix it?</LI> </OL> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> <P>&nbsp;</P> <P>Edit:&nbsp; Forgot to post URL -&gt; <A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/user-identification/device-user-identification-group-mapping-settings" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/user-identification/device-user-identification-group-mapping-settings</A>.</P> <P>&nbsp;</P> Tue, 16 May 2023 19:48:32 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-rules/m-p/542297#M111086 TomYoung 2023-05-16T19:48:32Z https://live.paloaltonetworks.com/t5/general-topics/user-id-rules/m-p/542421#M111106 <P>Thank you very much Tom for your reply.</P> <P>In the Group Mapping we have configured the Server Profile with the PrimaryUsername as SAMACCOUNTNAME itself. After we started using SAML it will not check the Group Mappings right so now we are facing this issue.</P> <P>&nbsp;</P> <P>As you suggested will check at the SAML Provider end to see if we can make some changes. Will keep this chain updated. Thanks again <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 17 May 2023 07:30:25 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-rules/m-p/542421#M111106 Sanjay_Ramaiah 2023-05-17T07:30:25Z https://live.paloaltonetworks.com/t5/general-topics/user-id-rules/m-p/542451#M111111 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/249853">@Sanjay_Ramaiah</a> ,</P> <P>&nbsp;</P> <P>If you change the Primary Username to <SPAN><SPAN class="richTextArea slds-text-longform tile__title red-txt">userPrincipalName</SPAN></SPAN>, then it will list the group members in UPN format.&nbsp; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CpgcCAC&amp;lang=en_US%E2%80%A9" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CpgcCAC&amp;lang=en_US%E2%80%A9</A>&nbsp; The users in the group will match your SAML format.</P> <P>&nbsp;</P> <P>Maybe you cannot do that because you have other User-ID sources currently working with group mapping.&nbsp; If this is the case, you are on the right track to get your usernames standardized in the right format.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 17 May 2023 09:59:43 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-rules/m-p/542451#M111111 TomYoung 2023-05-17T09:59:43Z