topic Re: Identify users (UIA) authenticating with SAML in General Topics

Identify users (UIA) authenticating with SAML

BigPalo — Mon, 22 Sep 2025 13:42:02 GMT

HI,

We have some users authenticating with SAML (EntraID) but these users are not being identifing in UIA. Is possible to get the info in UIA and palo about users authenticating in SAML?

any idea or KB?

Re: Identify users (UIA) authenticating with SAML

BPry — Mon, 22 Sep 2025 14:41:41 GMT

@BigPalo,

When you say that they're authenticating, do you mean that you're using SAML with Entra for something like GlobalProtect or an authentication policy or authenticating to the device through a hybrid or Entra-joined endpoint? I'm going to assume the later at the moment and if that's the case, you'll want to look into Cloud Identity Engine that handles this sort of thing.

Re: Identify users (UIA) authenticating with SAML

BigPalo — Tue, 23 Sep 2025 14:14:21 GMT

I explain you better

We have devices that are not in the on-premises domain and are using Azure AD. Authentication is OK but PA doesnt have the group belongs users since its not recognised.
These devices connect to Wi-Fi and are validated with a Wi-Fi certificate (CISCO ISE). Once access to the Wi-Fi network is granted, they register with the UIA, and Palo Alto has the mapping for these users.

The problem is that some devices are not configured and attack Azure AD directly. These devices are not recognized by Palo Alto or the UIA and do not match the group rules (obviously).

The question is how Palo Alto and UIA can integrate with Azure AD to also access information about users who log in there and be able to create rules for groups.