https://live.paloaltonetworks.com/t5/general-topics/saml-adfs-for-globalprotect/m-p/172441#M54406 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18904">@Kashif_Noor</a></P><P>&nbsp;</P><P>Why don't you just try this to see if it works? Because I would be interested too <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>&nbsp;</P><P>But now something hopefully more helpful:</P><OL><LI>As it is also possible with RADIUS, I assume that it will also work with SAML. But it's more a two way communication. One part is to have your firewall connecting to your LDAP directory to get the group mappings and also to be able to use LDAP groups in your policy or in your global protect gateway. If you there configured SAML as authentication, your IdP will tell the firewall which user just logged in and the firewall is able to check to what synchronized groups this user belongs to</LI><LI>For pre-logon you can only use a certificate profile, because at that stage the certificate is the only thing which is available without user-interaction. But SAML can then be used afterwards for userlogin, as described somehow in point 1 to apply user/group based policies/configurations.</LI></OL> Mon, 21 Aug 2017 18:13:05 GMT Remo 2017-08-21T18:13:05Z https://live.paloaltonetworks.com/t5/general-topics/saml-adfs-for-globalprotect/m-p/172240#M54393 <P>Hi,</P><P>Is someone able to shed some ligh on the below.</P><P>&nbsp;</P><P><SPAN>1. Can SAML be used to map to an LDAP group, if so is there guidance?</SPAN><BR /><SPAN>2. Does PAN&nbsp;support using SAML AND prelogon/alwayson with GP?</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>Thanks</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 18 Aug 2017 15:42:20 GMT https://live.paloaltonetworks.com/t5/general-topics/saml-adfs-for-globalprotect/m-p/172240#M54393 Kashif_Noor 2017-08-18T15:42:20Z https://live.paloaltonetworks.com/t5/general-topics/saml-adfs-for-globalprotect/m-p/172428#M54394 <P>This question was posted in the wrong area.&nbsp;</P> <P>I am moving this to the General Discussion area.</P> Mon, 21 Aug 2017 16:51:59 GMT https://live.paloaltonetworks.com/t5/general-topics/saml-adfs-for-globalprotect/m-p/172428#M54394 jdelio 2017-08-21T16:51:59Z https://live.paloaltonetworks.com/t5/general-topics/saml-adfs-for-globalprotect/m-p/172441#M54406 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18904">@Kashif_Noor</a></P><P>&nbsp;</P><P>Why don't you just try this to see if it works? Because I would be interested too <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>&nbsp;</P><P>But now something hopefully more helpful:</P><OL><LI>As it is also possible with RADIUS, I assume that it will also work with SAML. But it's more a two way communication. One part is to have your firewall connecting to your LDAP directory to get the group mappings and also to be able to use LDAP groups in your policy or in your global protect gateway. If you there configured SAML as authentication, your IdP will tell the firewall which user just logged in and the firewall is able to check to what synchronized groups this user belongs to</LI><LI>For pre-logon you can only use a certificate profile, because at that stage the certificate is the only thing which is available without user-interaction. But SAML can then be used afterwards for userlogin, as described somehow in point 1 to apply user/group based policies/configurations.</LI></OL> Mon, 21 Aug 2017 18:13:05 GMT https://live.paloaltonetworks.com/t5/general-topics/saml-adfs-for-globalprotect/m-p/172441#M54406 Remo 2017-08-21T18:13:05Z