https://live.paloaltonetworks.com/t5/general-topics/not-able-to-normalize-upn-name-retrieved-from-saml-assertion/m-p/288977#M76910 <P>Hi Team,</P><P>&nbsp;</P><P>We have configured SAML SSO authentication for Global protect. Microsoft Azure has the active directory we have configured it as identity provider and service provider as Palo alto global protect. Trust established between Idp and SP and we are able to authenticate portal using microsoft azure.&nbsp;</P><P>&nbsp;</P><P>But the problem in allowing list in authentication profile and user/user group in Global protect gateway, When azure signs the SAML assertion from Palo alto it authenticates and sends the SAML response as UPN name from the username attribute in azure.</P><P>&nbsp;</P><P>Palo alto retived this UPN name and allowing the global protect portal and gateway configuraion only if we set the allowlist to any and user/user group to any. If we specify the username in UPN format or domain name format it is not able to validate the username and throws an error while connecting to gateway as "Matching client config not found".</P><P>&nbsp;</P><P>palo alto says&nbsp;<STRONG>you cannot configure the firewall to modify the domain/username string that a user enters during SAML logins, the login username must exactly match an Allow List entry.</STRONG></P><P>&nbsp;</P><P>But when I configure this UPN name as a match in allowlist or user/user group it is not matching and working. Group mapping also not working in this case as server profile will normalize only for AD.</P><P>&nbsp;</P><P>Is there a way to normalize UPN name to domain format or any other way to restrict the allowlist in authentication profile and user/user group in gateway.</P><P>&nbsp;</P><P>Please let me know if you need more information.&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>Venky</P> Wed, 18 Sep 2019 18:09:00 GMT Venkatesan_radhakrishnan 2019-09-18T18:09:00Z https://live.paloaltonetworks.com/t5/general-topics/not-able-to-normalize-upn-name-retrieved-from-saml-assertion/m-p/288977#M76910 <P>Hi Team,</P><P>&nbsp;</P><P>We have configured SAML SSO authentication for Global protect. Microsoft Azure has the active directory we have configured it as identity provider and service provider as Palo alto global protect. Trust established between Idp and SP and we are able to authenticate portal using microsoft azure.&nbsp;</P><P>&nbsp;</P><P>But the problem in allowing list in authentication profile and user/user group in Global protect gateway, When azure signs the SAML assertion from Palo alto it authenticates and sends the SAML response as UPN name from the username attribute in azure.</P><P>&nbsp;</P><P>Palo alto retived this UPN name and allowing the global protect portal and gateway configuraion only if we set the allowlist to any and user/user group to any. If we specify the username in UPN format or domain name format it is not able to validate the username and throws an error while connecting to gateway as "Matching client config not found".</P><P>&nbsp;</P><P>palo alto says&nbsp;<STRONG>you cannot configure the firewall to modify the domain/username string that a user enters during SAML logins, the login username must exactly match an Allow List entry.</STRONG></P><P>&nbsp;</P><P>But when I configure this UPN name as a match in allowlist or user/user group it is not matching and working. Group mapping also not working in this case as server profile will normalize only for AD.</P><P>&nbsp;</P><P>Is there a way to normalize UPN name to domain format or any other way to restrict the allowlist in authentication profile and user/user group in gateway.</P><P>&nbsp;</P><P>Please let me know if you need more information.&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>Venky</P> Wed, 18 Sep 2019 18:09:00 GMT https://live.paloaltonetworks.com/t5/general-topics/not-able-to-normalize-upn-name-retrieved-from-saml-assertion/m-p/288977#M76910 Venkatesan_radhakrishnan 2019-09-18T18:09:00Z https://live.paloaltonetworks.com/t5/general-topics/not-able-to-normalize-upn-name-retrieved-from-saml-assertion/m-p/289000#M76912 <P>we also have similar issue.</P> Wed, 18 Sep 2019 19:38:24 GMT https://live.paloaltonetworks.com/t5/general-topics/not-able-to-normalize-upn-name-retrieved-from-saml-assertion/m-p/289000#M76912 MP18 2019-09-18T19:38:24Z https://live.paloaltonetworks.com/t5/general-topics/not-able-to-normalize-upn-name-retrieved-from-saml-assertion/m-p/289001#M76913 <P>can we talk on this please?</P><P>&nbsp;</P><P>my email address is mahesh@shaw.ca</P> Wed, 18 Sep 2019 19:41:25 GMT https://live.paloaltonetworks.com/t5/general-topics/not-able-to-normalize-upn-name-retrieved-from-saml-assertion/m-p/289001#M76913 MP18 2019-09-18T19:41:25Z https://live.paloaltonetworks.com/t5/general-topics/not-able-to-normalize-upn-name-retrieved-from-saml-assertion/m-p/303039#M78914 <P>I ran into this issue as well and had to open a case with TAC. Turns out that you just have to specify the userPrincipalName as the primary username attribute within the Group Mapping profile. I also choose to specify the sAMAccountName as the alternate username attribute. Once this was configured, I could use AD groups in the GW client config.</P><P>&nbsp;</P><P>Support for multiple username formats was added in 8.1:</P><P><A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/user-id-features/support-for-multiple-username-formats.html" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/user-id-features/support-for-multiple-username-formats.html</A></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rgarcia565_0-1576007929434.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/22945i7F0C5BDF6C267234/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="rgarcia565_0-1576007929434.png" alt="rgarcia565_0-1576007929434.png" /></span></P><P>&nbsp;</P> Tue, 10 Dec 2019 22:05:08 GMT https://live.paloaltonetworks.com/t5/general-topics/not-able-to-normalize-upn-name-retrieved-from-saml-assertion/m-p/303039#M78914 rgarcia565 2019-12-10T22:05:08Z https://live.paloaltonetworks.com/t5/general-topics/not-able-to-normalize-upn-name-retrieved-from-saml-assertion/m-p/303341#M78965 <P>Thanks for letting us know.</P><P>Will test this in our environment.</P> Thu, 12 Dec 2019 05:24:51 GMT https://live.paloaltonetworks.com/t5/general-topics/not-able-to-normalize-upn-name-retrieved-from-saml-assertion/m-p/303341#M78965 MP18 2019-12-12T05:24:51Z