Consuming user group in GlobalProtect SAML Authentication

L0 Member

A bit of background: We are an all-Google G Suite company. We do not have internal LDAP servers. Everyone auths to Google. We are using PA 3060s as our firewalls and VPN systems.

We are getting ready to turn on SAML authentication for GlobalProtect. We are using Google as our IdP.

I've gotten it working, but I want to make policy decisions based on the user group that we are returning in the SAML assertion.

In Google, I have a user attribute with a "role" specified for each user, and then we are passing this back to the firewalls via an attribute mapping in our SAML App definition in Google.

Within the SAML authentication profile in the firewalls, I have set the User Group attribute to "role", and when I connect to the portal through Burp Suite, I see a SAML "role" attribute being returned from Google and asserted to the firewalls.

However, I have not found a way to use this "role" attribute in client IP pool assignments or in making policy decisions. I have tried making a local group that matches the "role" value, but that does not work.

Has anyone done this, or have any insight on this?

Regards,

Mark

L7 Applicator

Re: Consuming user group in GlobalProtect SAML Authentication

Hi @mtsujihara

I don't know if this user-group mapping for SAML users is possible. Probably not, because the default group mapping in the WebUI requires an LDAP profile.

But maybe you should give this a try for the creation of groups and their containing users: https://www.paloaltonetworks.com/documentation/80/pan-os/xml-api/pan-os-xml-api-request-types/apply-...

L0 Member

Re: Consuming user group in GlobalProtect SAML Authentication

Hi @mtsujihara

Could you please show me how to configure PA using Google SAML as IdP?

Thank you in advance,

Regards,

Army

L1 Bithead

Re: Consuming user group in GlobalProtect SAML Authentication

I've gotten GSuite SAML 2.0 working and have GSuite configured to send the user's "Department" as the "group" attribute. In the PA, I have the "User Group Attribute" set to "group". As the OP says, I don't see that I can use the "group" value anywhere (policies, etc).

Has anyone gotten this to work?

L7 Applicator

Re: Consuming user group in GlobalProtect SAML Authentication

@MikeTewner,

The firewall won't let you use that attribute the same as you would with an LDAP group. The link that @vsys_remo provided describes how you could probably script this to assign users to different groups using the xml-api and how you would format the input file that you would need to put together for this. 

I would recommend reaching out to your SE and setting up a feature request. 

L7 Applicator

Re: Consuming user group in GlobalProtect SAML Authentication

@MikeTewner

It depends on how much you really need this group mapping for SAML authenticated users ... it will be a bit of work

  1. Set up a web server
  2. Create a log forwarding profile for system logs that applies to GlobalProtect login and logout logs and sends these logs to your web server
  3. Create a web application on your web server that processes these HTTP requests with the logs from your firewall
  4. For every log that the web server receives, your web application needs to push that information to the firewall API to create dynamic User-IP-Group mappings and also delete them when a user logs out

4 "simple" steps and you have implemented what you need :P

But I recommend the feature request anyway ...
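
Putting the four steps above together with the User-ID XML API that the earlier link points at, here is an added example of the receiving web application. It is not code from this thread or from Palo Alto Networks, and it rests on several assumptions: the log forwarding profile is assumed to POST a JSON body in the constructed shape of `GP_LOGIN_SAMPLE` / `GP_LOGOUT_SAMPLE` (HTTP log forwarding lets you define the payload, so the real shape is whatever you configure); `ROLE_DIRECTORY` is a constructed stand-in for the directory lookup that would return the user's "role"; the `type=user-id` API call and the `<login>` / `<logout>` / `<groups>` elements of the `uid-message` are taken from the User-ID XML API and should be checked against the XML API reference for your PAN-OS release; `FIREWALL_HOST_PLACEHOLDER` and `API_KEY_PLACEHOLDER` are placeholders.

```python
"""Receive forwarded GlobalProtect login/logout logs and turn each one into a
PAN-OS User-ID XML API message (added example; assumptions are marked below)."""
import json
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample bodies, in the shape we ASSUME the log forwarding profile posts.
GP_LOGIN_SAMPLE = '{"event": "gateway-auth-success", "user": "alice@example.com", "ip": "10.20.0.15"}'
GP_LOGOUT_SAMPLE = '{"event": "gateway-logout", "user": "alice@example.com", "ip": "10.20.0.15"}'

# Constructed stand-in for a directory lookup of the user's "role" attribute.
ROLE_DIRECTORY = {"alice@example.com": "engineering", "bob@example.com": "finance"}

LOGIN_EVENTS = {"gateway-auth-success"}
LOGOUT_EVENTS = {"gateway-logout"}
MAPPING_TIMEOUT_MIN = 480  # expire the IP mapping even if the logout log never arrives


def parse_gp_event(body):
    """Return (action, user, ip) for a GP login/logout body, or None for anything else."""
    try:
        rec = json.loads(body)
    except ValueError:
        return None  # not JSON: ignore rather than crash the receiver
    event, user, ip = rec.get("event"), rec.get("user"), rec.get("ip")
    if not (user and ip):
        return None
    if event in LOGIN_EVENTS:
        return ("login", user, ip)
    if event in LOGOUT_EVENTS:
        return ("logout", user, ip)
    return None


def build_uid_message(action, user, ip, group):
    """Build the uid-message XML for one event (element names assumed from the User-ID API)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if action == "login":
        login = ET.SubElement(payload, "login")
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(MAPPING_TIMEOUT_MIN))
        if group:  # users with no known role get an IP mapping but no group membership
            groups = ET.SubElement(payload, "groups")
            members = ET.SubElement(ET.SubElement(groups, "entry", name=group), "members")
            ET.SubElement(members, "entry", name=user)
    else:
        logout = ET.SubElement(payload, "logout")
        ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def handle_forwarded_log(body, directory=ROLE_DIRECTORY):
    """Map one forwarded log body to a uid-message string, or None if it is not a GP event."""
    parsed = parse_gp_event(body)
    if parsed is None:
        return None
    action, user, ip = parsed
    return build_uid_message(action, user, ip, directory.get(user))


def send_uid_message(firewall_host, api_key, uid_xml, cafile=None):
    """POST the uid-message to the firewall's XML API (type=user-id); not run in tests."""
    ctx = ssl.create_default_context(cafile=cafile)  # verify the firewall's certificate
    data = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml}).encode()
    req = urllib.request.Request(f"https://{firewall_host}/api/", data=data, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


class LogReceiver(BaseHTTPRequestHandler):
    """HTTP endpoint the firewall's log forwarding profile posts to."""
    firewall_host = "FIREWALL_HOST_PLACEHOLDER"
    api_key = "API_KEY_PLACEHOLDER"

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        uid_xml = handle_forwarded_log(body)
        if uid_xml:
            send_uid_message(self.firewall_host, self.api_key, uid_xml)
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), LogReceiver).serve_forever()
```

Two details matter in practice: the listener only accepts what the firewall sends it, so put it behind TLS and restrict the source to the firewall's management or service-route address, and the `timeout` on the login entry is the safety net for the failure mode in step 4, where a missed logout log would otherwise leave a user's IP mapped to a group indefinitely.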

L1 Bithead

Re: Consuming user group in GlobalProtect SAML Authentication

Thank you @vsys_remo and @BPry for the help! This is one of the last services still stuck on our Active Directory - I'll put in the feature request and live with it for a bit longer.

Just an aside for anyone else with this issue - perhaps JumpCloud can help in this case.

-Mike
