CIE Azure AD/Entra AD guest upn match Global Protect login user


L1 Bithead

I am trying to see how I can get the Cloud Identity Engine to match the Global Protect SSO (also from Azure AD/Entra) UPN for the user. I have a sister company from which I have invited certain users in as external guests and added them to AAD groups, which are assigned to allow them to connect to the AAD enterprise app for SAML SSO. But CIE will return a different UPN than what the SSO returns back to the Palo Alto. I honestly do not care which one of these formats it uses, as long as they consistently match. The main issue is that the CIE and the Global Protect logins don't match for the same user, so it's not possible to tie the user to the AAD groups CIE populates.

 

Global Protect will identify the user like jwoodman@example.com and CIE will be jwoodman_example_com#ext#@example2.onmicrosoft.com

 

If the user has mail set up, you could go off that. But this being a sister company, we have some of these users already set up as contacts, and it will not allow those users to save their email address. It says there is already a proxy address. Instead it places their email address in the other mail property. I'm assuming I need to go the route of setting up Azure AD/Entra SAML transformations for the nameidentifier, as I don't see a way of changing the Cloud Identity Engine behavior. Curious if anyone has done this before.

 

Thanks.

 
