I have Cloud Identity Engine synced to Azure AD and see both groups and users in the hub. I configured a firewall to use CIE, but it doesn't appear to be working. I can see the groups and select them in policies, but no users from those groups are seen on the firewall. "show user cloud-identity-engine client stat" shows groups, but they show as unmapped (not sure if it should show mapped). "show user cloud-identity-engine status all" shows the name of the directory APP, but all stats are 0 or say never. Same with "show user cloud-identity-engine statistics all". Any help would be appreciated.
I was able to get Cloud Identity Engine working on the firewall. I changed the service interface for "Palo Alto Network Services" to use the outside interface instead of the default management interface. This didn't work at first until I removed the Cloud Identity Engine config on the firewall and re-added it.
With that being said, my new issue is that the CIE group doesn't seem to work for GlobalProtect portal config for agent match criteria. I am able to configure it, but it doesn't seem to work for matching the user even though I see the user and group information on the firewall through CLI which looks correct.
Thanks for the reply. The error I see is that the user didn't match a policy in the portal.
I have two users in the Azure group that is seen on the firewall via CIE. One user synced from on-prem has the email as the UPN, and the other user is a guest in Azure and has a guestuser_email.com#EXTfirstname.lastname@example.org UPN. The users have to log in with the email address format to Azure via SAML, which works for both users. The on-prem user can map to a portal policy, but the guest user cannot. The on-prem user appears in the group with the email (same as login), but the guest user shows as the UPN, which isn't the same as the email login format.
Even though the guest user shows as UPN in the group, the email address used for login is an alternative user id and therefore should be able to map the user to the group referenced in the portal policy. I believe that should be the case.
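The mismatch described in the two posts above, as an added example that is not PAN-OS or Palo Alto code: it decodes the documented Azure AD guest UPN pattern (`alias_domain.com#EXT#@tenant.onmicrosoft.com`) back to the invited e-mail address and reports whether a SAML login name matches a CIE group member exactly, only via that alternate ID, or not at all. The group members and tenant name are constructed sample data; whether CIE itself performs the alternate-ID comparison is the open question in the thread, not something this code confirms.

```python
from __future__ import annotations

"""Diagnose why a SAML login name may fail to match a Cloud Identity Engine
group member entry when that member is an Azure AD B2B guest.

Added example, not PAN-OS code. Azure AD guest UPNs follow the documented
pattern <alias>_<domain>#EXT#@<tenant>.onmicrosoft.com; the tenant and
member names below are constructed sample data."""

# Constructed sample: a CIE group roughly as it would be listed on the firewall.
GROUP_MEMBERS = [
    "firstname.lastname@example.org",                    # synced on-prem user
    "guestuser_email.com#EXT#@contoso.onmicrosoft.com",  # Azure B2B guest
]


def guest_upn_to_email(upn: str) -> str | None:
    """Recover the invited e-mail address from an Azure AD guest UPN.

    Azure builds the guest alias by replacing the '@' of the invited
    address with '_' and appending '#EXT#@<tenant>'. DNS domains cannot
    contain '_', so splitting on the last '_' restores the address.
    Returns None if the UPN is not in guest format.
    """
    marker = "#EXT#@"
    if marker not in upn:
        return None
    alias = upn.split(marker, 1)[0]
    if "_" not in alias:
        return None
    local, domain = alias.rsplit("_", 1)
    return f"{local}@{domain}"


def candidate_ids(member: str) -> set[str]:
    """Every identifier a login name could reasonably be compared against."""
    ids = {member.lower()}
    email = guest_upn_to_email(member)
    if email:
        ids.add(email.lower())
    return ids


def match_login(login: str, members: list[str] = GROUP_MEMBERS) -> str:
    """Return 'exact', 'alternate-id' or 'none' for a SAML login name."""
    login = login.lower()
    if login in (m.lower() for m in members):
        return "exact"            # the on-prem user's case
    if any(login in candidate_ids(m) for m in members):
        return "alternate-id"     # the guest user's case: only the decoded UPN matches
    return "none"
```

If the guest's login comes back as `alternate-id`, the group entry and the SAML subject differ only by the guest-UPN encoding, which is exactly the gap to raise with Palo Alto support or to work around in the portal match criteria.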