01-29-2023 01:02 PM - edited 01-29-2023 01:03 PM
Domain-joined PC, ADFS in the environment, Hybrid Azure AD setup, authentication policy on the Palo set up to use CIE (Cloud Identity Engine) with identities synced from Azure AD and on-prem AD.
Whenever I clear the user-IP mapping from the cache and try to test, I can see that the authentication policy gets hit as the captive portal redirect happens. But it does not prompt for authentication and instead redirects back to the website.
The firewall shows it learned the identity from SSO. I want to block this and want it to trigger authentication.
10.92.16.100 is the firewall management IP
02-14-2023 01:30 AM - edited 02-14-2023 01:32 AM
If you use the CIE with the SCIM connector, wouldn't the CIE just pull the data from Azure AD and then feed it to your firewalls, so that no matter what you will have a user-to-IP mapping?
Also, if you use SAML on the firewalls the same will happen: when the user authenticates to Azure AD with SAML, the SAML assertion will just be trusted by the firewall when it is signed with the Azure AD SSL cert, and this assertion has username and AD group attributes that the firewall will auto-ingest.
Also, just in case you need to clear not only the dataplane cache but also the management plane User-ID cache:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clq8CAC
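To find out which source populated the mapping before clearing it, the reply above points at the dataplane and management plane caches. Below is an added example, not from this thread or from Palo Alto Networks, that parses the text of `show user ip-user-mapping all` as copied from the CLI, flags every mapping whose `From` column is not the captive portal, and emits the per-IP `clear user-cache` commands to run next. The CLI output embedded here is constructed for illustration, and the `From` labels it uses (`AD`, `CP`, `GP`, `XMLAPI`) are assumptions; check the labels on your own firewall (the OP's shows the mapping as learned from SSO) and adjust `CAPTIVE_PORTAL_SOURCES` accordingly. The management plane clear command is taken from the same `clear user-cache-mp` family the linked KB article refers to; verify its per-IP form on your PAN-OS version.

```python
import re
from typing import Dict, List

# Constructed sample of `show user ip-user-mapping all` CLI output.
# Not captured from a real firewall; the From labels are assumed for illustration.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.92.16.50     vsys1  AD      corp\\jdoe                        2441           2441
10.92.16.51     vsys1  CP      corp\\asmith                      3600           3600
10.92.16.52     vsys1  GP      corp\\bwong                       2000           2000
10.92.16.53     vsys1  XMLAPI  corp\\svc-cie                     1500           1500
Total: 4 users
"""

# Sources that mean the user already passed an authentication-policy challenge.
# Assumption: the captive portal shows up as "CP"; add whatever label your firewall prints.
CAPTIVE_PORTAL_SOURCES = ("CP",)

# One data row: ip, vsys, from, user, idle timeout, max timeout.
# The header and the dashed separator do not end in two integers, so they never match.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_mappings(cli_text: str) -> List[Dict[str, object]]:
    """Turn pasted CLI output into a list of mapping dicts."""
    rows = []
    for line in cli_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        ip, vsys, source, user, idle, max_to = m.groups()
        rows.append({
            "ip": ip,
            "vsys": vsys,
            "from": source,
            "user": user,
            "idle_timeout": int(idle),
            "max_timeout": int(max_to),
        })
    return rows


def find_mapping(rows: List[Dict[str, object]], ip: str) -> List[Dict[str, object]]:
    """All mappings for one IP (a multi-vsys box can hold more than one)."""
    return [r for r in rows if r["ip"] == ip]


def mappings_not_from_captive_portal(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Mappings that came from a passive source (AD logs, GlobalProtect, XML API, ...)
    rather than from the captive portal. These are the ones that let a client skip the
    authentication-policy prompt, which is the behaviour the OP wants to stop."""
    return [r for r in rows if r["from"] not in CAPTIVE_PORTAL_SOURCES]


def clear_commands(rows: List[Dict[str, object]]) -> List[str]:
    """PAN-OS CLI commands to drop the selected mappings from both caches.
    `clear user-cache ip <ip>` is the dataplane cache; the `-mp` variant is the
    management plane cache (assumed per-IP form, verify on your PAN-OS version)."""
    cmds = []
    for r in rows:
        cmds.append(f"clear user-cache ip {r['ip']}")
        cmds.append(f"clear user-cache-mp ip {r['ip']}")
    return cmds


if __name__ == "__main__":
    mappings = parse_mappings(SAMPLE_OUTPUT)
    suspect = mappings_not_from_captive_portal(mappings)
    for r in suspect:
        print(f"{r['ip']:<16} {r['from']:<7} {r['user']}  (not learned via captive portal)")
    print("\nCommands to run on the firewall:")
    for cmd in clear_commands(suspect):
        print("  " + cmd)
```

Paste your own `show user ip-user-mapping all` output in place of `SAMPLE_OUTPUT`, run it, and the `From` column tells you which integration (AD, GlobalProtect, XML API or the CIE connector) is repopulating the mapping the moment you clear it; that integration, not the authentication policy, is what has to be changed for the prompt to appear.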