04-15-2025 02:18 AM
Hi,
I would like to configure SAML for my GP authentication and I would also like to be able to assign IPs by user groups and configure rules for these remote users by user groups.
Does anyone know if this is possible? how can match users received from SAML with LDAP mapping?
04-15-2025 07:56 PM
Hi @BigPalo ,
"Does anyone know if this is possible?" Yes, I do it in my company.
"How can match users received from SAML with LDAP mapping?" Obviously, you must have the same usernames in your LDAP directory. In order for group mapping to work, the username in the "show user ip-user-mapping all" command must match exactly with the username in the "show user group name "<group_name_from_show_user_group_list>" command.
Changing the User Domain under Device > User Identification > Group Mapping Settings caused the GP SAML usernames to change from user@domain.com to domain\user so that the LDAP groups would work. All other fields remained the default (except the Update Interval).
Thanks,
Tom
05-29-2025 08:38 AM
Thank you, yes this worked by changing the user domain to match the SAML, I also had to update the Portal, agent profile to use the same format for identifying users. However what happens is that now when you attempt to access any resources you are seen by this domain\username, and with any rules that have been configured with the original on-prem domain, they no longer match. So we would have to change all rules that have the original domain format to the new userid format. This is quite a big task.
Also what I found was that if you use a group within the agent profile for identification does not work, using either the domain\groupname or the cn of the groupname.
05-29-2025 09:06 AM - edited 05-29-2025 09:13 AM
Hi @D.Maas ,
So we would have to change all rules that have the original domain format to the new userid format. This is quite a big task.
You can quickly do it via the CLI and a regex text editor.
> set cli config-output-format set
> configure
# show rulebase security | match source-user
If you have a regex text editor you can copy the output and quickly change $username@domain.com to domain\$username for all your users. Paste into the CLI. You can have both formats for a period of transition. To delete the original formats, change the original set to delete and paste. If the users now match groups, you can use the group instead.
Also what I found was that if you use a group within the agent profile for identification does not work, using either the domain\groupname or the cn of the groupname.
I have tested groups in the portal agent config before. Converting the format is the 1st step to the users matching groups. Did you try the commands I mentioned above? The username must match exactly. Here they are again. Substitute the bogus group name with yours.
> show user ip-user-mapping all
> show user group list
> show user group name "cn=it_operations,cn=users,dc=al,dc=com"
Thanks,
Tom
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
