Not able to normalize UPN name retrieved from SAML assertion

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Not able to normalize UPN name retrieved from SAML assertion

Hi Team,


We have configured SAML SSO authentication for Global protect. Microsoft Azure has the active directory we have configured it as identity provider and service provider as Palo alto global protect. Trust established between Idp and SP and we are able to authenticate portal using microsoft azure. 


But the problem in allowing list in authentication profile and user/user group in Global protect gateway, When azure signs the SAML assertion from Palo alto it authenticates and sends the SAML response as UPN name from the username attribute in azure.


Palo alto retived this UPN name and allowing the global protect portal and gateway configuraion only if we set the allowlist to any and user/user group to any. If we specify the username in UPN format or domain name format it is not able to validate the username and throws an error while connecting to gateway as "Matching client config not found".


palo alto says you cannot configure the firewall to modify the domain/username string that a user enters during SAML logins, the login username must exactly match an Allow List entry.


But when I configure this UPN name as a match in allowlist or user/user group it is not matching and working. Group mapping also not working in this case as server profile will normalize only for AD.


Is there a way to normalize UPN name to domain format or any other way to restrict the allowlist in authentication profile and user/user group in gateway.


Please let me know if you need more information. 





Cyber Elite
Cyber Elite

we also have similar issue.


Cyber Elite
Cyber Elite

can we talk on this please?


my email address is


L0 Member

I ran into this issue as well and had to open a case with TAC. Turns out that you just have to specify the userPrincipalName as the primary username attribute within the Group Mapping profile. I also choose to specify the sAMAccountName as the alternate username attribute. Once this was configured, I could use AD groups in the GW client config.


Support for multiple username formats was added in 8.1:




Thanks for letting us know.

Will test this in our environment.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!