02-06-2022 12:50 AM
Hello all,
I have the following problem:
An AD sub-domain in a forest where the domain differs between the samAccountName and the userPrincipalName:
samAccountName: domain01\user01
userPrincipalName: user01@domain02.com
Dial-in with GlobalProtect via SAML as user01@domain02.com.
The PA recognizes the user as user01@domain02.com. All User-ID based rules don't work, because the PA (logically) can't recognize the user via the existing Group Mapping (User Domain = domain01).
My idea was to add another Group Mapping that additionally picks up "domain02.com".
But unfortunately User-ID goes completely haywire after that. Sometimes a user is recognized, sometimes not. Total chaos.
Does anyone know how to solve this?
02-07-2022 04:38 AM
Try setting your LDAP profile to port 3268 so you use the global catalog rather than the default LDAP port; this should help you create multiple group mappings for all your domains.
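A check worth running before touching the firewall's LDAP profile, as an added example that is not code from this thread or from Palo Alto Networks: query the Global Catalog on port 3268 for the user by UPN and look at what comes back. The GC answers with the account's DN (which carries the DC= components of the domain the account really lives in, domain01 here), its sAMAccountName, its UPN and its group memberships in one result, which is what lets a single LDAP profile serve group mappings for every domain in the forest. The script below parses that ldapsearch LDIF and flags the exact situation from the post, a UPN suffix that is not the account's own domain. The LDIF, hostnames, bind account and group names are constructed for illustration and are assumptions, not values from the thread.

```python
# Added example, not code from the thread or from Palo Alto Networks. It parses
# the LDIF an ldapsearch against the Global Catalog returns for a user and
# reports the sAMAccountName, the UPN, the domain carried in the DN and the
# groups, flagging a UPN suffix that differs from the account's own domain.
import base64
import re

# Constructed sample LDIF; DNs, hostnames and group names are assumptions.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=user01,OU=Users,DC=domain01,DC=local
sAMAccountName: user01
userPrincipalName: user01@domain02.com
memberOf: CN=VPN-Users,OU=Groups,DC=domain01,DC=local
memberOf: CN=Finance,OU=Groups,DC=domain01,
 DC=local

search: 2
result: 0 Success
"""

# 389/636 answer only from the DC's own domain partition; 3268/3269 are the
# Global Catalog and answer for every domain in the forest.
GC_PORTS = {3268: "Global Catalog", 3269: "Global Catalog over TLS"}


def is_global_catalog_port(port: int) -> bool:
    """True for the ports that return forest-wide (all domains) results."""
    return port in GC_PORTS


def ldapsearch_command(gc_host: str, bind_upn: str, user_upn: str) -> str:
    """Command that produces LDIF like SAMPLE_LDIF. An empty base ('') on a GC
    port searches every domain in the forest. Host and bind account are assumed."""
    return (f"ldapsearch -LLL -H ldap://{gc_host}:3268 -D '{bind_upn}' -W -b '' -s sub "
            f"'(&(objectClass=user)(userPrincipalName={user_upn}))' "
            "sAMAccountName userPrincipalName memberOf")


def parse_ldif(ldif: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: a blank line separates entries, '#' comment lines and
    the trailing search/result lines are skipped, a leading space continues the
    previous value, and 'attr:: value' carries a base64-encoded value."""
    entries, current, last_key = [], {}, None
    for line in ldif.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if line.startswith("#") or line.startswith(("search:", "result:")):
            continue
        if line.startswith(" ") and last_key is not None:
            current[last_key][-1] += line[1:]
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(key, []).append(value.strip())
        last_key = key
    if current:
        entries.append(current)
    return entries


def dns_domain_from_dn(dn: str) -> str:
    """Join the DC= components: CN=x,DC=domain01,DC=local -> domain01.local."""
    return ".".join(m.group(1) for m in re.finditer(r"(?i)DC=([^,]+)", dn))


def analyze_user(ldif: str) -> dict:
    """Summarise the single user entry in the LDIF and compare its UPN suffix
    with the domain its DN places it in."""
    entries = [e for e in parse_ldif(ldif) if "dn" in e]
    if len(entries) != 1:
        raise ValueError(f"expected exactly one user entry, got {len(entries)}")
    e = entries[0]
    dn = e["dn"][0]
    upn = e.get("userPrincipalName", [""])[0]
    dn_domain = dns_domain_from_dn(dn)
    upn_suffix = upn.partition("@")[2].lower()
    return {
        "dn": dn,
        "sam_account_name": e.get("sAMAccountName", [""])[0],
        "upn": upn,
        "upn_suffix": upn_suffix,
        "dn_domain": dn_domain,
        # The situation in the post: the UPN suffix is not the account's own
        # domain, so a group mapping scoped to domain01 alone never matches
        # the user01@domain02.com identity that SAML delivers.
        "upn_domain_mismatch": upn_suffix != dn_domain.lower(),
        "groups": [re.search(r"(?i)CN=([^,]+)", g).group(1) for g in e.get("memberOf", [])],
    }


if __name__ == "__main__":
    print(ldapsearch_command("gc.domain01.local", "svc-paloalto@domain02.com",
                             "user01@domain02.com"))
    for key, value in analyze_user(SAMPLE_LDIF).items():
        print(f"{key:22} {value}")
```

If the same search against a domain controller on 389 with a base of DC=domain01,DC=local returns nothing for the UPN while the GC on 3268 returns the entry with its memberOf list, the profile is the problem, not User-ID. Note that the GC only holds the partial attribute set, so any custom attribute a group mapping filters on must be marked for GC replication.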
02-08-2022 04:55 AM
Great! Working. Thank you so much!