06-28-2021 11:33 AM
Hi All, I am able to authenticate users against the portal with SAML and Azure AD, all good. Since I can't pull groups from Azure I'm using LDAP for the portal and policies, also working. The issue is that the user from Azure is coming down to the firewall as domain.local\user while on-prem LDAP is just domain\user. Is there any way to drop the .local at the firewall, or does it have to be done in Azure? And if in Azure, how? 🙂 Thanks
06-28-2021 11:46 AM
Hi @Pasquale01
This has to be done in Azure.
I need to search the details on how to configure this ...
06-28-2021 11:58 AM
There it is 😉
In the Azure SAML config for GlobalProtect you need to alter the claim for username to the following:
username = Join (user.netbiosname, "\", user.onpremisessamaccountname)
This can be done by editing the username claim details and choosing this from the various options that are presented there.
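An added example, not from this thread or from Palo Alto or Microsoft: it reproduces what the Join transformation above emits, pulls the `username` attribute out of a SAML assertion (or a base64 SAMLResponse captured from a browser trace), and checks whether the value is already in the NETBIOS\sAMAccountName form that the on-prem LDAP group lookup expects. The assertion XML and the names `DOMAIN` and `jdoe` are constructed for the example; the attribute name `username` is assumed to match the claim name configured in Azure.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# NETBIOS\user only: a dotted DNS domain such as "domain.local\user" is rejected,
# because that is the value the LDAP-based group mapping will not recognise.
NETBIOS_USER_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}\\[^\\/:*?\"<>|]+$")


def join_claim(netbiosname, separator, samaccountname):
    """Mimic the Azure AD Join transformation from the thread:
    Join(user.netbiosname, "\\", user.onpremisessamaccountname)."""
    return f"{netbiosname}{separator}{samaccountname}"


def username_from_assertion(assertion_xml, attribute_name="username"):
    """Return the value of the named SAML attribute, or None if it is absent."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:
            value = attr.find("saml:AttributeValue", SAML_NS)
            return value.text.strip() if value is not None and value.text else None
    return None


def username_from_saml_response(saml_response_b64, attribute_name="username"):
    """Decode the base64 SAMLResponse form field and extract the claim from it."""
    return username_from_assertion(base64.b64decode(saml_response_b64), attribute_name)


def matches_ldap_format(username):
    """True when the value looks like NETBIOS\\sAMAccountName, the form LDAP policies use."""
    return bool(username) and NETBIOS_USER_RE.match(username) is not None


# Constructed assertion skeleton (not a real capture); only the attribute is modelled.
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>{value}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

BEFORE = ASSERTION_TEMPLATE.format(value="domain.local\\jdoe")            # default claim
AFTER = ASSERTION_TEMPLATE.format(value=join_claim("DOMAIN", "\\", "jdoe"))  # after Join
AFTER_B64 = base64.b64encode(AFTER.encode()).decode()                     # as SAMLResponse
```

Run `matches_ldap_format(username_from_assertion(...))` against a captured assertion before turning on group-based GlobalProtect configs; a False result means the claim is still in DNS-domain form.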
06-28-2021 12:16 PM
That's great, can you point me to where that is documented?
06-28-2021 12:21 PM
I have no idea where this is documented right now. I was told this by TAC support. In my situation the user was showing up correctly in the logs and so the matching for security policy rules was working fine, but in the GlobalProtect configuration, when I tried to create user-based configs, I had to add the users in domain.local\username format and so the AD groups were not working. Then TAC proposed this solution (as they found it out in another case from another customer) and this did the trick for me - and almost certainly will also do for you.
06-28-2021 12:23 PM
Ah... I see, thank you for the response. I'll let you know if it worked.
10-20-2021 02:50 AM
@Remo
Hi, I have the same issue and want to control user sessions by user group.
I want to ask whether you have on-premise AD on your site and sync it with AAD?
https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
According to the link above (the section for "onPremisesSamAccountName"), it sounds like I need on-premise AD, but I don't have one.
If we only have AAD, do you know any other solution? (Maybe I should try CIE, new from Palo Alto, though I'm not sure it retrieves user groups from AAD.)