Azure AD GlobalProtect Clientless Portal / SAML Domain issue


Azure AD GlobalProtect Clientless Portal / SAML Domain issue

L1 Bithead

Hi All, I am able to authenticate users against the portal with SAML and Azure AD, all good. Since I can't pull groups from Azure, I'm using LDAP for the portal and policies, also working. The issue is that the user from Azure is coming down to the firewall as domain.local\user while on-prem LDAP is just domain\user. Is there any way to drop the .local at the firewall, or does it have to be done in Azure? And if in Azure, how? 🙂 Thanks


6 REPLIES

L7 Applicator

Hi @Pasquale01 

This has to be done in azure.

I need to search the details on how to configure this ...

L7 Applicator

There it is 😉

In the azure SAML config for global protect you need to alter the claim for username to the following:

username = Join (user.netbiosname, "\", user.onpremisessamaccountname)


This can be done by editing the username claim details and choosing this from the various options that are presented there.
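To make the mismatch concrete, here is an added Python example (not from this thread, from Palo Alto or from Microsoft): it pulls the username attribute out of a constructed SAML assertion and shows why the DNS-domain form (domain.local\user) fails an on-prem LDAP group lookup while the NetBIOS form that the Join() claim above produces succeeds. The DNS-to-NetBIOS mapping and the group table are assumptions built for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample assertion: the username attribute arrives in the
# DNS-domain form the original poster saw (domain.local\user).
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>domain.local\\jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed DNS-domain -> NetBIOS-name mapping; real values come from AD.
NETBIOS_BY_DNS = {"domain.local": "DOMAIN"}

# Constructed on-prem LDAP group membership, keyed in NetBIOS domain\user form,
# which is how the firewall's LDAP group mapping identifies users.
LDAP_GROUPS = {"DOMAIN\\jdoe": {"gp-users"}}


def extract_username(assertion_xml: str) -> str:
    """Return the value of the 'username' SAML attribute."""
    root = ET.fromstring(assertion_xml)
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") == "username":
            return attr.find("saml:AttributeValue", NS).text.strip()
    raise ValueError("no username attribute in assertion")


def normalize_domain_user(value: str) -> str:
    """Rewrite domain.local\\user or user@domain.local to NetBIOS DOMAIN\\user.

    This mirrors what Join(user.netbiosname, "\\", user.onpremisessamaccountname)
    makes Azure AD emit; values already in NetBIOS form pass through.
    """
    if "\\" in value:
        domain, user = value.split("\\", 1)
    elif "@" in value:
        user, domain = value.rsplit("@", 1)
    else:
        return value  # bare username: nothing to normalize
    netbios = NETBIOS_BY_DNS.get(domain.lower(), domain.upper())
    return f"{netbios}\\{user}"


def group_match(value: str, group: str) -> bool:
    """Does the identity, as the firewall receives it, match the LDAP group?"""
    return group in LDAP_GROUPS.get(value, set())
```

The raw value from the assertion finds no group, so any user- or group-based GlobalProtect config silently fails to apply; after normalization the same user matches.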

That's great, can you point me to where that is documented?

I have no idea where this is documented right now. I was told this by TAC support. In my situation the user was showing up correctly in the logs, and so the matching for security policy rules was working fine, but in the GlobalProtect configuration, when I tried to create user-based configs, I had to add the users in domain.local\username format and so the AD groups were not working. Then TAC proposed this solution (as they had found it in another case from another customer) and this did the trick for me - and almost certainly will also do for you.

Ah... I see, thank you for the response. I'll let you know if it worked.

L5 Sessionator

@Remo 
hi, I have same issue and want to control user sessions by user group.

I want to ask you is that you have on-premise AD on your site and sync with AAD?


https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0

According to the link above (the section for "onPremisesSamAccountName"), it sounds like I need on-premises AD, but I don't have one.


If we only have AAD, do you know of any other solution? (Maybe I should try CIE, the new offering from Palo Alto, though I'm not sure it retrieves user groups from AAD.)
