Azure AD + Globalprotect = unable to filter the client settings

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Azure AD + Globalprotect = unable to filter the client settings

L2 Linker



I have a Pa-850 running 10.1.8 and globalprotect 5.2.6-87.


My issue appears whenever I try to assign different "Agent->Client settings" at the gateway level based on an AD group.

The portal is configured to authenticate against Azure AD using SAML. Later the gateway is also configured to authenticate against Azure SAML.

Our local PaloAlto partner suggested configuring the gateway to authenticate against our local LDAP. When I do so, global protect client fails to authenticate the user and a prompt is shown waiting for a user and password.


Any ideas or suggestions about what I might be doing wrong?

many thanks







Hi @JoseCortijo ,

First let me clarify GP portal/gateway authentication and GP portal/gateway agent config are two different thinks. Speaking in correct terminology those are authentication and authorization:

- Azure AD over SAML will provide user authentication

- GP portal/gateway Agent -> client settings based on AD group could be considered as authorization - different GP config and IP range based on group membership.


Group membership checking is done by Group Mapping. Until PanOS 10.1, FW was supporting only LDAP queries for collecting groups and group membership from local AD. You can use LDAP for GP authentication and group mapping, but it is not required. You should be able to use SAML for authentication and LDAP for group mapping.


If you already use AzureAD I would suggest you to consider Learn About the Cloud Identity Engine (

Running PanOS 10.1+ you can Cloud Identity Engine (CIE) for group mapping as well. Basically your set up would be:

1. Activate and create Cloud Identity Engine app

2. Connect CIE with your AzureAD

3. Configure your FW to use the CIE. This will allow FW to collect group mapping from CIE and will not require LDAP profile

4. Configure AzureAD for SAML authentication to GP portal and gateway

5. Configure GP agent client config based on AD groups from CIE

Hi @aleksandar.astardzhiev ,

thanks a lot for the clarification and nice to know about CIE. Unfortunately I cannot move to CIE at the moment.


Our fw are running 10.1.8 so I should be able to authenticate with SAML and authorize with LDAP, but unfortunately, it does not work. Could you help me to troubleshoot what is failing? I went through global protect logs but found nothing that caught my attention.

In the fw side I don't know where I could find some debug information related to the issue. 


Any suggestion?

Do you think it would be a good idea go up to 10.2 version? might it help with this issue?



Hi @JoseCortijo ,

It is not necessary to move to newer versions, SAML authentication + LDAP group mapping is supported and working solution for very long time and moving to 10.2 would bring benefit - in my personal opinion.


If you dig around the forum you could find that the most common problem is the username format that SAML provide when authenticating the user and creating user-ip-mapping and the username format provided by the group mapping.


I would expect that SAML is using userPrincipleName (UPN) format - you should be able to confirm this by:

- Checking your GP logs, what is the username from the logs?

- Checking your User-ID logs

- Under the definition for the Enterprise Application in AzureAD (Enterprise Applications -> <your-gp-saml-app> -> Single sign-on -> Attributes and & Claims

- Under the Authentication Profile, check what you are using for username attribute (should be username by default)


For the Group mapping you probably collect only sAMAccountName (SAM) as primary user attribute. You should be able to confirm by:

- Check your group mapping profile (Device -> User Identification -> Group Mapping -> <your-profile> -> User and Group Attributes

- Check under CLI how FW is listing group members
> show user group list | match <test-group>

> show user group name "<full-group-dn-from-above-command>"


As you can see in the Group Mapping profile you can define three alternative username attributes. This is because since several PanOS versions, FW is capable to use multiple user attributes and successfully map all to the same user. You can check all the attributes that FW is able to collect under CLI:

> show user user-attributes user <username>

In addition you may need to check if FW is able to collect All about User-ID domain map - Knowledge Base - Palo Alto Networks

It is important for the FW to be able to correctly map domain name in FQDN and NetBios format.



As summary:
- What format are you seeing the username after SAML authentication?

- Do you see the same attribute already collected by Group Mapping  (> show user user-attributes user )?
- Does FW correctly collect User-ID domain map?

L3 Networker

@aleksandar.astardzhiev I am having the same problem and you summarized it perfectly.

I have a group condition under GP Portal > Agent >  Config Selection Criteria > User/User Group.


My SAML is using user.userprincipalname.

My LDAP is using sAMAccountName and I have also added userPrincipalName under Alternate Username 1 under the Group Mapping settings on firewall.

Now when the user tries to login to GP, the SAML auth succeeds but still cannot connect because the portal does not identify the user as a member of the group mentioned in the group condition above GP Portal > Agent >  Config Selection Criteria > User/User Group.


How to resolve this? 

Hi @rjdahav163 ,

Once you add UPN as alternative user attribute in GP you probably need to way for the next group-map to happen.

If it still not working. Can you share the following:


# Content of the group that is used in GP config
> show user group name "<cn-group>"

# Check if FW is able to associate different user formats
> show user user-attributes user <>@<domain>

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!