06-23-2020 08:43 PM
Hello,
We're currently implementing GlobalProtect with SAML authentication to AzureAD only (no hybrid), based on groups for easier management.
Example :
Groupe1 is given an IP_Pool1 IP with access to subnet1
Groupe2 is given an IP_Pool2 IP with access to subnet 1 and 2
As of today, we haven't found any way to do it properly, and from what we've seen online it may not be supported at all without a third party or on-prem AD.
Did any of you run into that issue before, and did you find a solution?
Thanks.
06-25-2020 09:41 PM
Will do - thanks for your input.
02-17-2021 10:45 AM
Yeah, that is what I found as well. What I ended up doing, on an ASA, is authenticating my users to Azure, but then using secondary authorization to the internal AD user to map the users to specific groups.
09-23-2021 11:40 AM
Here you go:
tunnel-group NA_Azure_SAML type remote-access
tunnel-group NA_Azure_SAML general-attributes
 address-pool VPN_Pool_1
 authorization-server-group AAA-VPN-Users
 default-group-policy NoAccess
tunnel-group NA_Azure_SAML webvpn-attributes
 authentication saml
 group-alias VPN-Secured enable
 without-csd
 saml identity-provider https://sts.windows.net/numbers......./
!
So the process is that it authenticates to Azure SAML, but authorization is AAA-VPN-Users (which is AD). It looks for a security group tied to the end user and then maps that security group to a policy group on the ASA. This took a while for me to figure out and get working, but it saved me a lot of work in the long run because we have so many policy group mappings to security groups.
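The tunnel-group above only shows the authentication half. The following is an added example (not the poster's config) of the other half it refers to: the LDAP server group AAA-VPN-Users, an ldap-attribute-map that turns AD memberOf values into ASA group policies, the per-group policies with their own address pool and vpn-filter, and a NoAccess policy that denies anyone SAML lets in but AD does not place in a mapped group. The server address, DNs, pool ranges, subnets, ACL and group/policy names are assumptions chosen to match the original question (one pool and subnet per group).

```text
! Added example, not the poster's configuration. Host, DNs, pools, subnets
! and policy names are assumed values.
!
! LDAP server group used only for authorization; SAML already authenticated.
aaa-server AAA-VPN-Users protocol ldap
aaa-server AAA-VPN-Users (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password ********
 server-type microsoft
 ldap-attribute-map AD-Group-Map
!
! Translate the AD memberOf attribute into an ASA group-policy name.
! A user with no matching memberOf value falls through to the tunnel-group's
! default-group-policy (NoAccess below).
ldap attribute-map AD-Group-Map
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Subnet1,OU=Groups,DC=example,DC=com" GP_Subnet1
 map-value memberOf "CN=VPN-Subnet12,OU=Groups,DC=example,DC=com" GP_Subnet12
!
! vpn-filter ACLs are written with the client pool as source and the
! protected network as destination.
access-list ACL_Subnet1 extended permit ip 10.200.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list ACL_Subnet12 extended permit ip 10.200.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list ACL_Subnet12 extended permit ip 10.200.2.0 255.255.255.0 10.1.2.0 255.255.255.0
!
ip local pool VPN_Pool_1 10.200.1.10-10.200.1.250 mask 255.255.255.0
ip local pool VPN_Pool_2 10.200.2.10-10.200.2.250 mask 255.255.255.0
!
! Group 1: its own pool, reaches subnet 1 only.
group-policy GP_Subnet1 internal
group-policy GP_Subnet1 attributes
 address-pools value VPN_Pool_1
 vpn-filter value ACL_Subnet1
!
! Group 2: its own pool, reaches subnets 1 and 2.
group-policy GP_Subnet12 internal
group-policy GP_Subnet12 attributes
 address-pools value VPN_Pool_2
 vpn-filter value ACL_Subnet12
!
! Catch-all: authenticated by Azure but in no mapped AD group -> no session.
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
```

Two things to check before relying on this. The username the ASA takes from the SAML assertion's NameID is what it looks up in AD, so it has to match the `ldap-naming-attribute`; if Azure AD is configured to send the UPN rather than the short account name, use `userPrincipalName` there instead of `sAMAccountName`. And memberOf is multi-valued: if a user belongs to more than one mapped group, which policy wins is not something to depend on, so keep membership of the mapped VPN groups disjoint. `test aaa-server authorization AAA-VPN-Users username <user>` on the ASA shows which group policy a given account is mapped to without having to bring up a tunnel.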
09-23-2021 01:39 PM - edited 09-23-2021 01:47 PM
Hi @SBI_INFRASTRUCTURE ,
I believe the Cloud Identity Engine can now get groups from AzureAD.
Thanks,
Tom