Consuming user group in GlobalProtect SAML Authentication

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Consuming user group in GlobalProtect SAML Authentication

L0 Member

A bit of background: We are an all-Google G Suite company. We do not have internal LDAP servers. Everyone auths to Google. We are using PA 3060s as our firewalls and VPN systems.

 

We are getting ready to turn on SAML authentication for GlobalProtect. We are using Google as our IdP.

 

I've gotten it working, but I want to make policy decisions based on the user group that we are returning in the SAML assertion.

 

In Google, I have a user attribute with a "role" specified for each user, and then we are passing this back to the firewalls via a attribute mapping in our SAML App definition in Google.

 

Within the SAML authentication profile in the firewalls, I have set the User Group attribute to "role", and when I connect to the portal through Burp Suite, I see a SAML "role" attribute being returned from Google and asserted to the firewalls.

 

However, I have not found a way to use this "role" attribute in client IP pool assignments or in making policy decisions. I have tried making a local group that matches the "role" value, but that does not work.

 

Has anyone done this, or have any insight on this?

 

Regards,

 

Mark

25 REPLIES 25

I have been attempting this with Azure SAML. Currently I don't see the group attribute being sent by Azure so I can't test what I was wanting to test.

 

I found a document that showed an example of Admin Role being used from SAML attribute where the role name matched a GlobalProtect admin role. I wondered if this same concept would work for an empty local user group on GlobalProtect. Even though I can't use the group attribute from SAML assertion, I can use an empty local user group and was hopeful that the group sent from SAML with the same name as a local user group would work the same way admin role assertion does.

 

Have you created an empty local group in GlobalProtect and put it in a VPN matching policy and see if the SAML group assertion with the same group name would trigger a policy match?

Hello Vicotr,

 

How did you setup Globalprotect to use ldap for some users and saml authentication for the others based on user group?

In out case when we use saml and ldap authentication profile, it always authenticates against ldap and doesnt get to the saml profile at all.

L5 Sessionator

For what it's worth, Palo innovated a SAML 2.0 group mapping ingestion service in PAN-OS 10.1. See more on the cloud identity engine here

Help the community! Add tags and mark solutions please.

L0 Member

Hi GREMAUDO,

 

I am trying to implement Okta with Palo Alto as well. But I can't get it to work by following your instructions. Could you please provide more details on how you configure the Palo Alto side, like the Auth profile settings.

 

Thanks

 

Leo

Hi,

 

Did you follow this document ? https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-GlobalProtect.h...

 

It's the one I used to properly setup Okta + PAN.

 

Cheers.

do you have any more steps on how you did this?

I've been struggling all day trying to get this resolved and half of that time has been with TAC..

 

Are you authenticating, but not mapping correctly to AD (authorization)? If so, there is a chrome plugin that allows you to view the SAML assertion to verify the username matches the AD name as seen by the Palo Alto firewall. I provided a link to a site describing the tool. This was very useful when working with Cloud Identity Engine to get the names to match for Azure AD authorization for external users. I used the Chrome tool while logging into the portal web page.

For on-prem AD, we log in with user@company.com format. It just worked with the way AD was set up. For Azure external users, we had to update the Cloud Identity App to use the email address and not the EXT version of the username. It was different if you were already an Azure Tenant or not.

https://knowledge.broadcom.com/external/article/175051/how-to-gather-a-saml-trace.html

thank you for the response but i think it's fubar now it just sits and says connecting in Global Protect and eventually times out.

before this error i was getting "connection Failed" Matching client config not found.

I'll buy you a beer 

That does sound like an authorization error and could be username not matching issue. Do you also get authentication success before the matching client config message? In the PANOS CLI you can show the user and all alternate usernames. The SAML assertion has to match one of those. In the Azure external user scenario, I would log in successfully with one of the listed usernames (email address), but the SAML assertion coming back, didn't match any of them. It was the EXT version of external Azure users. This was unknown to me until I used the SAML Tracer tool while logging into the web portal.

what's puzzling me is i have an external URL that goes through the whole process i get the Azure login then i get the Duo authentication

and I'm presented with the Palo Alto page to down load the client. if i go into the PAN cli i can check the group and it's formatted with azure login format.

source type: ldap
source: Azure-Group

[1 ] testuser@domain.com

L0 Member

Hello,

For your information, I'm working on migrating my GP authentication from a legacy LDAP architecture to a cloud-based authentication using SAML.

So far, everything I've found indicates that it's not possible to use group or role attributes from SAML in any Policy or GP app configuration. I hope this information helps you.

"You can’t use group information that’s retrieved from the SAML assertion in either security policy rules or the GlobalProtect app configuration."

 

https://docs.paloaltonetworks.com/prisma-access/integration/authenticate-mobile-users/saml-authentic...

 

 

  • 31802 Views
  • 25 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!