Global Protect SAML: authentication works fails on matching client config not found. Group not matching.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Global Protect SAML: authentication works fails on matching client config not found. Group not matching.

L3 Networker

Hi,

I am trying to configure globalprotect to use SAML authentication for the portal and gateway.  The authentication seems to work but when, but i am not getting a valid client config when i use groups in allow list. 

I am sure it is related to group mapping and user id but don't know where exactly it is going wrong.

 

I have the following configuration on Azure: 

zGomez_0-1694012059685.png

zGomez_1-1694012177202.png

When authenticating i am seeing the following in the logs on the gateway.

zGomez_2-1694012661065.png

 

First it tries with username.firstname this fails then it tries with the formated version and the authentication works.

My authentication profile is configured as follows, it also has an allow list that is allowing only certain group.

zGomez_3-1694012917716.png

This seems to be working besides the fact that it tries with 2 different formats.  Then the user tries to fetch the config with the same group limitation as the authentication profile this seems to fail.  When i remove the group it works and the client can get it's config.

I have double checked the format off the groupname and both are the same.

My groupmapping is configured as follows.

 

zGomez_5-1694013360208.png

Do i need to add alternate username 1:  userpincipalname?

The problem is located somewhere over here.  I just don't understand why i works for the authentication and not for the getclient config.

Any help on this would be appreciated or some clarification on the claims vs auth/group mapping.

 

 

 

 

 

 

 

1 accepted solution

Accepted Solutions

L3 Networker

I ended up contacting Palo support and I for ones got a good engineer on the line.  

We figured out the issue was with the certificate profile, without client certificate it worked.  Normally the domain is taken from the Certificate.  For the group mapping you have to specify the NEBTIOS domain name.

 

 

zGomez_1-1694786828801.png

 

This solved the group mapping issue.

 

 

View solution in original post

1 REPLY 1

L3 Networker

I ended up contacting Palo support and I for ones got a good engineer on the line.  

We figured out the issue was with the certificate profile, without client certificate it worked.  Normally the domain is taken from the Certificate.  For the group mapping you have to specify the NEBTIOS domain name.

 

 

zGomez_1-1694786828801.png

 

This solved the group mapping issue.

 

 

  • 1 accepted solution
  • 1050 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!