09-06-2023 08:23 AM
Hi,
I am trying to configure GlobalProtect to use SAML authentication for the portal and gateway. The authentication seems to work, but I am not getting a valid client config when I use groups in the allow list.
I am sure it is related to group mapping and User-ID, but I don't know where exactly it is going wrong.
I have the following configuration on Azure:
When authenticating i am seeing the following in the logs on the gateway.
First it tries with username.firstname; this fails, then it tries with the formatted version and the authentication works.
My authentication profile is configured as follows; it also has an allow list that allows only a certain group.
This seems to be working, apart from the fact that it tries with two different formats. Then the user tries to fetch the config with the same group limitation as the authentication profile, and this seems to fail. When I remove the group it works and the client can get its config.
I have double-checked the format of the group name and both are the same.
My group mapping is configured as follows.
Do I need to add alternate username 1: userPrincipalName?
The problem is located somewhere around here. I just don't understand why it works for the authentication and not for the get client config.
Any help on this would be appreciated, or some clarification on the claims vs. auth/group mapping.
09-15-2023 07:07 AM
I ended up contacting Palo support and for once got a good engineer on the line.
We figured out the issue was with the certificate profile; without the client certificate it worked. Normally the domain is taken from the certificate. For the group mapping you have to specify the NetBIOS domain name.
This solved the group mapping issue.
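The mismatch the accepted answer describes (authentication succeeds, but the group-based allow list does not match the same user) comes down to how the identity is keyed. The following is an added, constructed model of that behaviour; it is not PAN-OS code, and the names `GroupMapping`, `domain_map`, `members` and `upn_index` are assumptions made for illustration. It assumes what the thread states: SAML delivers the user as a UPN (`user@dns.domain`), while group membership learned from the directory is keyed as `NETBIOS\sAMAccountName`, so without a DNS-to-NetBIOS domain mapping (or an alternate username attribute such as userPrincipalName) the lookup has nothing to join on.

```python
"""Model of User-ID username normalization for group-based allow lists.

Added, constructed example: not PAN-OS code. The data structures below are
assumptions used to illustrate the thread's explanation, not the firewall's
real internals.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class GroupMapping:
    """What a group-mapping profile effectively gives the firewall to work with."""
    # DNS domain -> NetBIOS name. Empty when no NetBIOS domain is configured,
    # which is the misconfiguration the accepted answer fixed.
    domain_map: dict[str, str] = field(default_factory=dict)
    # group name -> members, stored as NETBIOS\sAMAccountName (sam lower-cased).
    members: dict[str, set[str]] = field(default_factory=dict)
    # userPrincipalName -> NETBIOS\sAMAccountName, only populated when an
    # alternate username attribute such as userPrincipalName is configured.
    upn_index: dict[str, str] = field(default_factory=dict)


def canonicalize(identity: str, mapping: GroupMapping) -> str | None:
    """Reduce the identity delivered by the authentication source to the
    NETBIOS\\sam form used as the group-membership key.

    Returns None when the domain part cannot be mapped; that is the case where
    plain authentication still succeeds but every group check fails."""
    ident = identity.strip()
    if "@" in ident:  # UPN, e.g. jsmith@corp.example.com (typical SAML NameID)
        canon = mapping.upn_index.get(ident.lower())
        if canon:
            return canon
        user, dns_domain = ident.rsplit("@", 1)
        netbios = mapping.domain_map.get(dns_domain.lower())
        return f"{netbios}\\{user.lower()}" if netbios else None
    if "\\" in ident:  # DOMAIN\user; DOMAIN may be NetBIOS or DNS style
        domain, user = ident.split("\\", 1)
        if domain.upper() in mapping.domain_map.values():
            return f"{domain.upper()}\\{user.lower()}"
        netbios = mapping.domain_map.get(domain.lower())
        return f"{netbios}\\{user.lower()}" if netbios else None
    return None  # bare username: no domain to key on


def authenticate(identity: str, idp_users: set[str]) -> bool:
    """IdP side: the SAML assertion only proves the subject exists."""
    return identity.lower() in idp_users


def allowed_by_group(identity: str, allow_groups: list[str], mapping: GroupMapping) -> bool:
    """Allow-list check as used for the client config: membership is keyed on
    the canonical NETBIOS\\sam form, so an unmappable identity is denied."""
    canon = canonicalize(identity, mapping)
    if canon is None:
        return False
    return any(canon in mapping.members.get(g, set()) for g in allow_groups)


# Constructed sample data: the domain, user and group names are invented.
IDP_USERS = {"jsmith@corp.example.com"}
GROUPS = {"cn=gp-users,ou=groups,dc=corp,dc=example,dc=com": {"CORP\\jsmith"}}
ALLOW = ["cn=gp-users,ou=groups,dc=corp,dc=example,dc=com"]

BROKEN = GroupMapping(members=GROUPS)  # no NetBIOS domain configured
FIXED = GroupMapping(domain_map={"corp.example.com": "CORP"}, members=GROUPS)
WITH_UPN = GroupMapping(members=GROUPS,
                        upn_index={"jsmith@corp.example.com": "CORP\\jsmith"})


def demo() -> dict[str, bool]:
    """Authentication passes in every case; only the config allow-list differs."""
    user = "jsmith@corp.example.com"
    return {
        "auth": authenticate(user, IDP_USERS),
        "config_broken": allowed_by_group(user, ALLOW, BROKEN),
        "config_fixed": allowed_by_group(user, ALLOW, FIXED),
        "config_upn_alt": allowed_by_group(user, ALLOW, WITH_UPN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows authentication succeeding for all three mappings while the allow-list check fails only for the mapping with no NetBIOS domain, which is the symptom in the original post. Either fix in the thread (configuring the NetBIOS domain, or an alternate username attribute such as userPrincipalName) gives the lookup a key that matches the stored group members.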