06-01-2022 12:07 PM
Hi Team,
I have configured Azure AD SAML in GP portal but am unable to access the portal, getting the error
"Username from SAML SSO response is different from the input"
Please share your thoughts on this.
06-07-2022 06:07 AM
Azure SAML by default will return the username as the UPN of the username attribute in Azure. This can usually be solved by just having the primary username attribute set to userPrincipalName on your group mapping profile.
05-02-2024 11:48 AM
Does anyone have any additional insight into this error? Currently trying to move existing GP Gateway Client Settings from an "any" user selection to a specific group selection for differing GP options based on user. It worked in testing on one Gateway, but after rolling out it started randomly failing across all Gateways with this "Username from SAML SSO response is different from the input" error.
I was previously using userPrincipalName as the Username Attribute in my Authentication Profile for SSO, which worked but didn't really meet our userID needs. This is due to Azure using a UPN in the form "user.name@example.com" and our internal AD using the form "example.local\user.name". I created a custom claim "paloaltologin" using a transform in the Azure SAML config to give the correct format. I then call "paloaltologin" from the SAML as the Username Attribute in the PA.
It worked great in testing, but now fails after the GP client submits the correct username format "example.local\User.Name", but the PA seems to test against "User.Name" instead and I'm not sure where that is coming from.
Portal/Gateway | Stage | Event | Status | Source User | Description/Error |
GW-A | before-login | gateway-prelogin | success | SAML request sent | |
GW-A | login | gateway-auth | success | example.local\User.Name | Auth latency: 3ms, profile: AzureSSO-custom |
GW-A | login | gateway-auth | failure | User.Name | Username from SAML SSO response is different from the input |
GW-B | before-login | gateway-prelogin | success | | |
GW-B | login | gateway-auth | success | user.name@example.com | Auth latency: 3ms, profile: AzureSSO |
GW-B | login | gateway-auth | success | user.name@example.com | |
GW-B | login | gateway-register | success | user.name@example.com | |
GW-B | configuration | gateway-getconfig | success | user.name@example.com | Config name: GW-B |
The only difference between AzureSSO and AzureSSO-custom Authentication Profiles is that the Username attribute has been changed from default claim "userprincipalname" to custom claim "paloaltologin".
There is PAN-221857 which produces the "Username from SAML SSO response..." error, but that shows as fixed in 10.2.8 and we are running 10.2.9-h1.
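An added diagnostic example, not part of the original posts and not Palo Alto's code: it reads the username claim out of a SAML assertion and classifies how it differs from each "Source User" value in the log above. The assertion XML is constructed, and the comparison categories are this example's own assumptions, not PAN-OS's matching logic.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion (not captured from a real tenant).
SAMPLE = r"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>user.name@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="paloaltologin">
      <saml:AttributeValue>example.local\User.Name</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def claim_value(assertion_xml, claim):
    """Return the first value of the named attribute, or None if absent."""
    # Diagnostic only: no signature validation; do not feed untrusted XML.
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == claim:
            val = attr.find("saml:AttributeValue", NS)
            return val.text.strip() if val is not None and val.text else None
    return None

def split_user(name):
    """Split DOMAIN\\user or user@domain into (domain, user); domain may be ''."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
    elif "@" in name:
        user, domain = name.rsplit("@", 1)
    else:
        domain, user = "", name
    return domain, user

def classify(input_name, other):
    """Describe how two username strings differ (assumed categories)."""
    if other is None:
        return "claim-missing"
    if input_name == other:
        return "identical"
    if input_name.lower() == other.lower():
        return "case-only"
    (d1, u1), (d2, u2) = split_user(input_name), split_user(other)
    if u1.lower() == u2.lower():
        return "domain-stripped" if not (d1 and d2) else "domain-differs"
    return "different-user"

if __name__ == "__main__":
    claim = claim_value(SAMPLE, "paloaltologin")
    for seen in (r"example.local\User.Name", "User.Name", "user.name@example.com"):
        print(f"{seen!r:32} vs claim {claim!r}: {classify(seen, claim)}")
```

Running it against a decoded assertion from a failing login shows whether the claim itself carries the short form or whether the domain is lost after the assertion is issued.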