09-27-2022 12:34 PM - edited 09-28-2022 06:56 AM
Our AD forest is yz.abc.com.
We have GP working with LDAP, but the user has to enter creds as yz\user.
The SAML profile is only configured for test portal authentication separately; no agent configuration has been done yet.
When I access the portal in a browser, I get this error, although the SAML profile allows all users:
SAML SSO authentication failed for user \'user@abc.com\'. Reason: User is not in allowlist. auth profile \'SAML-VPN-TEST\', vsys \'vsys1\', server profile \'SAML-VPN-TEST\', IdP entityID \'https://sts.windows.net/........................
Some people had suggested NTP, but that is already configured, and I swapped it with the secondary NTP as well, but that does not help. How can I resolve this?
Earlier, the user.UserPrincipalName claim sent by Azure was user@abc.com.
After transformation, I extracted only the username part. You may be able to notice by the length of it in the logs that now there is no @abc.com in the username, and I verified with SAML tracer as well, but I am still getting the same error.
10-03-2022 08:07 AM
The issue is mentioned in this KB, but we are still multi-vsys and the authentication profile was shared. Cloning the profile to vsys1 solved the issue.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgkCAC