This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

AD Group Mapping - Azure SAML Auth

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

AD Group Mapping - Azure SAML Auth

bmeche
L0 Member

‎06-21-2021 04:02 PM

Any documentation on how to setup AD Group Mapping when using Azure AD SAML instead of LDAP as the authentication source. I did configure the LDAP servers and am using the long-name in the group policies but the policies aren't mapping the user to the AD group as I'd expect. 

8 people had this problem.
0 Likes Likes
6 REPLIES 6

DavidMaas1
L1 Bithead

‎06-29-2021 02:37 PM

I be interested as well.

0 Likes Likes

NikolayDimitrov
L3 Networker

‎08-05-2021 04:29 AM

You can see the article from Okta and use it for Azure AD, you just need to find the Azure AD documentation how to set the atributes:

 

 

https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-GlobalProtect.h...

0 Likes Likes

PiankaMariusz
L1 Bithead

‎06-14-2022 06:18 AM - edited ‎06-14-2022 06:19 AM

Hi There,

I arrived here to seek for answer to a problem that I could not find an answer to anywhere.

In fact, I still didn't find it but having access to lab, and some thought got me the desired result.

 

So what is it.

If you have setup a Security Web Policy based on LDAP Groups, and you authenticate using Kerberos/LDAP AD , PAN will identify you as domain\user.name

You have some influence over how domain\ will look, but overall PAN will identify the user and will know groups you are a memeber of.

Now, you want to introduce AzureAD SAML authentication.

You found the article and followed it to the letter: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE

You were able to authenticate, and get connected so what's the problem?

 

The problem is that your user name is no longer domain\user.name but now it is user.name@emailaddress.com , it is the account you have used to authenticate against Azure AD.

The user no longer matches any groups and the desired access for this user or group of users no longer works.

 

I found that the Attributes in the article  do not contain group attribute.

 

PiankaMariusz_0-1655212078224.png

 

Under AzureAD Portal for Single-Sign on I've added the attribute then for Security Groups

PiankaMariusz_1-1655212200554.png

 

Its under "Add a Group Claim"

Source Attribute: GroupID
Customize the name of the group claim: Group

 

All these is case sensitive(apparently)

 

Once you have the extra attribute, export the XML and Import to Palo.

Import it as Authentication Profile and add Group attribute you created:

PiankaMariusz_2-1655212422246.png

 

When I log in using SAML now, I have different view:

The User: shows the email address I used to authenticate.

The Primary User name is domain\user.name

 

Firewall can "match" the SAML account I used to the local AD.

 

Now, interesting part to some is the fact that I do not use Active Sync. My Local domain is entirely different to Azure AD. They are seperate.


I do have email attribute populated in my AD as the account I use with Azure though.

Hope this helps someone.

 

Cheers

Mariusz

 

 

 

 

 

 

 

 

 

 

 

 

Carleton
L3 Networker

‎08-15-2022 08:30 AM

You do not need to add a group attribute, and it will not work for login control using groups. If you change the username attribute to match the settings below and have LDAP configured for userID Groups will work even for Prelogin. users will still login as before only the username submitted will be using local domain username format 🙂

2022-08-15_10-24-42.jpg

0 Likes Likes

Carleton
L3 Networker
In response to Carleton

‎08-15-2022 10:52 AM

It does not affect prelogin as no user credentials have b been processed yet. A typo on my part

 

0 Likes Likes

SanilHande
L1 Bithead
In response to PiankaMariusz

‎11-14-2022 03:37 AM

Hi , Have you tried this in LAB and or in your environment, is it working and are you able user AD groups also on PA   

0 Likes Likes
  • 12565 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks