I have the following question about Prisma Access Portal authentication, I would like to gradually move my users to use SAML authentication instead of the currently configured profile.
Can I accomplish this by using a group in the Allow List of the authentication profile. So only when you are in the group peform SAML.
How will it be known if the user is in the group before the SAML authentication?
The only way I see is after the users have logged into their Globalprotect agents is to have another authentication based on auth policy https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/authentication-policy but really I think you need to better understand what is needed.
You may check for extra info how to sync user groups from the Azure AD if you don't want to sync from on-prem device or for the Cloud identity engine to connect to a on-prem AD server:
How to use Ldap with Azure Ad:
A new feature that you can use is SCIM and the cloud identity engine without the need for service connection to the on-prem AD or to sync from on-prem firewall/agent or to pay for the Microsoft Azure Ldap feature:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!