The user information linked in the CIE does not match the match criteria in the GP's application settings.


L0 Member

We would like to know the user information that corresponds to the GP sign-in account and tunnel settings and other matching conditions.

We are currently verifying SAML login and SSO in our verification environment.
In the GP application and tunnel settings, we have specified the user information obtained from the Entra ID as the matching condition, but we have not found the desired setting, and we are applying the application and tunnel settings that have “any” set as the matching condition in the subordinate settings.

SAML authentication using the CIE authentication profile has succeeded without any problems, and authentication using the SAML authentication profile has also succeeded without any problems.

In addition, we are currently specifying a user who is displayed in the “username@domain” format as a match condition (we are aware that this format is displayed by setting the primary user name to UPN on the SCM).
On the other hand, when the actual GP connection is made, the intended application settings and tunnel settings are not used, and other settings with any match condition are applied.

◆Reference documents for initial environment construction
・SCIM linking of CIE and Entra ID
Configuration of SCIM connector for Cloud Identity Engine
・SAML authentication using CIE
https://docs.paloaltonetworks.com/prisma-access/integration/microsoft-integrations-with-prisma-acces...

Prisma Access configuration
・Both Group Mapping and SAML authentication are configured via Cloud Identity Engine (CIE) with SCIM connector.
The matching condition for tunnel and application settings is the user obtained from Entra ID, and the relevant settings have been moved to the top of the list.
There is no problem with the GP connection.
For NGFW and Prisma Access>ID Service>CIE>User Attributes, the user principal name (UPN) is selected as the primary name. Alternative user names and mail fields are set to None.
In the CIE, the linked users are visible, and the Sync Status is Success.

We have configured the system based on the document, but because the assumed GP application settings and tunnel settings are not being used, we have changed the Entra ID settings as follows.
Entra ID settings
The following settings have been changed to UPN in the Palo Alto Networks SCIM Connector and Palo Alto Networks Cloud Identity Engine of the enterprise application.
Home>Default Directory>Enterprise Applications>Palo Alto Networks SCIM Connector>Provisioning>Mapping>Provision Microsoft Entra ID Users
-> The Microsoft Entra ID attributes mapped to the PaloAltoNetworks attributes userName and displayName are both changed to UPN.
Home>Default Directory>Enterprise Applications>Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service>Single Sign-On>Attributes and Claims>Change the unique username value to UPN.

◆Questions:
We believe that there is no applicable section in the SCM configuration except NGFW and Prisma Access>ID Service>CIE>User Attributes, and we assume that the Entra ID side may be returning user information other than UPNs.
Therefore, we would like to know two points.

Question 1: Are there any settings required on the Entra ID side for SCIM linkage other than the settings listed in the configuration details?
Question 2: We do not think there are any settings other than NGFW and Prisma Access>ID Service>CIE>User Attributes in SCM. Is this correct?
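As an added illustration (not part of the post and not Palo Alto Networks code), the following Python helper takes a constructed SCIM user record of the kind Entra ID provisions and the identity a SAML assertion presents at GlobalProtect login, normalizes both to a common form, and reports which SCIM attribute the login identity actually matches. It assumes, for the purpose of the check, that the match rule is a plain comparison of the login username against the CIE primary username attribute; all attribute values and claim names are constructed sample data.

```python
"""Added diagnostic example: compare the username a SAML login presents
against the attributes of the SCIM-provisioned user record, so a mismatch
between e.g. mail and UPN can be spotted before touching match rules.
Assumption (not documented here): the GP rule compares the login username
string against the CIE primary username attribute."""
import re

# Constructed SCIM user as Entra ID might provision it (all values made up).
SCIM_USER = {
    "userName": "jdoe@example.com",
    "displayName": "John Doe",
    "emails": [{"value": "john.doe@example.com", "primary": True}],
    "name": {"givenName": "John", "familyName": "Doe"},
}

# Constructed SAML claims as presented at login (claim names and values made up).
SAML_CLAIMS = {
    "NameID": "john.doe@example.com",
    "upn": "jdoe@example.com",
}


def normalize(identity: str) -> str:
    """Canonicalize 'DOMAIN\\user', 'user@domain' and bare 'user' to lowercase 'user@domain' / 'user'."""
    identity = identity.strip().lower()
    m = re.fullmatch(r"([^\\]+)\\([^\\]+)", identity)
    if m:
        domain, user = m.groups()
        return f"{user}@{domain}"
    return identity


def candidate_names(scim_user: dict) -> dict:
    """Attribute values in the SCIM record that a match rule could be keyed on."""
    names = {"userName": scim_user.get("userName", ""),
             "displayName": scim_user.get("displayName", "")}
    for i, entry in enumerate(scim_user.get("emails", [])):
        names[f"emails[{i}].value"] = entry.get("value", "")
    return names


def diagnose(scim_user: dict, login_identity: str) -> dict:
    """Return which SCIM attribute(s) the login identity equals after normalization."""
    target = normalize(login_identity)
    matches = [k for k, v in candidate_names(scim_user).items() if normalize(v) == target]
    return {"login": target,
            "matches_userName": "userName" in matches,
            "matching_attributes": matches}


if __name__ == "__main__":
    for claim, value in SAML_CLAIMS.items():
        print(claim, diagnose(SCIM_USER, value))
```

A login that matches only an email attribute but not userName is the situation in which a rule keyed on the primary username would fall through to the "any" settings.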
