A bit of background: We are an all-Google G Suite company. We do not have internal LDAP servers. Everyone auths to Google. We are using PA 3060s as our firewalls and VPN systems.
We are getting ready to turn on SAML authentication for GlobalProtect. We are using Google as our IdP.
I've gotten it working, but I want to make policy decisions based on the user group that we are returning in the SAML assertion.
In Google, I have a user attribute with a "role" specified for each user, and then we are passing this back to the firewalls via a attribute mapping in our SAML App definition in Google.
Within the SAML authentication profile in the firewalls, I have set the User Group attribute to "role", and when I connect to the portal through Burp Suite, I see a SAML "role" attribute being returned from Google and asserted to the firewalls.
However, I have not found a way to use this "role" attribute in client IP pool assignments or in making policy decisions. I have tried making a local group that matches the "role" value, but that does not work.
Has anyone done this, or have any insight on this?