Consuming user group in GlobalProtect SAML Authentication


A bit of background: We are an all-Google G Suite company. We do not have internal LDAP servers. Everyone auths to Google. We are using PA 3060s as our firewalls and VPN systems.

We are getting ready to turn on SAML authentication for GlobalProtect. We are using Google as our IdP.

I've gotten it working, but I want to make policy decisions based on the user group that we are returning in the SAML assertion.

In Google, I have a user attribute with a "role" specified for each user, and then we are passing this back to the firewalls via an attribute mapping in our SAML App definition in Google.

Within the SAML authentication profile in the firewalls, I have set the User Group attribute to "role", and when I connect to the portal through Burp Suite, I see a SAML "role" attribute being returned from Google and asserted to the firewalls.

However, I have not found a way to use this "role" attribute in client IP pool assignments or in making policy decisions. I have tried making a local group that matches the "role" value, but that does not work.

Has anyone done this, or have any insight on this?

Regards,

Mark
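The post describes capturing the SAML response in Burp and eyeballing the "role" attribute. The script below is an added example, not part of the original post or of Palo Alto Networks' software: it decodes the base64 SAMLResponse form parameter that the IdP POSTs to the portal's ACS URL, lists every Attribute Name with its AttributeValue(s), and checks for an exact string match against the group name you intend to reference in policy. The sample response embedded in it is constructed (the issuer, ACS URL, NameID and role values are placeholders), and the script deliberately does no signature validation; it is a diagnostic for an assertion you already captured, so that a mismatch in the attribute Name (the value the authentication profile's User Group attribute field has to equal) or a case or whitespace difference in the group value shows up as a concrete failed comparison rather than something that looks right in the proxy.

```python
"""Inspect the attributes carried in a captured SAML Response.

Added example (not from the original post). Decodes the SAMLResponse POST
parameter an IdP such as Google sends to the SP's ACS URL and prints the
NameID plus every Attribute Name and its values. No signature checking is
done here; this is purely for confirming what the IdP is asserting.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal, unsigned SAML Response with an email NameID
# and a multi-valued "role" attribute, the shape an IdP attribute mapping
# would produce. Issuer, ACS URL and values are placeholders.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2019-01-01T00:00:00Z" Destination="https://vpn.example.com:443/SAML20/SP/ACS">
  <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="role">
        <saml:AttributeValue>engineering</saml:AttributeValue>
        <saml:AttributeValue>vpn-admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the SAMLResponse form field would look like on the wire (before URL encoding).
SAMPLE_SAMLRESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_saml_response(samlresponse_b64: str) -> dict:
    """Decode a SAMLResponse value and return its NameID and attributes.

    Returns {"name_id": str or None, "attributes": {Name: [value, ...]}}.
    Attribute names are taken from the Name XML attribute, which is the
    string an SP compares its configured group attribute name against.
    """
    xml_bytes = base64.b64decode(samlresponse_b64)
    root = ET.fromstring(xml_bytes)

    name_id_el = root.find(".//saml:Subject/saml:NameID", NS)
    name_id = None
    if name_id_el is not None and name_id_el.text:
        name_id = name_id_el.text.strip()

    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attributes.setdefault(name, []).extend(values)

    return {"name_id": name_id, "attributes": attributes}


def group_attribute_matches(parsed: dict, group_attribute: str, expected_group: str) -> bool:
    """True if the assertion carries group_attribute with a value exactly
    equal to expected_group. The comparison is exact and case-sensitive on
    purpose: a group name differing only in case or trailing whitespace
    looks identical in a proxy view but will not match as a string.
    """
    return expected_group in parsed["attributes"].get(group_attribute, [])


if __name__ == "__main__":
    parsed = parse_saml_response(SAMPLE_SAMLRESPONSE_B64)
    print("NameID:", parsed["name_id"])
    for name, values in parsed["attributes"].items():
        print(f"Attribute {name!r}: {values}")
    print("role has 'engineering':", group_attribute_matches(parsed, "role", "engineering"))
    print("role has 'Engineering':", group_attribute_matches(parsed, "role", "Engineering"))
    print("memberOf has 'engineering':", group_attribute_matches(parsed, "memberOf", "engineering"))
```

To use it on a real capture, copy the SAMLResponse value from the POST to the ACS URL in Burp, URL-decode it, and pass it to parse_saml_response(). The three printed checks mirror the two things worth confirming before blaming the firewall configuration: that the attribute is named exactly what the User Group attribute field says, and that the value is byte-for-byte the group name you are matching on.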
