Hi there,

I arrived here looking for an answer to a problem that I could not find an answer to anywhere. In fact, I still haven't found it, but having access to a lab, and some thought, got me the desired result. So what is it?

If you have set up a Security Web Policy based on LDAP groups, and you authenticate using Kerberos/LDAP AD, PAN will identify you as domain\user.name. You have some influence over how domain\ will look, but overall PAN will identify the user and will know the groups you are a member of.

Now, you want to introduce Azure AD SAML authentication. You found the article and followed it to the letter: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE

You were able to authenticate and get connected, so what's the problem? The problem is that your user name is no longer domain\user.name but is now user.name@emailaddress.com, the account you used to authenticate against Azure AD. The user no longer matches any groups, and the desired access for this user or group of users no longer works.

I found that the attributes in the article do not contain a group attribute. Under the Azure AD portal for Single Sign-on I've added the attribute; for Security Groups it's under "Add a Group Claim":

    Source Attribute: GroupID
    Customize the name of the group claim: Group

All of this is case sensitive (apparently).

Once you have the extra attribute, export the XML and import it to Palo. Import it as an Authentication Profile and add the Group attribute you created.

When I log in using SAML now, I have a different view:

    The User: shows the email address I used to authenticate.
    The Primary User name is domain\user.name

The firewall can "match" the SAML account I used to the local AD.

Now, the interesting part to some is the fact that I do not use Active Sync. My local domain is entirely different to Azure AD. They are separate. I do have the email attribute populated in my AD as the account I use with Azure, though.

Hope this helps someone.

Cheers
Mariusz
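Added example (not part of the original post, and not Palo Alto Networks or Microsoft code): a small Python checker for the SAML assertion that Azure AD returns after the group claim has been added. It is useful when the login works but group matching does not, because it shows exactly which attribute names and values the firewall receives before you compare them with the names typed into the authentication profile. The assertion below is constructed for illustration; the attribute name "Group", the NameID, the group object IDs and the mail-to-account table are all assumptions, and the table only stands in for the lookup the firewall itself does against the local AD.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real capture). NameID is the Azure AD
# sign-in name; the "Group" attribute carries group object IDs, which is what
# Azure AD emits when the claim's source attribute is Group ID rather than a
# group name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user.name@emailaddress.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>66666666-7777-8888-9999-000000000000</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed stand-in for the on-prem AD: mail attribute -> (NetBIOS domain,
# sAMAccountName). The real match is done by the firewall against LDAP.
LOCAL_AD_BY_MAIL = {
    "user.name@emailaddress.com": ("DOMAIN", "user.name"),
}


def parse_assertion(xml_text):
    """Return the NameID and every attribute (name -> list of values)."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": name_id.text if name_id is not None else None,
        "attributes": attributes,
    }


def get_group_claim(parsed, expected_name):
    """Look up the group attribute exactly as configured on the firewall.

    The lookup is deliberately case sensitive: an assertion carrying "Group"
    does not satisfy a profile that asks for "group".
    """
    return parsed["attributes"].get(expected_name)


def map_to_primary_username(name_id, ad_by_mail=LOCAL_AD_BY_MAIL):
    """Resolve the SAML sign-in name to DOMAIN\\sAMAccountName via the mail attribute.

    Returns None when no local account has that mail value, which is the case
    where group-based policy silently stops matching.
    """
    if name_id is None:
        return None
    entry = ad_by_mail.get(name_id.lower())
    if entry is None:
        return None
    domain, sam_account = entry
    return f"{domain}\\{sam_account}"


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print("NameID:", parsed["name_id"])
    print("Attributes present:", sorted(parsed["attributes"]))
    print("Group claim ('Group'):", get_group_claim(parsed, "Group"))
    print("Group claim ('group'):", get_group_claim(parsed, "group"))
    print("Primary user name:", map_to_primary_username(parsed["name_id"]))
```

To use it on a real login, take the base64-decoded SAMLResponse from a browser SAML trace, pass the Assertion element to parse_assertion, and compare the attribute names it prints with the ones in the firewall's authentication profile character for character. The two things worth noticing are that the group values are object IDs, not the group names you see in the Azure portal, and that the sign-in name only becomes a usable domain\user.name if some attribute on the local account carries that exact mail value.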