We did this with Azure AD as well. Our basic setup is as follows:

1. Configure the LDAP Server profile for the on-premise AD infrastructure (Base DN is in the following format: "DC=domain,DC=local").
2. Configure the SAML IdP to work with Azure AD.
3. Configure Group Mapping using the LDAP profile. On the "User and Group Attributes" tab, we swapped "Primary Username" to be "userPrincipalName" and "Alternate Username 1" to be "sAMAccountName". This way the SAML username attribute matches the LDAP username attribute.

On the GlobalProtect side, we specified the group in the configs in the following format: "CN=User Group Name,OU=org unit,DC=domain,DC=local"

When we tried it in the "domain\group name" format, we had no success, but we found a post on Reddit that suggested trying either format to see what works in your environment. Apparently the format is dependent on how your AD infrastructure is set up.