Hi everyone,

We are currently using GP with LDAP as an authentication method. This works like a charm. Now we want to start using the Azure MFA option that we have configured on our ADFS servers. I've managed to set up the SAML between the ADFS servers (2016) and the Palo Alto, but I can't seem to get the VPN working.

I've followed this guide to set up the SAML authentication: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-saml-authentication.html

Unfortunately, after following this guide, it didn't work. I didn't get any assertion values. I then removed the certificate from the ADFS server in the relying party trust. Now I'm seeing the incoming claims, but still no luck.

Then I found this article: https://www.reddit.com/r/paloaltonetworks/comments/8gsp9b/saml_sso_with_microsoft_adfs/ and this: https://live.paloaltonetworks.com/t5/general-topics/adfs-saml-configuration/td-p/144886/page/2

I added the 5 claims and set my user attributes. Hooray, I'm able to log in to the portal now. However, if I try to log in with the GlobalProtect client, I get the prompt to log in to my ADFS, but then the client hangs on connecting. If I check the authd log, I see that it uses a username consisting of letters and numbers.

Next step. I removed all the claims and I'm now sending samaccountname as a claim, and I changed the username attribute on the Palo Alto to samaccountname as well. I see the username now in the authd log, but login does not work. The reason was that on the gateway, I configured it to allow only certain groups to log in to the gateway. If I set those users to any, the logon works! The bad news is, now I'm unable to log in to the portal.

I guess I'm having a problem setting the correct claims, but I'm not sure what exactly. Anyone that has a similar setup that wants to share their configuration, please? 😊

Thanks
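The two symptoms in the post (an opaque identifier appearing as the username in authd, and group-restricted gateway logins failing until the gateway is set to "any") both come down to which parts of the SAML assertion get mapped to username and group. The following is an added example, not code from the original post or from Palo Alto Networks: it parses a constructed SAML Response and shows what a profile sees when a username attribute is or is not configured, and why a group allow-list can never match if the IdP sends no group attribute. The attribute names `samaccountname` and `groups`, the group value `VPN-Users`, and the `authorize` rule are assumptions made for illustration; the real claim names on an ADFS relying party trust depend on how the claim rules are written.

```python
"""Model of SAML username/group attribute mapping for a VPN-style login.

Added example (not from the original post or from the vendor). The SAML
Response below is constructed for illustration; the attribute names
'samaccountname' and 'groups' are assumptions, not a documented schema.
"""
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the NameID is an opaque persistent identifier (the
# "letters and numbers" the author saw in authd), while the human-readable
# account name and group memberships only exist as attributes.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
        a1b2c3d4e5f6
      </saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="samaccountname">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>VPN-Users</saml:AttributeValue>
        <saml:AttributeValue>Domain Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_assertion(xml_text):
    """Return (name_id, {attribute_name: [values]}) from a SAML Response."""
    root = ET.fromstring(xml_text)
    name_id_el = root.find(".//saml:Subject/saml:NameID", NS)
    name_id = None
    if name_id_el is not None and name_id_el.text:
        name_id = name_id_el.text.strip()
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def resolve_username(name_id, attrs, username_attribute=None):
    """Pick the login name the way a profile with a 'username attribute'
    setting would (assumed behaviour): use that attribute when the IdP sent
    it, otherwise fall back to the NameID. The fallback is what produces an
    opaque identifier in the logs when no usable attribute is mapped."""
    if username_attribute and attrs.get(username_attribute):
        return attrs[username_attribute][0]
    return name_id


def authorize(attrs, group_attribute, allowed_groups):
    """Allow-list check on a group attribute (assumed gateway-style rule).
    allowed_groups=None models 'any'. If the IdP sends no group attribute,
    a non-empty allow-list can never match, so every login is denied."""
    if allowed_groups is None:
        return True
    groups = set(attrs.get(group_attribute, []))
    return bool(groups & set(allowed_groups))


if __name__ == "__main__":
    nid, attributes = parse_assertion(SAMPLE_RESPONSE)
    print("NameID only            :", resolve_username(nid, attributes))
    print("samaccountname mapped  :", resolve_username(nid, attributes, "samaccountname"))
    print("groups sent, allow-list:", authorize(attributes, "groups", ["VPN-Users"]))
    # Same user, but the IdP was configured to send only the account name.
    print("no groups, allow-list  :", authorize({"samaccountname": ["jdoe"]}, "groups", ["VPN-Users"]))
```

Running it prints the opaque NameID when no username attribute is mapped, `jdoe` when `samaccountname` is mapped, `True` for the allow-list check while the group attribute is present, and `False` once the response carries only the account name. When diagnosing a setup like the one in the post, capturing the actual assertion the IdP sends and feeding it to `parse_assertion` shows directly which attribute names exist to be mapped on the firewall side.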