This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About ASinfrastructure
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About ASinfrastructure
07-23-2021
4Posts
2Likes
0Solutions
Jul 23, 2021Last Visited
User
Activity
User
Profile
Latest posts by ASinfrastructure
| Subject | Views | Posted |
|---|---|---|
| 5829 | 07-02-2020 04:21 AM | |
| 6082 | 06-24-2020 12:33 AM | |
| 6198 | 06-18-2020 01:51 AM | |
| 6303 | 06-17-2020 07:18 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 2 Likes | 07-02-2020 04:21 AM |
User Badges
Community Statistics
| Member Since | 07-11-2018 12:42 AM |
| Date Last Visited | 07-23-2021 04:56 AM |
| Posts | 4 |
| Total Likes Received | 2 |
07-02-2020
04:21 AM
2 Kudos
Hi all this is how we got it to work: Thank you Sakhan for the help! good luck Roel
... View more
06-24-2020
12:33 AM
Hi just wanted to update that I'm doing some more testing, so for it's either portal or gateway that's working, not both 🙂 I'll post the solution when I've found it kind regards
... View more
06-18-2020
01:51 AM
Hi thank you for the reply! I setup the settings again as in the reddit post above. if I do: > debug user-id dump domain-map I get: wich is indeed our AD domain my.domain.com : my vsys1 dc=my,dc=domain,dc=com if I do: > show user user-attributes user all Primary: global\test1 Alt User Names: 1) domainname2.com\test1 2) test1@domainname2.com --> this is the user that I logged in with on the gp portal (with success) if I check another user (one that I'm not testing with): Primary: my\user2 Alt User Names: 1) my\user2 2) yuri.lupinov@domainname2.com the thing is, we have the my.domain.com as our AD domain but next to that, we have other domains the we use in our UPN so user will logon with username@domainname2.com or username@domainname3.com depending on where they work. so portal logon works. if i want to connect with the gp client, it just hangs on connecting authd last message is: find domain for auth profile: SAML; vsys vsys1 I also see: Sent PAN_AUTH_SUCCESS SAML response:(authd_id: 6792859029119963731) (return username 'dh9FF4rL/1jWq/Pg+UoU6kqL10m3qVX8Qd5lEuZHq2w=') (auth profile 'SAML') (NameID 'dh9FF4rL/1jWq/Pg+UoU6kqL10m3qVX8Qd5lEuZHq2w=') (SessionIndex '_ca94283d-5144-49de-8602-31eccb617157') (Single Logout enabled? 'Yes') so it's not sending me any domain\user info I guess the next step would be to have the adfs send domain\user info? any idea's on how to setup the claims then in ADFS? I've tried testing with samaccountame, but it then send me test1,my\test1 so both versions while I was sending only 1 claim. kind regards
... View more
06-17-2020
07:18 AM
Hi Everyone We are currently using GP with LDAP as an authentication method. This works like charm. Now, we want to start using the AZURE MFA option that we have configured on our ADFS servers. I’ve managed to setup the SAML between the ADFS servers (2016) and the palo alto but I can’t seem to get the VPN working. I’ve followed this guide to setup the SAML authentication. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-saml-authentication.html Unfortunately, after following this guide, it didn’t work. I didn’t get any assertation values. I then removed the certificate from the ADFS server in the relaying party trust. Now I’m seeing the incoming claims but still no luck. Then I found this article: https://www.reddit.com/r/paloaltonetworks/comments/8gsp9b/saml_sso_with_microsoft_adfs/ and this: https://live.paloaltonetworks.com/t5/general-topics/adfs-saml-configuration/td-p/144886/page/2 I added the 5 claims and set my user attributes. Hooray I’m able to login to the portal now. However, if I try to login with the global protect client, I get the question to login to my ADFS but then the client hangs on connecting. If I check the authd log, I see that it uses a username consisting of letters and numbers. Next step. I removed the all the claims and I’m now sending samaccountname as a claim and I changed the username attribute also to samaccountname on the palo alto. I see the username name now in the authd log, but login does not work. The reason was that on the gateway, I configured to only allow only certain groups to be able to login to the gateway. If I set those users to any, the logon works! The bad news is, now I’m unable to login to the portal. I guess I’m having a problem setting the correct claims but I’m not sure to what exactely. Anyone that has a similar setup that wants to share their configuration please? 😊 Thanks
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-23-2021
04:56 AM
|
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks