Unable to add groups in the Include list from the GUI with OKTA LDAP
12733
Created On 02/26/19 20:33 PM - Last Modified 11/13/20 18:19 PM
Symptom
Unable to add groups in the include list from the Firewall GUI with the OKTA LDAP configured.
Environment
- PAN-OS version 8.0 or higher.
- Palo Alto Networks firewall.
- Group mapping configured against Okta's LDAP interface (LDAP server profile pointing at Okta).
Cause
The firewall GUI does not support adding group filters to the group-mapping include list when Okta is the LDAP source. The LDAP queries the GUI issues to browse and filter groups are too complex for the Okta LDAP interface, so the groups cannot be selected from the GUI. The include list itself is not affected; only the GUI's way of populating it is.
Resolution
Configure the group-mapping include list from the CLI instead. The set command takes the group DNs directly, so no directory browsing is needed.
Example below (the group mapping and the LDAP server profile are both named "Okta LDAP Silksec-s1"):
1. From the CLI, enter configuration mode:
> configure
Entering configuration mode
[edit]
admin@Lab197-110-PA-VM#
2. Configure the group mapping and its include list with set commands. An include-list entry that contains a space (here "cn=test group,...") must be enclosed in double quotes:
# set group-mapping "Okta LDAP Silksec-s1" group-object groupofuniquenames
# set group-mapping "Okta LDAP Silksec-s1" group-member uniquemember
# set group-mapping "Okta LDAP Silksec-s1" user-object inetorgperson
# set group-mapping "Okta LDAP Silksec-s1" user-name uid
# set group-mapping "Okta LDAP Silksec-s1" server-profile "Okta LDAP Silksec-s1"
# set group-mapping "Okta LDAP Silksec-s1" group-name cn
# set group-mapping "Okta LDAP Silksec-s1" email mail
# set group-mapping "Okta LDAP Silksec-s1" disabled no
# set group-mapping "Okta LDAP Silksec-s1" group-include-list [ cn=everyone,ou=groups,dc=silliker-s1,dc=oktapreview,dc=com "cn=test group,ou=groups,dc=silliker-s1,dc=oktapreview,dc=com" ]
3. Commit the changes and exit configuration mode:
# commit
# exit
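When more than a handful of Okta groups have to go into the include list, the CLI lines are easier to generate than to type. The following Python script is an added example, not part of this article or of any Palo Alto Networks tooling. It emits the same set commands as above from a list of group DNs, applies the quoting rule the article's own example shows (entries containing a space go in double quotes), trims stray whitespace around RDNs, and drops duplicates that differ only in case (LDAP DNs are case-insensitive). The mapping and server-profile names are taken from the article; the DN list is constructed sample input; the rejection of DNs containing a double quote is an assumption made here rather than a documented CLI rule.

```python
"""Generate PAN-OS 'set group-mapping' lines for an Okta LDAP include list.

Added example; not from the article or from Palo Alto Networks. Assumes the
set-command syntax shown in the article and the names/sample DNs below.
"""
import re

GROUP_MAPPING = "Okta LDAP Silksec-s1"   # group-mapping name used in the article
SERVER_PROFILE = "Okta LDAP Silksec-s1"  # LDAP server profile name used in the article

# Constructed sample input: group DNs as copied from the Okta LDAP directory.
# The third entry repeats the first in different case and must not produce a
# second include-list entry.
GROUP_DNS = [
    "cn=everyone,ou=groups,dc=silliker-s1,dc=oktapreview,dc=com",
    "cn=test group, ou=groups, dc=silliker-s1, dc=oktapreview, dc=com",
    "CN=Everyone,OU=groups,DC=silliker-s1,DC=oktapreview,DC=com",
]

# One RDN: attribute type, '=', then a non-empty value without a comma.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")


def normalize_dn(dn: str) -> str:
    """Trim whitespace around RDNs and require a group-style DN.

    The article maps group-name to cn, so the leading RDN must be cn=...;
    any other leading attribute is not something this mapping can match.
    """
    rdns = [part.strip() for part in dn.split(",")]
    if not all(_RDN.match(r) for r in rdns):
        raise ValueError(f"malformed DN: {dn!r}")
    if not rdns[0].lower().startswith("cn="):
        raise ValueError(f"leading RDN is not cn=: {dn!r}")
    return ",".join(rdns)


def quote_value(value: str) -> str:
    """Quote a CLI value the way the article quotes 'cn=test group,...'.

    Values containing whitespace are wrapped in double quotes. A value with an
    embedded double quote is rejected rather than guessing the CLI's escaping
    rules (assumption: Okta group DNs do not contain one).
    """
    if '"' in value:
        raise ValueError(f"double quote in value, cannot quote safely: {value!r}")
    return f'"{value}"' if re.search(r"\s", value) else value


def dedupe_dns(dns):
    """Normalize each DN and drop repeats that differ only in case or spacing."""
    seen, out = set(), []
    for dn in dns:
        norm = normalize_dn(dn)
        key = norm.lower()
        if key not in seen:
            seen.add(key)
            out.append(norm)
    return out


def build_set_commands(mapping, dns, server_profile=SERVER_PROFILE):
    """Return the set lines for the Okta LDAP schema used in the article."""
    m = quote_value(mapping)
    lines = [
        f"set group-mapping {m} server-profile {quote_value(server_profile)}",
        f"set group-mapping {m} group-object groupofuniquenames",
        f"set group-mapping {m} group-member uniquemember",
        f"set group-mapping {m} group-name cn",
        f"set group-mapping {m} user-object inetorgperson",
        f"set group-mapping {m} user-name uid",
        f"set group-mapping {m} email mail",
        f"set group-mapping {m} disabled no",
    ]
    members = " ".join(quote_value(dn) for dn in dedupe_dns(dns))
    lines.append(f"set group-mapping {m} group-include-list [ {members} ]")
    return lines


if __name__ == "__main__":
    print("\n".join(build_set_commands(GROUP_MAPPING, GROUP_DNS)))
```

Paste the printed lines into configuration mode, then commit. In operational mode, show user group list should then list the included DNs; a DN that is missing there usually means a typo in the DN rather than a problem with the mapping itself.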