Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
How to retrieve group mapping based on SAM or UPN format - Knowledge Base - Palo Alto Networks

How to retrieve group mapping based on SAM or UPN format

22611
Created On 05/23/22 07:29 AM - Last Modified 06/28/23 03:53 AM


Objective


  • In the diagram below, LDAP server is  configured with two groups.
  • All users under both groups have their respective sAMAccountName (SAM), and userPrincipalName (UPN) attributes configured.
  • The article provides configuration of the firewall to retrieve group Network Admin's SAM attribute and the group Finance's UPN attribute.

LDAP.png
 
 

Environment


  • Palo Alto Firewalls
  • PAN-OS 9.1.x and above
  • User-ID configured
  • LDAP configured.

Procedure


 

Configuration to retrieve SAM group mapping format


    1.GUI: Device > User Identification > Add 
Tab: Server Profile
Name: SAMgroupmapping
Server Profile: Choose the appropriate LDAP server profile
Group Object > Object Class: group
User Object > Object Class: user
Enabled: check
 
SAM1.png
  1. Tab: User and Group Attributes
User Attributes > Name > Primary Username: sAMAccountName
User Attributes > Name > E-Mail: mail
User Attributes > Name > Alternate Username 1: userPrincipalName
SAM2.png
  1. Tab: Group Include List
From Available Group move mylab\networkadmin to Include Groups
SAM3.png
  1. Click OK to submit

 

Configuration to retrieve UPN group mapping format

  1.     GUI: Device > User Identification > Add
Tab: Server Profile
Name: UPNgroupmapping
Server Profile: Choose the appropriate LDAP server profile
Group Object > Object Class: group
User Object > Object Class: user
Enabled: check
UPN1.png
  1. Tab: User and Group Attributes
User Attributes > Name > Primary Username:  userPrincipalName
User Attributes > Name > E-Mail: mail
User Attributes > Name > Alternate Username 1:  sAMAccountName
UPN2.png
  1. Tab: Group Include List
From Available Group move mylab\finance to Include Groups column
UPN3.png
  1.  Click OK to submit
  2. Commit to save
 

Result for SAM group mapping:

SAMresults.png

Result for UPN group mapping:

UPNresults.png

 

Additional Information


 

  • SAM (sAMAccountName) in some cases can be associated with the domain format, where the format is "domain\username" or "domain\user" in Windows environments. It represents the username or unique identifier for a user within a specific domain.

  • UPN (userPrincipalName) is typically associated with the email format, where the format is "user@domain.com" or "user@domain" in Windows environments. It combines the username with a domain suffix, similar to an email address, and is used for user identification and authentication.


Understand the UPN and sAMAccountName User Account Attributes
Other users also viewed:
How to download GlobalProtect from the Customer Support Portal
Download and Install the GlobalProtect App for Windows
Resource List: GlobalProtect Configuring and Troubleshooting
PAN-OS Software Updates
Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)
Results 1-5 of 238,837
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CpgcCAC&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language