How to retrieve group mapping based on SAM or UPN format

11439
Created On 05/23/22 07:29 AM - Last Modified 06/28/23 03:53 AM


Objective


  • In the diagram below, the LDAP server is configured with two groups: Network Admin and Finance.
  • All users in both groups have their sAMAccountName (SAM) and userPrincipalName (UPN) attributes populated.
  • This article shows how to configure the firewall so that group mapping for Network Admin reports its members by their SAM attribute, while group mapping for Finance reports its members by their UPN attribute.

LDAP.png

Environment


  • Palo Alto Firewalls
  • PAN-OS 9.1.x and above
  • User-ID configured
  • LDAP server profile configured


Procedure


Configuration to retrieve SAM group mapping format


  1. GUI: Device > User Identification > Add
     Tab: Server Profile
     Name: SAMgroupmapping
     Server Profile: Choose the appropriate LDAP server profile
     Group Object > Object Class: group
     User Object > Object Class: user
     Enabled: check
     SAM1.png
  2. Tab: User and Group Attributes
     User Attributes > Name > Primary Username: sAMAccountName
     User Attributes > Name > E-Mail: mail
     User Attributes > Name > Alternate Username 1: userPrincipalName
     SAM2.png
  3. Tab: Group Include List
     From Available Groups, move mylab\networkadmin to the Include Groups column
     SAM3.png
  4. Click OK to submit

 

Configuration to retrieve UPN group mapping format

  1. GUI: Device > User Identification > Add
     Tab: Server Profile
     Name: UPNgroupmapping
     Server Profile: Choose the appropriate LDAP server profile
     Group Object > Object Class: group
     User Object > Object Class: user
     Enabled: check
     UPN1.png
  2. Tab: User and Group Attributes
     User Attributes > Name > Primary Username: userPrincipalName
     User Attributes > Name > E-Mail: mail
     User Attributes > Name > Alternate Username 1: sAMAccountName
     UPN2.png
  3. Tab: Group Include List
     From Available Groups, move mylab\finance to the Include Groups column
     UPN3.png
  4. Click OK to submit
  5. Commit to save
 

Result for SAM group mapping:

SAMresults.png

Result for UPN group mapping:

UPNresults.png

 


Additional Information


  • SAM (sAMAccountName) is, in Windows environments, often written in the domain form "domain\username" (for example "domain\user"). It is the user's logon name, unique within a specific domain.

  • UPN (userPrincipalName) is written in the e-mail form "user@domain.com" or "user@domain" in Windows environments. It combines the username with a domain suffix, so it looks like an e-mail address, and is used for user identification and authentication.
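The following Python script is an added example, not code from this article or from Palo Alto Networks. It simulates what the two group-mapping profiles above produce: starting from a small, constructed directory (hypothetical domain "mylab" / "mylab.local", made-up users and DNs), it resolves the members of an included group and records each user under whichever attribute is configured as Primary Username. It also shows two cases the article's screenshots do not: a user who has no userPrincipalName set (that user has no value to report in the UPN profile, so the simulation skips them) and a group nested inside another group, which the simulation follows with a cycle guard. The Alternate Username fields are not modelled; how the real firewall handles missing attributes is not described on this page, so the skip behaviour is this simulation's assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class LdapEntry:
    """Minimal stand-in for one object returned by an LDAP server."""
    dn: str
    object_class: str                       # "group" or "user", matching the profile's Object Class fields
    attrs: Dict[str, object] = field(default_factory=dict)


# Assumption: NetBIOS name used for the "domain\user" and "domain\group" forms.
NETBIOS_DOMAIN = "mylab"

# Constructed sample directory; DNs, names and addresses are made up for this example.
SAMPLE_DIRECTORY: List[LdapEntry] = [
    LdapEntry("CN=Network Admin,OU=Groups,DC=mylab,DC=local", "group", {
        "cn": "Network Admin", "sAMAccountName": "networkadmin",
        "member": ["CN=Alice Adams,OU=Users,DC=mylab,DC=local",
                   "CN=Bob Brown,OU=Users,DC=mylab,DC=local"],
    }),
    LdapEntry("CN=Finance,OU=Groups,DC=mylab,DC=local", "group", {
        "cn": "Finance", "sAMAccountName": "finance",
        "member": ["CN=Carol Clark,OU=Users,DC=mylab,DC=local",
                   "CN=Network Admin,OU=Groups,DC=mylab,DC=local"],   # nested group
    }),
    LdapEntry("CN=Alice Adams,OU=Users,DC=mylab,DC=local", "user", {
        "sAMAccountName": "aadams", "userPrincipalName": "aadams@mylab.local",
        "mail": "aadams@mylab.local"}),
    LdapEntry("CN=Bob Brown,OU=Users,DC=mylab,DC=local", "user", {
        "sAMAccountName": "bbrown", "userPrincipalName": "bbrown@mylab.local",
        "mail": "bbrown@mylab.local"}),
    LdapEntry("CN=Carol Clark,OU=Users,DC=mylab,DC=local", "user", {
        "sAMAccountName": "cclark", "mail": "cclark@mylab.local"}),      # no UPN populated
]


def index_by_dn(entries: List[LdapEntry]) -> Dict[str, LdapEntry]:
    return {e.dn: e for e in entries}


def resolve_members(directory: Dict[str, LdapEntry], group_dn: str,
                    primary_attr: str, _seen: Optional[Set[str]] = None) -> List[str]:
    """Return the usernames of every user in group_dn, expressed in the chosen
    primary attribute. Nested groups are followed; _seen guards against cycles.
    Users lacking the attribute are skipped (assumption of this simulation)."""
    _seen = set() if _seen is None else _seen
    if group_dn in _seen:
        return []
    _seen.add(group_dn)
    group = directory.get(group_dn)
    if group is None or group.object_class != "group":
        return []
    names: List[str] = []
    for member_dn in group.attrs.get("member", []):
        entry = directory.get(member_dn)
        if entry is None:
            continue
        if entry.object_class == "group":
            names.extend(resolve_members(directory, member_dn, primary_attr, _seen))
        elif entry.object_class == "user":
            value = entry.attrs.get(primary_attr)
            if value is None:
                continue
            if primary_attr == "sAMAccountName":
                value = f"{NETBIOS_DOMAIN}\\{value}"    # SAM is reported as domain\user
            names.append(value)
    return sorted(set(names))


def build_group_mapping(entries: List[LdapEntry], include_groups: List[str],
                        primary_attr: str) -> Dict[str, List[str]]:
    """include_groups are short names as listed in the Include Groups column,
    e.g. "mylab\\networkadmin" (domain\\group sAMAccountName, case-insensitive)."""
    directory = index_by_dn(entries)
    by_short = {f"{NETBIOS_DOMAIN}\\{e.attrs['sAMAccountName']}".lower(): e.dn
                for e in entries if e.object_class == "group"}
    mapping: Dict[str, List[str]] = {}
    for short in include_groups:
        dn = by_short.get(short.lower())
        mapping[short] = resolve_members(directory, dn, primary_attr) if dn else []
    return mapping


def username_format(name: str) -> str:
    """Classify a username as the Additional Information section describes."""
    if "@" in name:
        return "UPN"
    if "\\" in name:
        return "SAM"
    return "bare"


if __name__ == "__main__":
    for attr, group in (("sAMAccountName", "mylab\\networkadmin"),
                        ("userPrincipalName", "mylab\\finance")):
        for g, users in build_group_mapping(SAMPLE_DIRECTORY, [group], attr).items():
            print(f"{attr:18} {g}: {users}")
```

Running the script prints the Network Admin members as mylab\aadams and mylab\bbrown under the SAM profile, and the Finance members as aadams@mylab.local and bbrown@mylab.local under the UPN profile; Carol is absent from the UPN result because her userPrincipalName is empty, which is the first thing to check when a user is unexpectedly missing from a group. On a real firewall, the PAN-OS operational command `show user group name "mylab\networkadmin"` (not part of this article) lists the members as the firewall resolved them, so the output of the two profiles can be compared the same way.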


Understand the UPN and sAMAccountName User Account Attributes
