Primary username mismatch for GlobalProtect users authenticating with SAML

Palo Alto Networks Knowledge Base

Created On 02/16/21 02:51 AM - Last Modified 10/31/24 14:27 PM


Symptom


  • The client connects to the GlobalProtect Gateway but does not receive the correct agent configuration.

  • The client sometimes receives agent config A and sometimes agent config B.
    (Screenshot: the GlobalProtect client is not getting the expected configuration.)

  • The username sometimes shows as domain\user and sometimes as an email address.

  • When the logs show the username as an email address, it does not match the security policy.
    (Screenshot: email address shown as the username.)



Environment


  • Palo Alto Firewalls
  • Supported PAN-OS versions
  • GlobalProtect Gateway/Portal with SAML authentication
  • GlobalProtect Gateway with users or groups-based agent configurations


Cause


  • The username attribute delivered in the SAML assertion is not in the format the firewall expects.
  • The expected format is the primary username format set in the group-mapping configuration.
  • To see the primary username format, go to Device > User Identification > Group Mapping Settings > Add > User and Group Attributes.

The primary username format is defined by the Group Mapping configuration.

Note: SAML authentication does not rewrite the username value it receives. For instance, if the firewall requires the username in domain\username format, the SAML source (the IdP) must already send it in that format.



Resolution


Customize the group-mapping primary username attribute so that it matches the username format the IdP sends in the SAML assertion (or change the IdP attribute so both use the same format).
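As an added troubleshooting aid, not code from Palo Alto Networks, the following Python script models the mismatch described in the Cause and Resolution sections: it classifies a username as UPN/email (user@domain), down-level (domain\user) or bare (user) form, then simulates the gateway's agent-config lookup against a constructed group-mapping table whose primary username form is domain\user. The form labels, the sample users, the group-mapping entries and the config names are all assumptions made for this example; the lookup deliberately does not rewrite the SAML username, mirroring the note that SAML authentication does not override the value it receives.

```python
"""Checker for the SAML-vs-group-mapping username format mismatch.

Illustrative code, not from Palo Alto Networks: the form labels, the sample
group-mapping table and the agent-config names are constructed for this example.
"""
import re
from typing import Optional

# Three username forms a SAML assertion or an LDAP attribute commonly yields.
UPN = "upn"                # user@example.com   (userPrincipalName / mail style)
DOWN_LEVEL = "down_level"  # EXAMPLE\user       (NetBIOS domain\sAMAccountName)
BARE = "bare"              # user               (sAMAccountName alone)

_UPN_RE = re.compile(r"^([^\\@\s]+)@([^\\@\s]+)$")
_DOWN_RE = re.compile(r"^([^\\@\s]+)\\([^\\@\s]+)$")
_BARE_RE = re.compile(r"^[^\\@\s]+$")


def classify(username: str) -> Optional[str]:
    """Return which of the three forms a username string is in, or None."""
    if _UPN_RE.match(username):
        return UPN
    if _DOWN_RE.match(username):
        return DOWN_LEVEL
    if _BARE_RE.match(username):
        return BARE
    return None


# Constructed group-mapping table keyed by the primary username exactly as the
# firewall stores it (here in domain\user form), mapping to the agent config the
# user's group selects. Anyone not matched falls through to the catch-all config.
PRIMARY_USERNAME_FORM = DOWN_LEVEL
GROUP_MAPPING = {
    r"EXAMPLE\alice": "config-A-finance",
    r"EXAMPLE\bob": "config-B-engineering",
}
DEFAULT_CONFIG = "config-default-any"


def select_agent_config(saml_username: str) -> dict:
    """Simulate the lookup the gateway does when choosing an agent config.

    The SAML username is compared as delivered; nothing converts it into the
    primary username form, which is why a UPN-form username falls through to
    the default config even though the user belongs to a mapped group.
    """
    form = classify(saml_username)
    return {
        "username": saml_username,
        "saml_form": form,
        "expected_form": PRIMARY_USERNAME_FORM,
        "format_matches": form == PRIMARY_USERNAME_FORM,
        "group_hit": saml_username in GROUP_MAPPING,
        "agent_config": GROUP_MAPPING.get(saml_username, DEFAULT_CONFIG),
    }


def diagnose(saml_username: str) -> str:
    """One-line verdict a troubleshooter can act on."""
    r = select_agent_config(saml_username)
    if r["group_hit"]:
        return f"OK: {saml_username} -> {r['agent_config']}"
    if not r["format_matches"]:
        return (f"MISMATCH: SAML delivers '{r['saml_form']}' form but group mapping "
                f"expects '{r['expected_form']}'; {saml_username} fell through to "
                f"{r['agent_config']}. Align the IdP attribute and the primary "
                f"username setting so both use the same form.")
    return f"NO GROUP: {saml_username} is in the expected form but not in any mapped group"


if __name__ == "__main__":
    for u in (r"EXAMPLE\alice", "alice@example.com", "alice", r"EXAMPLE\carol"):
        print(diagnose(u))
```

Running the script shows the symptom from the article directly: `EXAMPLE\alice` gets config A, while `alice@example.com` (the same person, delivered by the IdP as an email-style username) is reported as a MISMATCH and falls through to the default config. To reproduce your own situation, set `PRIMARY_USERNAME_FORM` to whichever form your group mapping uses and feed in the username exactly as it appears in the GlobalProtect or authentication logs.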



Additional Information


User-ID Changes in PAN-OS 8.1




https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCu2CAG