Primary username mismatch for GlobalProtect users authenticating with SAML
20233
Created On 02/16/21 02:51 AM - Last Modified 10/31/24 14:27 PM
Symptom
- Client is trying to connect to the GlobalProtect Gateway, but it does not receive the correct agent configuration.
- Sometimes the client connects to config A and sometimes to config B.
- The username sometimes shows as domain\user and sometimes as an email address.
- When the logs show the username as an email address, it does not match the security policy.
Environment
- Palo Alto Firewalls
- Supported PAN-OS versions
- GlobalProtect Gateway/Portal with SAML authentication
- GlobalProtect Gateway with users or groups-based agent configurations
Cause
- The username attribute from SAML is not in the expected format for the firewall.
- The expected format is the primary username format set in the group-mapping configuration.
- To see the primary username format, go to Device > User Identification > Group Mapping Settings > Add > User and Group Attributes.
Note: SAML authentication does not override the username value; the firewall uses the username exactly as the IdP asserts it. For instance, if the username is required to be in domain\username format, the SAML source must already send it in that format.
Resolution
Customize the group-mapping primary username field attribute to match the SAML username format on the IdP.
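The following script is an added example, not code from the article or from PAN-OS. It models the mismatch described above: group-based agent configurations and policies are looked up by the primary username format, so a SAML username asserted as an email address finds no group and falls through to a different configuration. The first function classifies the format of each username seen in the logs, the second reports which ones do not match the configured primary format, and the third shows the conversion the IdP side must perform. The log usernames, group names and the email-domain to NetBIOS-domain map are constructed for this example; a real map depends on your directory.

```python
# Labels for the three username shapes this example distinguishes.
# These are this example's own names, not PAN-OS option values.
FMT_DOMAIN_BACKSLASH = "domain\\user"
FMT_UPN = "user@domain"
FMT_BARE = "user"


def classify_username(name: str) -> str:
    """Return which format a username string is in."""
    if "\\" in name:
        dom, _, user = name.partition("\\")
        if dom and user:
            return FMT_DOMAIN_BACKSLASH
    if "@" in name:
        user, _, dom = name.partition("@")
        if user and dom:
            return FMT_UPN
    if name:
        return FMT_BARE
    raise ValueError("empty username")


def find_mismatches(log_usernames, configured_format):
    """List (username, actual_format) for usernames that do not match the
    primary username format configured in group mapping."""
    out = []
    for name in log_usernames:
        fmt = classify_username(name)
        if fmt != configured_format:
            out.append((name, fmt))
    return out


def resolve_groups(username, configured_format, group_members):
    """Mimic group-based matching: only a username already in the primary
    format can match a group membership entry (case-insensitive)."""
    if classify_username(username) != configured_format:
        return []
    wanted = username.lower()
    return [g for g, members in group_members.items()
            if wanted in {m.lower() for m in members}]


def to_domain_backslash(name, email_domain_to_netbios):
    """The transformation the IdP must apply before asserting the username,
    since the firewall will not rewrite it. Requires a caller-supplied map
    from email domain to NetBIOS domain (assumed, not from the article)."""
    fmt = classify_username(name)
    if fmt == FMT_DOMAIN_BACKSLASH:
        return name
    if fmt == FMT_UPN:
        user, _, dom = name.partition("@")
        netbios = email_domain_to_netbios.get(dom.lower())
        if netbios is None:
            raise LookupError(f"no NetBIOS domain known for {dom}")
        return f"{netbios}\\{user}"
    raise ValueError(f"cannot derive a domain for bare username {name!r}")


# Constructed sample data: usernames as they might appear in GlobalProtect
# logs, plus a toy group-membership table keyed by domain\user.
CONFIGURED_FORMAT = FMT_DOMAIN_BACKSLASH
SAMPLE_LOG_USERNAMES = [
    "CORP\\alice",
    "alice@corp.example",
    "bob@corp.example",
    "CORP\\carol",
]
SAMPLE_GROUPS = {
    "vpn-engineering": ["CORP\\alice", "CORP\\bob"],
    "vpn-finance": ["CORP\\carol"],
}
SAMPLE_DOMAIN_MAP = {"corp.example": "CORP"}


if __name__ == "__main__":
    for name, fmt in find_mismatches(SAMPLE_LOG_USERNAMES, CONFIGURED_FORMAT):
        fixed = to_domain_backslash(name, SAMPLE_DOMAIN_MAP)
        print(f"{name}: asserted as {fmt}, no groups match; IdP should send {fixed}")
    for name in SAMPLE_LOG_USERNAMES:
        print(name, "->", resolve_groups(name, CONFIGURED_FORMAT, SAMPLE_GROUPS))
```

Running this over the constructed usernames shows that `alice@corp.example` resolves to no group even though `CORP\alice` is a member of `vpn-engineering`, which is exactly the symptom of the user landing on the wrong agent configuration.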
Additional Information