GlobalProtect Portal or Gateway Agent Config match fails when email username is applied as Primary Username

Created On 12/15/21 20:35 PM - Last Modified 10/22/24 23:18 PM


Symptom


  • GlobalProtect Portal/Gateway is configured to use SAML authentication.
  • Agent Config selection criteria match fails when using user@domain.local, with the error "Failed to get client configuration" for the GlobalProtect Portal and "Matching client config not found" for the GlobalProtect Gateway.
  • No issue is observed when domain\username is used in the GlobalProtect Portal/Gateway Agent Config selection criteria.


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS versions
  • GlobalProtect (GP) Portal/Gateway
  • SAML Authentication


Cause


  • The username from the SAML response is received in 'userPrincipalName' (UPN) or email format in the username attribute.
  • The SAML authentication profile has no option to specify the domain, unlike other authentication server types.
    > less mp-log authd.log
    ....
    Received SAML Assertion from 'https://sts.windows.net/39e022d6-1e02-4f1f-83c2-1b5952c985ed/' from client 'x.x.x.x'
    debug: _extract_sso_attribute(pan_authd_saml_internal.c:542): Got attr name (username) "username" ; value "user@domain.local";
    INFO OpenSAML.Utility.SAMLSign : successful signature verification
  • As part of normalization, user@domain.local becomes domain.local\user, whereas the GlobalProtect Portal/Gateway Agent Config selection criteria were configured with user@domain.local (the value seen in the SAML response) to match the user.
  • Since domain.local\user does not match user@domain.local, the GlobalProtect Portal/Gateway Agent Config selection criteria match fails.


Resolution


  1. When configuring the Group Mapping settings, add the Active Directory group the user belongs to to the GlobalProtect Portal/Gateway Agent Config selection criteria.
  2. The attributes are configured under GUI: Device > User Identification > Group Mapping Settings > "group-mapping-setting-name" > User and Group Attribute.
  3. For more details, refer to How To match a Global Protect Portal Config Agent and Verify.
  4. Both the UPN format received in the SAML response and the normalized format should be among the multiple username formats retrieved based on the attributes configured in the Group Mapping settings.
  5. If the output for a single user shows both the UPN and the normalized format, the GlobalProtect Portal/Gateway Agent Config selection criteria match will succeed.
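The following is an added illustration, not PAN-OS code or anything from the article itself. It models in simplified Python the behaviour described under Cause and Resolution: the UPN-style username from the SAML assertion is normalized to domain\user, a selection criterion written as user@domain.local therefore fails to match, a criterion written in the normalized form matches, and once Group Mapping supplies both username formats (or the user's AD group) the UPN-style or group-based criterion matches again. The normalization rule, the sample Agent Config criteria, the group DN and the Group Mapping data are all constructed for the example and are assumptions about the shape of the real data, not values from any deployment.

```python
"""Model of GlobalProtect Agent Config selection for a SAML-authenticated user.

Added example (not PAN-OS code): a simplified re-implementation of the
behaviour the article describes, so the match failure and the two fixes
(normalized-form criterion, or Group Mapping) can be seen side by side.
"""
from typing import Dict, List, Optional, Set, Tuple


def normalize_saml_username(username: str) -> str:
    """Turn 'user@domain.local' into 'domain.local\\user', the normalization the
    article describes. A name already in 'domain\\user' form, or without an '@',
    is returned unchanged. (Assumed rule, modelled on the article's example.)"""
    if "\\" in username:
        return username
    user, sep, domain = username.partition("@")
    if not sep or not user or not domain:
        return username
    return f"{domain}\\{user}"


def known_username_formats(authenticated_user: str,
                           group_mapping: Optional[Dict]) -> Set[str]:
    """All username formats under which this user can be matched.

    Without Group Mapping only the normalized form is available. With Group
    Mapping, every format retrieved from the configured User attributes
    (the UPN from the SAML response among them) is added as well.
    """
    normalized = normalize_saml_username(authenticated_user)
    formats = {normalized}
    if group_mapping:
        entry = group_mapping.get(normalized)
        if entry:
            formats |= set(entry["usernames"])
    return formats


def select_agent_config(authenticated_user: str,
                        configs: List[Tuple[str, Dict[str, Set[str]]]],
                        group_mapping: Optional[Dict] = None) -> Optional[str]:
    """Return the name of the first Agent Config whose user or group criteria
    match, or None (the 'Matching client config not found' case).

    configs: list of (name, criteria); criteria holds a 'users' set and a
    'groups' set. A config matches when any known username format is in
    'users' or any of the user's groups is in 'groups'. (Simplified model.)
    """
    normalized = normalize_saml_username(authenticated_user)
    formats = known_username_formats(authenticated_user, group_mapping)
    groups: Set[str] = set()
    if group_mapping and normalized in group_mapping:
        groups = set(group_mapping[normalized]["groups"])
    for name, criteria in configs:
        if formats & criteria.get("users", set()) or groups & criteria.get("groups", set()):
            return name
    return None


# Constructed sample data (not from any real deployment).
SAML_USERNAME = "user@domain.local"  # value of the 'username' attribute in the assertion
VPN_GROUP = "cn=vpn-users,ou=groups,dc=domain,dc=local"  # assumed group DN

# Criterion written exactly as the username appears in the SAML response.
CONFIG_UPN_ONLY = [("gp-config-upn", {"users": {"user@domain.local"}, "groups": set()})]
# Criterion written in the normalized domain\user form.
CONFIG_DOMAIN_FORM = [("gp-config-domain", {"users": {"domain.local\\user"}, "groups": set()})]
# Criterion based on the user's AD group, as the Resolution recommends.
CONFIG_BY_GROUP = [("gp-config-group", {"users": set(), "groups": {VPN_GROUP}})]

# What Group Mapping contributes for the user once it is configured: both
# username formats (UPN and normalized) plus group membership.
GROUP_MAPPING = {
    "domain.local\\user": {
        "usernames": {"user@domain.local", "domain.local\\user"},
        "groups": {VPN_GROUP},
    },
}

if __name__ == "__main__":
    # The failure in the article: UPN criterion, no Group Mapping.
    print(select_agent_config(SAML_USERNAME, CONFIG_UPN_ONLY))
    # Works: criterion in the normalized form.
    print(select_agent_config(SAML_USERNAME, CONFIG_DOMAIN_FORM))
    # Works again once Group Mapping supplies the UPN format too.
    print(select_agent_config(SAML_USERNAME, CONFIG_UPN_ONLY, GROUP_MAPPING))
    # Works via the group criterion.
    print(select_agent_config(SAML_USERNAME, CONFIG_BY_GROUP, GROUP_MAPPING))
```

Running the script prints None for the first case and the matching config name for the other three, which is the same progression the Cause and Resolution sections describe: the selection criterion has to be compared against a username format the firewall actually holds for the user, and Group Mapping is what makes the UPN format available alongside the normalized one.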


Additional Information


Note: When Group Mapping settings are configured, once the GP tunnel is established the IP-user mapping will show the username in the format of the attribute configured in the Primary Username field, rather than in the format provided during authentication.

GlobalProtect configuration selection based on usernames only

