SAML response shows the assertions that include cloudgenix_groups and memberOf attributes for MSP tenants

Created On 06/01/22 10:09 AM - Last Modified 05/22/24 20:17 PM


Symptom


  • The SAML assertion for an MSP tenant must carry the AttributeValue "cloudgenix_esp_super" rather than "cloudgenix_tenant_super"; sending the child-tenant value for an MSP login fails.


Environment


  • Prisma SD-WAN


Cause


  • Single Sign-On failed with errors such as "Single Sign-On is denied because the operator does not belong to any relevant roles" because the assertion used the same attribute value as the child tenant (cloudgenix_tenant_super) instead of an MSP (ESP) role.


Resolution


  • The correct attribute value for an MSP tenant is "cloudgenix_esp_super". It can be delivered in either the cloudgenix_groups or the memberOf attribute, as in the samples below.

Sample SAML Response with cloudgenix_groups (fragment of the AttributeStatement):

  <Attribute Name="cloudgenix_groups">
    <AttributeValue>cloudgenix_esp_network_admin</AttributeValue>
    <AttributeValue>cloudgenix_esp_viewonly</AttributeValue>
  </Attribute>

Sample SAML Response with memberOf (fragment of the AttributeStatement):

  <Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">cloudgenix_esp_super</AttributeValue>
  </Attribute>



Additional Information


  • Below is the list of ESP groups:
  1. cloudgenix_esp_iam_admin
  2. cloudgenix_esp_machine_admin
  3. cloudgenix_esp_admin
  4. cloudgenix_esp_user
  5. cloudgenix_esp_super
  • Note that the cloudgenix_groups sample above also carries cloudgenix_esp_network_admin and cloudgenix_esp_viewonly, which this list does not include.
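The following is an added example, not code from this article or from Prisma SD-WAN: a pre-flight check that parses an IdP's SAML Response, pulls the values of the cloudgenix_groups and memberOf attributes, and reports whether an MSP operator's assertion carries an ESP role or only the child-tenant role that causes the "does not belong to any relevant roles" denial. The two SAML Responses in the block are constructed for this example; the attribute names and the role names come from the article, and the ESP_GROUPS set is an assumption that combines the list above with the two roles in the sample response.

```python
"""Added example (not from the Palo Alto Networks article or Prisma SD-WAN):
check that an MSP operator's SAML Response carries an ESP role in
cloudgenix_groups or memberOf rather than the child-tenant role.
The two SAML Responses below are constructed for this example."""
import xml.etree.ElementTree as ET

# Attributes the article shows roles being delivered in.
ROLE_ATTRIBUTES = ("cloudgenix_groups", "memberOf")

# Assumption: the ESP groups listed in the article plus the two that appear
# in its cloudgenix_groups sample.
ESP_GROUPS = frozenset({
    "cloudgenix_esp_iam_admin",
    "cloudgenix_esp_machine_admin",
    "cloudgenix_esp_admin",
    "cloudgenix_esp_user",
    "cloudgenix_esp_super",
    "cloudgenix_esp_network_admin",
    "cloudgenix_esp_viewonly",
})

# Constructed sample: the article's symptom, an MSP login whose IdP sends the
# child-tenant role in memberOf.
BAD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="memberOf"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>cloudgenix_tenant_super</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the article's resolution, with both attributes populated
# the way its sample fragments show.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2" Version="2.0">
  <saml:Assertion ID="_assert2" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="cloudgenix_groups">
        <saml:AttributeValue>cloudgenix_esp_network_admin</saml:AttributeValue>
        <saml:AttributeValue>cloudgenix_esp_viewonly</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="memberOf"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:anyType">cloudgenix_esp_super</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}Attribute' -> 'Attribute')."""
    return tag.rsplit("}", 1)[-1]


def extract_roles(saml_response_xml):
    """Return {attribute name: [values]} for the role-bearing attributes.

    Matching on local names tolerates IdPs that emit the assertion namespace
    as a prefix, as a default namespace, or (as in the article's fragments) not at all.
    """
    root = ET.fromstring(saml_response_xml)
    roles = {}
    for el in root.iter():
        if _local(el.tag) == "Attribute" and el.get("Name") in ROLE_ATTRIBUTES:
            values = [(v.text or "").strip() for v in el if _local(v.tag) == "AttributeValue"]
            roles.setdefault(el.get("Name"), []).extend(values)
    return roles


def check_msp_roles(saml_response_xml):
    """Return (ok, reason) for an MSP operator's SAML Response.

    ok is True only when at least one value from either attribute is an ESP
    group; a response carrying only cloudgenix_tenant_* values is the
    misconfiguration the article describes.
    """
    roles = extract_roles(saml_response_xml)
    values = [v for vals in roles.values() for v in vals]
    esp = [v for v in values if v in ESP_GROUPS]
    tenant = [v for v in values if v.startswith("cloudgenix_tenant_")]
    if esp:
        return True, "ESP role present: " + ", ".join(esp)
    if tenant:
        return False, ("only child-tenant role(s) " + ", ".join(tenant)
                       + "; an MSP login needs an ESP role such as cloudgenix_esp_super")
    return False, "no cloudgenix role found in " + " or ".join(ROLE_ATTRIBUTES)


if __name__ == "__main__":
    for label, xml_text in (("bad", BAD_RESPONSE), ("good", GOOD_RESPONSE)):
        ok, reason = check_msp_roles(xml_text)
        print("%s: %s (%s)" % (label, "OK" if ok else "DENIED", reason))
```

The check inspects attribute content only; it does not validate the XML signature, the audience or the validity window, so it belongs beside, not instead of, the service provider's own assertion verification. If the response comes from an untrusted source rather than a captured login of your own IdP, parse it with defusedxml instead of xml.etree to avoid entity-expansion attacks.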


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sYgYCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail