Use SAML User Group Attribute in Allow List to authenticate a GP Portal user
Objective
What is the User Group Attribute in a SAML-type Authentication Profile, and how can it be used in the configuration?
A SAML-type Authentication Profile can extract a group attribute from a SAML Response via the User Group Attribute field. Once extracted, the group attribute value is compared against the entries in that profile's Allow List. The user is allowed only if the group attribute value matches a configured Allow List entry.
NOTE: The User Group Attribute value can only be used to evaluate the Allow List of a SAML-type authentication profile. It cannot be used anywhere else in the firewall configuration, including any type of Policy, GlobalProtect Portal Agent and Clientless VPN configs, Gateway Agent configs, reports, etc.
PAN-OS Configuration Help (reference):
User Group Attribute (SAML only): Enter the SAML attribute that identifies the user group of an authenticating user in messages from the IdP (default is usergroup). If the IdP Server Profile contains metadata that specifies a user group attribute, the field automatically uses that attribute. The firewall uses the group information to match authenticating users against Allow List entries, not for policies or reports.
As an example in this article, we will configure a SAML-type authentication profile to authenticate a GP Portal Clientless VPN user based on the User Group Attribute.
Environment
PAN-OS
SAML Authentication
GP Portal Login
Procedure
Configuration & Explanation
1. We assume the PANW firewall is already configured with User Identification > Group Mapping Settings, through which it obtains User-to-Group mappings along with user attributes and group attributes from an AD via LDAP.
As an example in this article, user10 in the domain pantac-222-70 is a member of the following groups and has the following user attributes:
> show user user-ids match-user "pantac-222-70\user10"
User Name Vsys Groups
------------------------------------------------------------------
pantac-222-70\user10 vsys1 cn=users,cn=builtin,dc=pantac-222-70,dc=local
cn=remote desktop users,cn=builtin,dc=pantac-222-70,dc=local
cn=non-admin users,cn=users,dc=pantac-222-70,dc=local
cn=vpn-users,dc=pantac-222-70,dc=local
cn=domain users,cn=users,dc=pantac-222-70,dc=local
> show user user-attributes user "pantac-222-70\user10"
Primary: pantac-222-70\user10 Email: user10@pantac-222-70.local
Alt User Names:
1) pantac-222-70\user10
2) user10@pantac-222-70.local
NOTES:
- The pantac-222-70\user10 user is a member of 5 groups in AD, and the firewall identifies the user by two user attributes: (1) sAMAccountName (pantac-222-70\user10) and (2) Email and userPrincipalName (user10@pantac-222-70.local).
- Therefore, if the user authenticates as either pantac-222-70\user10 or user10@pantac-222-70.local, the firewall will be able to identify the user and find the 5 groups associated with this user.
2. Now let's assume the same user10 is also synced to the SAML Identity Provider (IdP) from AD, so it has the same AD groups and attributes. In addition, user10 is also a member of a SAML-specific group GP-Users (i.e. the GP-Users group is NOT known to AD).
3. We assume the SAML IdP is properly configured to send a group attribute named groups with the value GP-Users in the SAML Response to the PANW firewall (configuring the SAML IdP is beyond the scope of this article).
4. The PANW firewall is configured with a SAML Identity Provider Server Profile.
5. The PANW firewall uses the above SAML Identity Provider Server Profile in a SAML-type Authentication Profile that is configured with Username Attribute: username and User Group Attribute: groups, and extracts their values for further use.
In addition, the SAML-type Authentication Profile is configured with an Allow List that only allows users who are members of the SAML group GP-Users.
6. The SAML-type Authentication Profile is used by a GlobalProtect Portal.
To reiterate, the SAML User Group Attribute and its value are not referenced anywhere else in the firewall configuration, including the GP Portal Agent Configs or Clientless VPN Configs; it is used only for the Allow List of the SAML-type Authentication Profile. If users or groups need to be configured on GP Portal Agent Configs or Clientless VPN Configs, they must come from User Group Mapping Settings via directory services.
SAML User Login, Authentication Result, and User to Group Mapping
A. During the SAML authentication process, the SAML IdP sends a SAML Response to the PANW firewall that contains:
- StatusCode: Success (i.e. SAML IdP successfully authenticated the user)
- Subject NameID: user10@pantac-222-70.local (i.e. authenticated user NameID)
- Group Attribute: groups with value GP-Users
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user10@pantac-222-70.local</saml2:NameID>
  ...
</saml2:Subject>
<saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">GP-Users</saml2:AttributeValue>
</saml2:Attribute>
B. The PANW firewall receives the SAML Response, and the authd process handles it in the following order:
- Receives the SAML Assertion in the SAML Response
- Extracts the attribute named groups, which carries two values in this example: Everyone and GP-Users
- Although the SAML Authentication Profile is configured with the Username Attribute username, authd did not find a username attribute in the SAML Response in this example (i.e. the SAML IdP is not sending the username attribute)
- The Subject NameID user10@pantac-222-70.local is used as the username instead
- The Assertion signature is validated against the IdP certificate from the SAML Identity Provider Server Profile
- The Allow List entry GP-Users matches the extracted groups value GP-Users
- The user is successfully authenticated
2022-10-14 17:21:52.019 -0700 Received SAML Assertion from 'http://www.okta.com/-----------------' from client '10.x.x.x'
2022-10-14 17:21:52.020 -0700 debug: _extract_sso_attribute(pan_authd_saml_internal.c:543): Got attr name (usergroup) "groups" ; value "Everyone;GP-Users";
2022-10-14 17:21:52.021 -0700 debug: _parse_sso_response(pan_authd_saml.c:1443): SAML SSO response from 'http://www.okta.com/-----------------' has no username attribute
2022-10-14 17:21:52.022 -0700 debug: _parse_sso_response(pan_authd_saml.c:1446): SAML SSO response from 'http://www.okta.com/-----------------': Use saml:Subject NameID "user10@pantac-222-70.local" as username
2022-10-14 17:21:52.046 -0700 SAML Assertion: signature is validated against IdP certificate (subject 'crt.Okta_IdP.shared') for user 'user10@pantac-222-70.local'
2022-10-14 17:21:52.047 -0700 debug: pan_auth_saml_resp_process(pan_auth_state_engine.c:5393): Check allow list status for user10@pantac-222-70.local (Okta_SAML_AuthProf/vsys1)
2022-10-14 17:21:52.047 -0700 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:569): This is a single vsys platform, group check for allow list is performed on "vsys1"
2022-10-14 17:21:52.048 -0700 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:638): user "user10@pantac-222-70.local" whose group "GP-Users" of groups: "GP-Users" is in allow list of auth prof "Okta_SAML_AuthProf" on vsys "vsys1"
...
2022-10-14 17:21:52.049 -0700 debug: _log_saml_respone(pan_auth_server.c:363): Sent PAN_AUTH_SUCCESS SAML response:(authd_id: 7132225947322817561) (return username 'user10@pantac-222-70.local') (auth profile 'Okta_SAML_AuthProf') (NameID 'user10@pantac-222-70.local')
...
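To make the sequence above concrete, here is an added Python example (not PAN-OS code and not from the article's author) that performs the same evaluation on a constructed SAML Response modelled on the snippet shown earlier: it checks the StatusCode, uses the Username Attribute when present and otherwise falls back to the Subject NameID, extracts the configured User Group Attribute, and compares its values against an Allow List. The constructed response carries two groups values, Everyone and GP-Users, matching the "Everyone;GP-Users" seen in the authd log. The function names, the exact-match Allow List comparison and the handling of a non-Success status are assumptions of this example, not documented PAN-OS behaviour.

```python
"""Added example for this article (not PAN-OS code): walk a SAML Response the
way the article describes authd doing it - check the StatusCode, pick the
username (Username Attribute if present, otherwise the Subject NameID),
extract the User Group Attribute and evaluate it against the Allow List."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample modelled on the snippet in the article: Success status,
# a Subject NameID, no "username" attribute, and a multi-valued "groups"
# attribute (Everyone and GP-Users, as in the authd log's "Everyone;GP-Users").
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user10@pantac-222-70.local</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>Everyone</saml:AttributeValue>
        <saml:AttributeValue>GP-Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_response(xml_text, username_attr="username", group_attr="groups"):
    """Return the fields the Allow List decision depends on.

    username_attr / group_attr mirror the Authentication Profile's
    Username Attribute and User Group Attribute settings.
    """
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    status_ok = code is not None and code.get("Value") == STATUS_SUCCESS

    result = {"status_ok": status_ok, "nameid": None, "username": None,
              "groups": [], "username_from_nameid": False}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return result

    nameid_el = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid_el is not None and nameid_el.text:
        result["nameid"] = nameid_el.text.strip()

    # Collect every Attribute as the list of its AttributeValue texts.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]

    # The Username Attribute wins when present; otherwise fall back to the
    # Subject NameID, which is what the article's authd log shows.
    if attrs.get(username_attr):
        result["username"] = attrs[username_attr][0]
    else:
        result["username"] = result["nameid"]
        result["username_from_nameid"] = True

    result["groups"] = attrs.get(group_attr, [])
    return result


def is_allowed(parsed, allow_list):
    """Allow List check (assumed exact, case-sensitive match): the response
    must carry a Success status and a username, and at least one extracted
    group value must equal an Allow List entry."""
    if not parsed["status_ok"] or not parsed["username"]:
        return False
    return any(g in allow_list for g in parsed["groups"])


if __name__ == "__main__":
    p = parse_response(SAMPLE_RESPONSE)
    print(p["username"], p["groups"], is_allowed(p, {"GP-Users"}))
    # A non-Success status is denied even with a matching group
    # (urn:oasis:names:tc:SAML:2.0:status:Requester is a standard top-level code).
    failed = SAMPLE_RESPONSE.replace(
        STATUS_SUCCESS, "urn:oasis:names:tc:SAML:2.0:status:Requester")
    print(is_allowed(parse_response(failed), {"GP-Users"}))
```

Running the block prints the username taken from the NameID, the two extracted groups values and the Allow List result for the sample, then shows the same response with a non-Success StatusCode being denied despite the matching group. The same parse function accepts an IdP that does send the username attribute; in that case the attribute value is used and the NameID is kept only for reference.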
Side Note: Regarding user-to-group mapping, because the user has been successfully authenticated as user10@pantac-222-70.local, the firewall will try to find matching user attributes fetched via the User Group Mapping Settings from AD (discussed in point 1 earlier). Since this value matches one of the pantac-222-70\user10 user attributes, the user will be considered a member of the 5 AD-mapped groups. These 5 AD groups are the ones to use in Policies, GP Portal Agent Configs, GP Portal Clientless VPN Configs, etc.