GlobalProtect configuration selection based on usernames only

Created On 07/19/22 07:37 AM - Last Modified 09/20/24 20:39 PM


Symptom


  • The GlobalProtect Portal/Gateway is configured with SAML authentication.
  • The userPrincipalName (UPN) or email username format is configured for Portal/Gateway authentication.
  • The configuration selection criteria do not match when specific users are entered in the UPN format.
Note: A UPN is an email-style login name such as "abc@exampledomain.local".


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • Prisma Access
  • GlobalProtect Portal/Gateway
  • Authentication method using UPN format


Cause


  • Starting with PAN-OS 8.1, multiple username formats are supported.
  • Different user attributes can be configured as the primary and secondary username formats in the group mapping configuration.
  • When group mapping is not configured on the firewall, it cannot map user attributes and falls back to the sAMAccountName username format.
  • Even when the UPN format is used for authentication, the configuration selection logic first normalizes the UPN (for example "sudhir@su-lab.local") to the domain\sAMAccountName form ("su-lab.local\sudhir") and then looks up the agent config by that key, not by the UPN the user typed.
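The following is an added example, not Palo Alto Networks code: a small model of the client-config selection order described above and shown in the Scenario 1 and Scenario 2 logs (normalize the UPN to domain\sAMAccountName, look up the user key, then each group, then the "any" entry). The lookup order and the normalized key form are taken from the mp-log excerpts on this page; the AgentConfig class, the function names, and the treatment of non-UPN logins as already normalized are assumptions of this example.

```python
"""Added example (not Palo Alto Networks code): a model of the client-config
selection order described on this page for a GlobalProtect portal with no
group mapping.  The order (user key, then group, then 'any') and the
normalization of a UPN to domain\\sAMAccountName are taken from the mp-log
excerpts; the class, function and config names are this example's own."""

from dataclasses import dataclass, field


@dataclass
class AgentConfig:
    """One entry under Network > GlobalProtect > Portals > Agent, as the admin typed it."""
    name: str
    users: set = field(default_factory=set)    # "User" match criteria
    groups: set = field(default_factory=set)   # group match criteria
    any_user: bool = False                     # criterion set to "any"


def normalize_upn(login_name: str) -> str:
    """sudhir@su-lab.local -> su-lab.local\\sudhir.

    This is the form the portal logs as 'found user attr' and uses as the
    lookup key, even though the user authenticated with the UPN.  Names that
    are not UPNs are returned unchanged (an assumption of this example).
    """
    if "@" not in login_name:
        return login_name
    user, domain = login_name.rsplit("@", 1)
    return f"{domain}\\{user}"


def select_config(login_name, groups, configs):
    """Return (config name or None, trace) following the lookup order in the logs."""
    trace = []
    key = normalize_upn(login_name)
    trace.append(f"found user attr {key}")
    # 1. user-specific entry, keyed by the normalized name (exact match assumed)
    for cfg in configs:
        if key in cfg.users:
            trace.append(f"config found for {key}")
            return cfg.name, trace
    trace.append(f"no config found for {key}")
    # 2. group entries, one lookup per group the user belongs to
    for group in groups:
        trace.append(f"found user group {group}")
        for cfg in configs:
            if group in cfg.groups:
                trace.append(f"config found for {group}")
                return cfg.name, trace
        trace.append(f"no config found for {group}")
    # 3. catch-all entry
    for cfg in configs:
        if cfg.any_user:
            trace.append("config found for any")
            return cfg.name, trace
    trace.append("no config found")
    return None, trace


# Scenario 1: "User" criterion typed in UPN form, exactly as the user logs in.
SCENARIO_1 = [
    AgentConfig("User-Specific-Config", users={"sudhir@su-lab.local"}),
    AgentConfig("DEFAULT", any_user=True),
]

# Scenario 2: "User" criterion typed in domain\sAMAccountName form.
SCENARIO_2 = [
    AgentConfig("User-Specific-Config", users={"su-lab.local\\sudhir"}),
    AgentConfig("DEFAULT", any_user=True),
]

LOGIN = "sudhir@su-lab.local"            # UPN the user authenticated with
GROUPS = ["useridd-groupsready"]         # group name seen in the Scenario 1 log

if __name__ == "__main__":
    for label, configs in (("Scenario 1", SCENARIO_1), ("Scenario 2", SCENARIO_2)):
        chosen, trace = select_config(LOGIN, GROUPS, configs)
        print(f"{label}: selected {chosen}")
        for line in trace:
            print("   ", line)
```

Running it reproduces the two outcomes on this page: Scenario 1 misses the user entry, misses the group entry and lands on DEFAULT via "any"; Scenario 2 matches User-Specific-Config on the first lookup and never consults the groups.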
Scenario 1:
  • Both the authentication method's username format and the "User" entry in the configuration selection criteria are in the UPN format.
  • GUI: Network > GlobalProtect > Portals > (GP portal name) > Agent
[Screenshot: GlobalProtect Agent Config]
  • Here the config selection fails: the normalized lookup key (su-lab.local\sudhir, sAMAccountName format) does not match the UPN value entered as the "User" criterion, so the lookup falls through the group check to the "any" entry and the DEFAULT config is applied (less mp-log appweb3-sslvpn.log).
> less mp-log appweb3-sslvpn.log
......
debug: pan_gp_lookup_by_sock(pan_gp_cfg.c:1649): getting client config...
debug: pan_gp_cfg_get_clientconfig(pan_gp_cfg.c:1260): user(sudhir@su-lab.local) clientos(Windows) is_gp(yes) domain() csc_support(yes)
debug: pan_usr_cfg_find_configs(pan_usr_cfg.c:1137): found user attr su-lab.local\sudhir
debug: pan_usr_cfg_hash_find(pan_usr_cfg.c:490): no config found for su-lab.local\sudhir
debug: pan_usr_cfg_find_configs(pan_usr_cfg.c:1149): found user group useridd-groupsready
debug: pan_usr_cfg_hash_find(pan_usr_cfg.c:490): no config found for useridd-groupsready
debug: pan_usr_cfg_hash_find(pan_usr_cfg.c:488): config found for any
debug: pan_usr_cfg_find_configs(pan_usr_cfg.c:1251): final config idx vector:
debug: pan_usr_cfg_print_config_idx(pan_usr_cfg.c:894): config_idx is 1
debug: pan_gp_cfg_get_clientconfig(pan_gp_cfg.c:1330): find user config DEFAULT 
debug: pan_gp_lookup_by_sock(pan_gp_cfg.c:1670): found client config!
 
Scenario 2:
  • The authentication method is in the UPN format, whereas the "User" entry in the configuration selection criteria is in the sAMAccountName format.
[Screenshot: GlobalProtect Agent Config - Scenario 2]
  • Here the config selection works as expected: the "User" entry in sAMAccountName format matches the normalized UPN (su-lab.local\sudhir) on the first lookup, so User-Specific-Config is applied (less mp-log appweb3-sslvpn.log).
> less mp-log appweb3-sslvpn.log
......
debug: pan_gp_lookup_by_sock(pan_gp_cfg.c:1649): getting client config...
debug: pan_gp_cfg_get_clientconfig(pan_gp_cfg.c:1260): user(sudhir@su-lab.local) clientos(Windows) is_gp(yes) domain() csc_support(yes)
debug: pan_usr_cfg_find_configs(pan_usr_cfg.c:1137): found user attr su-lab.local\sudhir 
debug: pan_usr_cfg_hash_find(pan_usr_cfg.c:488): config found for su-lab.local\sudhir 
debug: pan_gp_cfg_get_clientconfig(pan_gp_cfg.c:1330): find user config User-Specific-Config 
debug: pan_gp_cfg_get_clientconfig(pan_gp_cfg.c:1335): setting device managed status in the config : 2
debug: pan_gp_cfg_get_clientconfig(pan_gp_cfg.c:1346): useridd user groups loaded complete
debug: pan_gp_lookup_by_sock(pan_gp_cfg.c:1670): found client config!
  • GlobalProtect configuration match logs for scenario 1 and 2 (GUI: Monitor > Logs > GlobalProtect).
[Screenshot: GlobalProtect configuration match logs]
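When many sessions are involved, the quickest way to tell Scenario 1 from Scenario 2 is to read the same appweb3-sslvpn.log lines programmatically. The following is an added example, not Palo Alto Networks code: a parser for the debug lines quoted on this page that extracts the login name, the normalized user attribute, each lookup and the config finally chosen, and flags sessions where the user-specific lookup missed and only the "any" entry matched. The two sample inputs are the excerpts from this page, embedded as constructed test data; the regular expressions and function names are assumptions of this example, tied only to the line formats shown here.

```python
"""Added example (not Palo Alto Networks code): summarize GlobalProtect
client-config selection from appweb3-sslvpn.log debug lines.  Only the line
formats quoted on this page are parsed; anything else is ignored."""

import re

# Constructed sample input: the Scenario 1 excerpt from this page.
SCENARIO_1 = r"""
debug: pan_gp_lookup_by_sock(pan_gp_cfg.c:1649): getting client config...
debug: pan_gp_cfg_get_clientconfig(pan_gp_cfg.c:1260): user(sudhir@su-lab.local) clientos(Windows) is_gp(yes) domain() csc_support(yes)
debug: pan_usr_cfg_find_configs(pan_usr_cfg.c:1137): found user attr su-lab.local\sudhir
debug: pan_usr_cfg_hash_find(pan_usr_cfg.c:490): no config found for su-lab.local\sudhir
debug: pan_usr_cfg_find_configs(pan_usr_cfg.c:1149): found user group useridd-groupsready
debug: pan_usr_cfg_hash_find(pan_usr_cfg.c:490): no config found for useridd-groupsready
debug: pan_usr_cfg_hash_find(pan_usr_cfg.c:488): config found for any
debug: pan_gp_cfg_get_clientconfig(pan_gp_cfg.c:1330): find user config DEFAULT
debug: pan_gp_lookup_by_sock(pan_gp_cfg.c:1670): found client config!
"""

# Constructed sample input: the Scenario 2 excerpt from this page.
SCENARIO_2 = r"""
debug: pan_gp_lookup_by_sock(pan_gp_cfg.c:1649): getting client config...
debug: pan_gp_cfg_get_clientconfig(pan_gp_cfg.c:1260): user(sudhir@su-lab.local) clientos(Windows) is_gp(yes) domain() csc_support(yes)
debug: pan_usr_cfg_find_configs(pan_usr_cfg.c:1137): found user attr su-lab.local\sudhir
debug: pan_usr_cfg_hash_find(pan_usr_cfg.c:488): config found for su-lab.local\sudhir
debug: pan_gp_cfg_get_clientconfig(pan_gp_cfg.c:1330): find user config User-Specific-Config
debug: pan_gp_cfg_get_clientconfig(pan_gp_cfg.c:1335): setting device managed status in the config : 2
debug: pan_gp_cfg_get_clientconfig(pan_gp_cfg.c:1346): useridd user groups loaded complete
debug: pan_gp_lookup_by_sock(pan_gp_cfg.c:1670): found client config!
"""

LOGIN_RE = re.compile(r"\): user\(([^)]*)\) clientos\(")
ATTR_RE = re.compile(r"found user attr (.+?)\s*$")
LOOKUP_RE = re.compile(r"\): (no )?config found for (.+?)\s*$")
FINAL_RE = re.compile(r"find user config (\S+)")


def summarize_session(lines):
    """Return a dict with the login, normalized key, lookups [(key, hit)] and chosen config."""
    summary = {"login": None, "user_attr": None, "lookups": [], "config": None}
    for line in lines:
        if m := LOGIN_RE.search(line):
            summary["login"] = m.group(1)
        elif m := ATTR_RE.search(line):
            summary["user_attr"] = m.group(1)
        elif m := LOOKUP_RE.search(line):
            summary["lookups"].append((m.group(2), m.group(1) is None))
        elif m := FINAL_RE.search(line):
            summary["config"] = m.group(1)
    return summary


def fell_through_to_any(summary):
    """True when the user-specific lookup missed and only the 'any' entry matched (Scenario 1)."""
    hits = dict(summary["lookups"])
    user_missed = hits.get(summary["user_attr"]) is False
    any_hit = hits.get("any") is True
    return user_missed and any_hit


def summarize_text(text):
    return summarize_session(text.strip().splitlines())


if __name__ == "__main__":
    for label, text in (("Scenario 1", SCENARIO_1), ("Scenario 2", SCENARIO_2)):
        s = summarize_text(text)
        print(f"{label}: login={s['login']} key={s['user_attr']} config={s['config']}"
              f" fell_through_to_any={fell_through_to_any(s)}")
```

A session that reports fell_through_to_any=True while a user-specific config exists for that person is the symptom on this page: compare the printed key (domain\sAMAccountName) with what was typed in the "User" field.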


Resolution


  1. When no group mapping configuration is present, enter the "User" in the GlobalProtect Portal/Gateway configuration selection criteria in the sAMAccountName format (domain\username, for example "su-lab.local\sudhir") rather than the UPN format, even though users authenticate with the UPN.
  2. This is done under GUI: Network > GlobalProtect > Portals > (GP portal name) > Agent.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wl1vCAA&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail