Globalprotect - VPN Agent Config Selection issue via User ID

Hey Everyone,

Quick background: we're a Windows AD shop, using PA-440s on PAN-OS 10.1.8, GlobalProtect at v6.1.1, and using a SAML provider for our GP VPN authentication. There are two PA-440s in an HA active/passive configuration.

I've got our SAML authentication working with GlobalProtect, and now we're trying to implement unique configs based on user groups (split-tunnel differences for different business units, primarily).

I set up User-ID and our SAML Authentication Profile works as expected, i.e. if you're not a member of one of the two VPN groups (Domain\IT and Domain\ENG), you can't authenticate. I've tested this and indeed, SAML authentication fails if you're not in one of those two groups.

But when I drill down into the gateway to do the custom VPN agent configs, I go to the Source User section and try to add the same group I use in the SAML authentication profile. GP logs show failures with "matching client config not found". GPS local logs also just seem to have the same generic error, even in dump-level logs.

In the Source User portion of the agent configs, I've tried assigning users directly, confirming that the naming mechanism matches how the user is presented over SAML (user, domain\user and [email protected]), as well as group naming conventions (short names like domain\group as well as the full AD distinguished name). All to no avail.

First of all, does anyone have this setup working (SAML config plus unique VPN configs), and if so, did you encounter any issues like this?

I do have a support ticket open, awaiting escalation, since the first person I worked with insisted we make changes to the certificate settings used in the SAML IdP server profile and the SAML authentication profile. This, surprisingly (/s), did not fix the issue and instead broke the VPN on this firewall.

Edit: So after some trial and error, we came to a solution that works for our environment. We made a custom assertion in our SAML provider that creates the domain\username property, and chose that in the Authentication Profile's Username Attribute setting. Thanks for the insight from everyone on the ways they had it working; hopefully this post helps someone else having issues with SAML/User-ID.

In order to reference those, you need to set them up under Device > User Identification.

Set up a Group Mapping profile, and in the profile make sure you add the groups you want to use to the Group Include List. I've had issues with references not working unless they are added here.

I have this configuration working with Okta as the SAML authentication source on PA-440s in an active/passive configuration running 10.2.3-h2 and GP clients 6.1.1.

I am matching on AD group membership with local LDAP servers.

I have it working, but I converted my SAML username to domain\username format to stay consistent with how the on-prem DCs were referencing them.

It sort of sounds like this might be your issue. I wrote this a while ago... maybe it'll help.

Edit: Ohh, I see you're using Okta... perhaps there's something similar. No idea!

I set up User-ID and our SAML Authentication Profile works as expected, i.e. if you're not a member of one of the two VPN groups (Domain\IT and Domain\ENG), you can't authenticate. I've tested this and indeed, SAML authentication fails if you're not in one of those two groups.

Already did this portion. I've got the SAML Authentication Profile successfully restricted to the domain\ENG and domain\IT groups.

Edit: consistent group names.

Did you have to do anything special on the Okta side? Hand back any custom assertions?

I had to make sure that usernames were returned as UPN: user at domain dot com.

When you type this CLI command, including the question mark, are your AD groups listed as choices?

show user group name ?

Already ran

show user group name

show user group list "name"

show user user-attribute user [email protected]

and everything lines up how I would expect.

The Palo support person I worked with today is just as stumped, and is researching to see what's going on.

So you are returning the username from the IdP in UPN format (as in, with the AD domain and not a separate mail domain)?

Do you have a domain map for this domain? It will be needed.
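The thread boils down to one thing: the Source User match in the agent config only works when the username string the IdP returns is in the same form that User-ID group mapping is keyed on (domain\user), which is what the OP's custom assertion and the replies about domain maps and UPN normalization are each getting at. The following is an added example, not code from the thread or from Palo Alto Networks, that models that comparison offline: it normalizes the three username forms mentioned in the thread (bare user, domain\user, user@suffix) into domain\user using a UPN-suffix-to-domain map, then selects the first agent config whose Source User list intersects the user's groups. The domain map, group membership, config names and usernames are all constructed sample data; the PA-440 does not expose any of this as Python, this just reproduces the matching logic so you can see why a UPN matched against domain\user-keyed groups yields no config.

```python
# Added example: why "matching client config not found" appears when the
# username form from the IdP differs from the form User-ID groups are keyed on.
# All data below is constructed for illustration; nothing here is firewall code.

DOMAIN_MAP = {"example.com": "example"}   # constructed: UPN suffix -> AD short (NetBIOS) domain
DEFAULT_DOMAIN = "example"                # constructed: domain assumed for a bare username

# Constructed stand-in for what group mapping holds: members stored as domain\user.
GROUP_MAP = {
    "example\\eng": {"example\\alice", "example\\bob"},
    "example\\it": {"example\\carol"},
}

# Constructed ordered agent configs, each with its Source User set; first match wins,
# mirroring how gateway agent configs are evaluated top to bottom.
AGENT_CONFIGS = [
    ("eng-split-tunnel", {"example\\eng"}),
    ("it-full-tunnel", {"example\\it"}),
]


def normalize_username(raw, domain_map=DOMAIN_MAP, default_domain=DEFAULT_DOMAIN):
    """Return the username in canonical lower-case domain\\user form.

    Accepts "user", "DOMAIN\\user" and "user@suffix". A UPN suffix with no
    domain-map entry raises ValueError: without a domain map there is no way
    to know which AD domain the suffix belongs to, which is the point of the
    last reply in the thread.
    """
    s = raw.strip()
    if "\\" in s:
        domain, user = s.split("\\", 1)
    elif "@" in s:
        user, suffix = s.rsplit("@", 1)
        try:
            domain = domain_map[suffix.lower()]
        except KeyError:
            raise ValueError(f"no domain map entry for UPN suffix {suffix!r}") from None
    else:
        domain, user = default_domain, s
    if not user or not domain:
        raise ValueError(f"cannot parse username {raw!r}")
    return f"{domain.lower()}\\{user.lower()}"


def groups_for(canonical_user, group_map=GROUP_MAP):
    """Set of groups (domain\\group form) the canonical user is a member of."""
    return {g for g, members in group_map.items() if canonical_user in members}


def select_agent_config(raw_username, configs=AGENT_CONFIGS,
                        group_map=GROUP_MAP, normalize=True):
    """Pick the first agent config whose Source User list matches the user.

    A Source User entry matches either the user directly or one of the groups
    the user belongs to. With normalize=False the raw IdP string is compared
    as-is, which reproduces the failure when the IdP returns a UPN but group
    mapping is keyed on domain\\user: no group contains that string, so no
    config matches and the result is None.
    """
    user = normalize_username(raw_username, group_map and DOMAIN_MAP) if normalize \
        else raw_username.strip().lower()
    member_of = groups_for(user, group_map)
    for name, source_users in configs:
        if user in source_users or source_users & member_of:
            return name
    return None


if __name__ == "__main__":
    for raw in ("alice@example.com", "EXAMPLE\\Alice", "carol", "dave@example.com"):
        print(raw, "->", normalize_username(raw), "->", select_agent_config(raw))
    print("UPN matched without normalization ->",
          select_agent_config("alice@example.com", normalize=False))
```

Running the block prints, for each constructed username, its canonical form and the config selected; the last line shows the same user failing to match when the UPN is compared raw, which is the symptom the OP described before switching the Username Attribute to a domain\username assertion.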