To test this feature, visit your live site.

Globalprotect Azure-AD SAML Integration - Policy Based Groups Azure-AD

Globalprotect Azure-AD SAMLIntegration - Policy Based Groups Azure-AD

Hello PanGurus! , how's it going? I hope it's going well.

For licensing issues Azure AD only has Azure-ad then at the enterprise app level I can only assign users, but I have my doubt operates well with groups, ie in the Assign part, I can assign Groups and not just users to authenticate without having problems with GP? at the level of the enterprise app with Azure-AD SAML Globalprotect PANW.

Is it feasible to make group based policies, ie:

GP source zone - destination DMZ01 Azure Source Group: IT01

I.e. Azure Group-AD IT01@contoso.com , another with SEC01@contos.com Infra@contoso.com.

This to avoid having to make policies, user, by user, to reach and filter the destinations.

That is, once the client connects, it recognizes that X user recognizes X group.

Is this feasible ? There is no AD-Onprem.

Thank you I remain attentive

Best regards

3 comments

Comments (3)

Reaper

2 दिन पहले

even if youre unable to use groups in SAML, the groups will still work in group mapping, nothing to worry about

MetgatzGR

2 दिन पहले

Replying to

Thanks Master, so long, great guro Reaper.

If on the side of assigning in the app enterprise APP OK that will operate to put groups and will be able to authenticate via GP Ok super.

Now my question is once the user is already authenticated, already connected to the PANW, all OK.

That or those users within those groups in the policies I can put the direct group? Without having LDAP Onprem. will be recognized to filter ACL security policies ?

I mean:

Usuarios_infra@contoso.com: User01 - User02

Infra_adm@contoso.com: ADMIN01 - ADMIN02

TICOpsec@contoso.com: Opsec01 - Opsec02

When applying the security policies, put the groups, they will be mapped correctly by the pa and it will work ? With GlobalProtect, SAML will correctly interpret the groups ? because I see that the enterprise app only see user attributes.

Thank you great master guro

As always, thank you for your time, collaboration and good vibes!.

Best regards

Reaper

7घंटा

Replying to

Saml doesn't need to interpret the groups.

Userid/authentication and group mapping are 2 separate processes that simply compare notes

Group mapping will collect groups and their members. On the side of group mapping, the userids are just strings of data.

Saml will only interface at the authentication level so the username and password are used to get OK/NOK from the idp. If OK, the user is connected and the username is added to userID as a string

The group mapping and userid then "compare notes" to see which userid strings groupid memberships.

And so security rules are applied:

For every userid string that matches a grouped string, the ip address of the userid string is added to the security rule

Forum: Forum