
ziw0w (ziw0w) asked a question.
Hello All,
I am trying to provision the Palo Alto GlobalProtect VPN solution with an authentication profile using Okta SSO. I have SSO functional and I can successfully delineate client IP pools through Okta SAML 2.0 based on Okta userid. I cannot do so based on LDAP or Okta group memberships. The end goal is to set up AD groups based on roles to assign a client pool address that provides role-based access to various segments of the network. Example: my account is in the student access group, my VPN client IP is from the student pool, my assigned VPN address is only allowed access to student-appropriate subnets. Has anyone successfully passed a group membership attribute to a GlobalProtect client to assign them a specific pool within the GP Gateway configuration? As I mentioned, if I manually assign users specifically, they can be assigned a separate client address. Group membership has no impact on which address they receive. Is there a way to leverage either AD or LDAP integrations to bridge this gap?

Hi, this is Sami from Okta support,
To send groups as a part of SAML assertion, in Okta you need to go to:
You can find more information about this integration here: https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-GlobalProtect.html
Looking at this issue and the specific use case I suggest that you open a case with us to further understand your environment.
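To make the mechanism concrete, here is an added example (not part of the question or the Okta reply, and not Okta's or Palo Alto's own code) showing what the SAML side of the answer looks like once Okta includes groups in the assertion: the gateway reads a group attribute from the AttributeStatement and maps it to a client IP pool. The assertion XML is constructed sample data; the attribute name `memberOf`, the group names and the pool addresses are assumptions, and in a real deployment the attribute names come from the Okta app settings and the pools from the GlobalProtect gateway client settings.

```python
"""Extract group memberships from a SAML 2.0 assertion and map them to a
GlobalProtect client IP pool.

Constructed example: the assertion below is hand-written sample data, not a
real Okta response. The attribute name "memberOf" and the group-to-pool table
are assumptions for illustration; the real names come from the Okta app's
attribute statements and the gateway's client settings.
"""
import xml.etree.ElementTree as ET
from typing import List

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion with a multi-valued group attribute. It carries
# no XML signature because only the parsing step is demonstrated here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/example-issuer</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">student1@example.edu</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>VPN-Students</saml:AttributeValue>
      <saml:AttributeValue>All-Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed role-to-pool table, evaluated top to bottom so a user who is in
# several mapped groups gets a deterministic pool.
GROUP_TO_POOL = [
    ("VPN-Staff", "10.10.20.0/24"),
    ("VPN-Students", "10.10.10.0/24"),
]
# Users in no mapped group land in a restrictive fallback pool rather than
# inheriting a privileged one by accident.
DEFAULT_POOL = "10.10.99.0/24"


def extract_groups(assertion_xml: str, attribute_name: str = "memberOf") -> List[str]:
    """Return every value of the named attribute in the AttributeStatement.

    A production gateway verifies the assertion's XML signature, issuer and
    audience before trusting any attribute; this function only shows how the
    group values are located once that has been done.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        for val in attr.iterfind("saml:AttributeValue", NS):
            if val.text:
                values.append(val.text.strip())
    return values


def select_pool(groups: List[str]) -> str:
    """Pick the first pool whose group appears in the user's memberships."""
    for group, pool in GROUP_TO_POOL:
        if group in groups:
            return pool
    return DEFAULT_POOL


def assign_pool(assertion_xml: str) -> str:
    """End-to-end: assertion in, client IP pool out."""
    return select_pool(extract_groups(assertion_xml))


if __name__ == "__main__":
    print(extract_groups(SAMPLE_ASSERTION))  # ['VPN-Students', 'All-Users']
    print(assign_pool(SAMPLE_ASSERTION))     # 10.10.10.0/24
```

The point the example makes is that pool selection can only be driven by groups if the group list actually arrives in the assertion as an attribute; a NameID alone gives the gateway nothing but the user identity, which is why per-user assignment works while group-based assignment does not until the group attribute statement is configured.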