I feel like I've read every document on this forum but I can't seem to find a solid answer to this question. I'm sure someone will link 4 other posts..... 🤦♂️
I am using SAML Auth to Entra for GlobalProtect. I can auth to the Portal if I specify the user directly (using domain.com\username - username@domain.com does not work). I can also auth to the gateway using the same setup or (the way I'm doing it) using an authentication cookie. I can also specify Security rules using the domain.com\username (if using the cookie) or username@domain.com (if not using the cookie) . All of that is working as expected (after many many failed attempts 😂).
Next up, I want to use Entra groups to filter traffic on the Portal, Gateway and Security rules. I've tried specifying the 'group' attribute in the SAML config (and the same on the Entra side) with no luck.
Looking at debug logs on gpsvc.log, I can see a message with the following:
"GetUsernamesAndUsergroups: vsys (vsys1); user (username@domain.com); domain ()"}
"GetUsernamesAndUsergroups: response &{Email: UserAttrs:[domain.com\\username] Groups:[] GroupReady:true}"}
I'm assuming this means no groups are being passed down from Entra. Since I have to request Entra updates (no permissions myself), I'm hoping someone can definitely tell me, in 2025, with PanOS v11.1.x, do I need to set up CIE to make this work or is there a way to get group info using the standard Entra connector or if I'm just misconfiguring either the Auth Profile in Palo or the groups attribute (which I can't see) in Entra?
I've tried a couple of options here but this is what it currently looks like:
Thanks in advance for any wisdom you can impart!
