Palo Alto offering user based Application Firewalling mean it can be integrated with with third party agent using LDAP and then profile users acceding to application usage.
SRX also claims that it can do application firewalling for user group but how to get authenticate application user from external agent e.g MS Domain Controller , perhaps through integration of UAC with SRX and user based policy enforcement through Infrant Controller.
Your assessment seems right to me. With Palo Alto you install an agent that can communicate with MS domain sources of ip address information connected to user login id. They have agents for domain controllers, terminal servers and exchange server for example. Thus the firewall gets an ip address to associate with a user or group for the purpose of writting rules.
The SRX competitor to this seems to be AppSecure as the marketing overview lists user and group as possible for writting rules. But in spending 20 minutes in the support portal I can't find any documentation on HOW to use users or groups in rules, much less how to get the user/group information from the domain. So I don't know how this works in the SRX world.
So AppSecure is the Palo Alto comepetitor, we just need to get full information on how the deploy works with AD user and groups information.
The SRX has had other mechanisms. For ftp or http traffic you can write rules that require a user to login and you can direct that login to a MS RADIUS server associated with an AD user group.
The UAC solution can write user based rules to AD and do so even on the fly. But this requires you depoly 802.1x to acheive this result.