Cloud Identity Engine Getting Started
    : Configure Cloud Identity Engine Authentication on the Firewall or Panorama
    Focus
    Download PDF
    Focus
    1. Home
    2. Cloud Identity
    3. Cloud Identity Engine Getting Started
    4. Authenticate Users with the Cloud Identity Engine
    5. Configure Cloud Identity Engine Authentication on the Firewall or Panorama
    Download PDF

    Cloud Identity Engine Getting Started

    Configure Cloud Identity Engine Authentication on the Firewall or Panorama

    Table of Contents

    Configure Cloud Identity Engine Authentication on the Firewall or Panorama

    After you Configure the Cloud Identity Engine as a Mapping Source on the Firewall or Panorama and Configure a SAML 2.0 Authentication Type, Configure a Client Certificate, or both, you can create an authentication profile that redirects users to the authentication type (either a client certificate or a SAML 2.0-compliant identity provider) you configure for authentication.
    If you use Panorama to manage your firewalls, configure an authentication profile in Panorama then push the authentication profile to the managed firewalls.
    Some steps in the following procedure are required only if you want to configure an authentication policy rule on the firewall using the Cloud Identity Engine and aren’t required if you want to authenticate administrators or to authenticate users with Prisma Access or GlobalProtect. These steps are indicated below.
    1. Configure an authentication profile to use the Cloud Authentication Service.
      1. On the firewall, select
        Device
        Authentication Profile
        .
      2. Enter a
        Name
         for the authentication profile.
      3. Select
        Cloud Authentication Service
         as the
        Type
        .
      4. Select the
        Region
         of your Cloud Identity Engine tenant.
        For more information on regions, refer to Activate the Cloud Identity Engine.
      5. Select the Cloud Identity Engine
        Instance
         you want to use for this authentication profile.
        For more information on Cloud Identity Engine tenants, refer to Cloud Identity Engine Tenants.
      6. Select an authentication
        Profile
         that specifies the authentication type you want to use to authenticate users.
      7. Specify the
        Maximum Clock Skew (seconds)
        , which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
      8. Select
        Force multi-factor authentication in cloud
         if your IdP is configured to require users to log in using multi-factor authentication (MFA).
    2. (Required for authentication policy rule only) Configure the Authentication Portal settings to use the authentication profile.
      1. Select
        Device
        User Identification
        Authentication Portal Settings
        .
      2. Edit
         the settings and select the
        Authentication Profile
         from the first step.
      3. Select
        Redirect
         as the
        Mode
        .
        For more information on how to configure redirect mode, refer to Configure Authentication Portal.
      4. Click
        OK
        .
    3. (Required for authentication policy rule only) Create an Authentication Enforcement object that uses the authentication profile to redirect users to log in using their authentication type.
      1. Select
        Objects
        Authentication
        .
      2. Add
         an Authentication Enforcement object and enter a
        Name
         for the object.
      3. Select
        web-form
         as the
        Authentication Method
        .
      4. Select the
        Authentication Profile
         from the first step.
      5. (Optional) Enter a
        Message
         to display to users.
      6. Click
        OK
        .
    4. Create a URL list as a custom URL category to allow the necessary traffic for the Cloud Identity Engine.
      1. If you don’t need to strictly limit traffic to your region, you can enter
        *.apps.paloaltonetworks.com
        . Otherwise, determine your region-based URL using the
        show cloud-auth-service-regions
         command to display the URLs for the region associated with your Cloud Identity Engine tenant and enter each region-based URL. The following table includes the URLs for each region:
        Region
        Cloud Identity Engine Region-Based URL
        United States
        cloud-auth.us.apps.paloaltonetworks.com
        cloud-auth-service.us.apps.paloaltonetworks.com
        Europe
        cloud-auth.nl.apps.paloaltonetworks.com
        cloud-auth-service.nl.apps.paloaltonetworks.com
        United Kingdom
        cloud-auth.uk.apps.paloaltonetworks.com
        cloud-auth-service.uk.apps.paloaltonetworks.com
        Singapore
        cloud-auth.sg.apps.paloaltonetworks.com
        cloud-auth-service.sg.apps.paloaltonetworks.com
        Canada
        cloud-auth.ca.apps.paloaltonetworks.com
        cloud-auth-service.ca.apps.paloaltonetworks.com
        Japan
        cloud-auth.jp.apps.paloaltonetworks.com
        cloud-auth-service.jp.apps.paloaltonetworks.com
        Australia
        cloud-auth.au.apps.paloaltonetworks.com
        cloud-auth-service.au.apps.paloaltonetworks.com
        Germany
        cloud-auth.de.apps.paloaltonetworks.com
        cloud-auth-service.de.apps.paloaltonetworks.com
        United States - Government
        cloud-auth-service.gov.apps.paloaltonetworks.com
        cloud-auth.gov.apps.paloaltonetworks.com
        India
        cloud-auth-service.in.apps.paloaltonetworks.com
        cloud-auth.in.apps.paloaltonetworks.com
        Switzerland
        cloud-auth-service.ch.apps.paloaltonetworks.com
        cloud-auth.ch.apps.paloaltonetworks.com
        Spain
        cloud-auth-service.es.apps.paloaltonetworks.com
        cloud-auth.es.apps.paloaltonetworks.com
        Italy
        cloud-auth-service.it.apps.paloaltonetworks.com
        cloud-auth.it.apps.paloaltonetworks.com
        France
        cloud-auth-service.fr.apps.paloaltonetworks.com
        cloud-auth.fr.apps.paloaltonetworks.com
        China
        cloud-auth-service.cn.apps.prismaaccess.cn
        cloud-auth.cn.apps.prismaaccess.cn
        This region is only accessible in the Cloud Identity Engine within the specified region.
        Poland
        cloud-auth-service.pl.apps.paloaltonetworks.com
        cloud-auth.pl.apps.paloaltonetworks.com
        Qatar
        cloud-auth-service.qa.apps.paloaltonetworks.com
        cloud-auth.qa.apps.paloaltonetworks.com
        Taiwan
        cloud-auth-service.tw.apps.paloaltonetworks.com
        cloud-auth.tw.apps.paloaltonetworks.com
        Israel
        cloud-auth-service.il.apps.paloaltonetworks.com
        cloud-auth.il.apps.paloaltonetworks.com
        Indonesia
        cloud-auth-service.id.apps.paloaltonetworks.com
        cloud-auth.id.apps.paloaltonetworks.com
        Saudi Arabia
        cloud-auth-service.sa.apps.paloaltonetworks.com
        cloud-auth.sa.apps.paloaltonetworks.com
      2. Enter the URLs that your IdP requires for user authentication (for example,
        *.okta.com
        ).
    5. Create a security policy rule to allow traffic to the authentication type and Cloud Identity Engine and select the custom URL category as the match criteria.
    6. Create a internet management profile in the trusted zone and enable response pages.
    7. (Required for authentication policy rule only) Configure an Authentication policy rule to use the Authentication Enforcement object and allow traffic to the custom URL category.
    8. (
      Panorama only
      ) If you use Panorama to manage multiple firewalls, configure the Cloud Identity Engine for Panorama.
      1. Select the Cloud Identity Engine authentication method you want to use with Panorama.
        • To configure the Cloud Identity Engine in an authentication profile for managed devices, select
          Device
          Authentication Profile
          .
        • To use the Cloud Identity Engine in an authentication profile for Panorama administrators, select
          Panorama
          Authentication Profile
          .
      2. Select
        Panorama
        Setup
        Management
         and
        Edit
         the
        Authentication Settings
        , then select the
        Authentication Profile
         for the Cloud Identity Engine tenant you want to associate with Panorama.
      3. Select
        Panorama
        Device Groups
         and
        Add
         or
        Edit
        a device group.
      4. Select the
        Cloud Identity Engine
         and
        Add
         the Cloud Identity Engine tenant you want to associate with Panorama then click
        OK
        .
    9. Commit
       your changes and verify that the firewall redirects authentication requests to the Cloud Authentication Service.
      1. On the client device, use the browser to access a webpage that requires authentication.
      2. Confirm that the access request redirects to the Cloud Authentication Service.
      3. Enter your credentials to log in.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.