Configure Cloud Identity Engine Authentication on the Firewall or Panorama
After you Configure the Cloud Identity Engine as a Mapping Source on the Firewall or Panorama and Configure a SAML 2.0 Authentication Type, Configure a Client Certificate, or both, you can create an
authentication profile that redirects users to the authentication type (either a
client certificate or a SAML 2.0-compliant identity provider) you configure for
authentication.
If you use Panorama to manage your firewalls, configure the authentication profile in Panorama, then push it to the managed firewalls.
Some steps in the following procedure are required only if you want to configure an
authentication policy rule on the firewall using the Cloud Identity Engine and
aren’t required if you want to authenticate administrators or to authenticate users
with Prisma Access or GlobalProtect. These steps are indicated below.
- Configure an authentication profile to use the Cloud Authentication Service.
  - On the firewall, select Device > Authentication Profile.
  - Enter a Name for the authentication profile.
  - Select Cloud Authentication Service as the Type.
  - Select the Region of your Cloud Identity Engine tenant. For more information on regions, refer to Activate the Cloud Identity Engine.
  - Select the Cloud Identity Engine Instance you want to use for this authentication profile. For more information on Cloud Identity Engine tenants, refer to Cloud Identity Engine Tenants.
  - Select an authentication Profile that specifies the authentication type you want to use to authenticate users.
  - Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
  - Select Force multi-factor authentication in cloud if your IdP is configured to require users to log in using multi-factor authentication (MFA).
- (Required for authentication policy rule only) Configure the Authentication Portal settings to use the authentication profile.
  - Select Device > User Identification > Authentication Portal Settings.
  - Edit the settings and select the Authentication Profile from the first step.
  - Select Redirect as the Mode. For more information on how to configure redirect mode, refer to Configure Authentication Portal.
  - Click OK.
- (Required for authentication policy rule only) Create an Authentication Enforcement object that uses the authentication profile to redirect users to log in using their authentication type.
  - Select Objects > Authentication.
  - Add an Authentication Enforcement object and enter a Name for the object.
  - Select web-form as the Authentication Method.
  - Select the Authentication Profile from the first step.
  - (Optional) Enter a Message to display to users.
  - Click OK.
- Create a URL list as a custom URL category to allow the necessary traffic for the Cloud Identity Engine.
  - If you don’t need to strictly limit traffic to your region, you can enter *.apps.paloaltonetworks.com. Otherwise, determine your region-based URL using the show cloud-auth-service-regions command to display the URLs for the region associated with your Cloud Identity Engine tenant and enter each region-based URL. The following table includes the URLs for each region:

    Region                       Cloud Identity Engine region-based URLs
    United States                cloud-auth.us.apps.paloaltonetworks.com    cloud-auth-service.us.apps.paloaltonetworks.com
    Europe                       cloud-auth.nl.apps.paloaltonetworks.com    cloud-auth-service.nl.apps.paloaltonetworks.com
    United Kingdom               cloud-auth.uk.apps.paloaltonetworks.com    cloud-auth-service.uk.apps.paloaltonetworks.com
    Singapore                    cloud-auth.sg.apps.paloaltonetworks.com    cloud-auth-service.sg.apps.paloaltonetworks.com
    Canada                       cloud-auth.ca.apps.paloaltonetworks.com    cloud-auth-service.ca.apps.paloaltonetworks.com
    Japan                        cloud-auth.jp.apps.paloaltonetworks.com    cloud-auth-service.jp.apps.paloaltonetworks.com
    Australia                    cloud-auth.au.apps.paloaltonetworks.com    cloud-auth-service.au.apps.paloaltonetworks.com
    Germany                      cloud-auth.de.apps.paloaltonetworks.com    cloud-auth-service.de.apps.paloaltonetworks.com
    United States - Government   cloud-auth.gov.apps.paloaltonetworks.com   cloud-auth-service.gov.apps.paloaltonetworks.com
    India                        cloud-auth.in.apps.paloaltonetworks.com    cloud-auth-service.in.apps.paloaltonetworks.com
    Switzerland                  cloud-auth.ch.apps.paloaltonetworks.com    cloud-auth-service.ch.apps.paloaltonetworks.com
    Spain                        cloud-auth.es.apps.paloaltonetworks.com    cloud-auth-service.es.apps.paloaltonetworks.com
    Italy                        cloud-auth.it.apps.paloaltonetworks.com    cloud-auth-service.it.apps.paloaltonetworks.com
    France                       cloud-auth.fr.apps.paloaltonetworks.com    cloud-auth-service.fr.apps.paloaltonetworks.com
    China                        cloud-auth.cn.apps.prismaaccess.cn         cloud-auth-service.cn.apps.prismaaccess.cn
                                 (This region is only accessible in the Cloud Identity Engine within the specified region.)
    Poland                       cloud-auth.pl.apps.paloaltonetworks.com    cloud-auth-service.pl.apps.paloaltonetworks.com
    Qatar                        cloud-auth.qa.apps.paloaltonetworks.com    cloud-auth-service.qa.apps.paloaltonetworks.com
    Taiwan                       cloud-auth.tw.apps.paloaltonetworks.com    cloud-auth-service.tw.apps.paloaltonetworks.com
    Israel                       cloud-auth.il.apps.paloaltonetworks.com    cloud-auth-service.il.apps.paloaltonetworks.com
    Indonesia                    cloud-auth.id.apps.paloaltonetworks.com    cloud-auth-service.id.apps.paloaltonetworks.com
    South Korea                  cloud-auth.kr.apps.paloaltonetworks.com    cloud-auth-service.kr.apps.paloaltonetworks.com
    Saudi Arabia                 cloud-auth.sa.apps.paloaltonetworks.com    cloud-auth-service.sa.apps.paloaltonetworks.com

  - Enter the URLs that your IdP requires for user authentication (for example, *.okta.com).
- Create a security policy rule to allow traffic to the authentication type and Cloud Identity Engine and select the custom URL category as the match criteria.
- Create an interface management profile in the trusted zone and enable response pages.
- (Required for authentication policy rule only) Configure an Authentication policy rule to use the Authentication Enforcement object and allow traffic to the custom URL category.
- (Panorama only) If you use Panorama to manage multiple firewalls, configure the Cloud Identity Engine for Panorama.
  - Select the Cloud Identity Engine authentication method you want to use with Panorama.
    - To configure the Cloud Identity Engine in an authentication profile for managed devices, select Device > Authentication Profile.
    - To use the Cloud Identity Engine in an authentication profile for Panorama administrators, select Panorama > Authentication Profile.
  - Select Panorama > Setup > Management and Edit the Authentication Settings, then select the Authentication Profile for the Cloud Identity Engine tenant you want to associate with Panorama.
  - Select Panorama > Device Groups and Add or Edit a device group.
  - Select the Cloud Identity Engine and Add the Cloud Identity Engine tenant you want to associate with Panorama, then click OK.
- Commit your changes and verify that the firewall redirects authentication requests to the Cloud Authentication Service.
  - On the client device, use the browser to access a webpage that requires authentication.
  - Confirm that the access request redirects to the Cloud Authentication Service.
  - Enter your credentials to log in.
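As an added illustration of the Maximum Clock Skew setting in the first step (this is not PAN-OS code; the function names, the sample assertion and its 2024 timestamps are constructed), the following Python shows how a validator widens an IdP message's validity window by the configured skew, so that small clock drift between the IdP and the firewall is tolerated while a larger difference still fails authentication:

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MIN_SKEW, MAX_SKEW, DEFAULT_SKEW = 1, 900, 60  # range and default stated in step 1


def check_clock_skew(max_skew: int) -> int:
    """Reject a skew value outside the 1-900 second range the profile accepts."""
    if not MIN_SKEW <= max_skew <= MAX_SKEW:
        raise ValueError(f"Maximum Clock Skew must be {MIN_SKEW}-{MAX_SKEW} seconds")
    return max_skew


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC in the form 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_within_window(assertion_xml: str, now: datetime,
                            max_skew: int = DEFAULT_SKEW) -> bool:
    """True if the validating side's clock ('now') falls inside the assertion's
    Conditions window once that window is widened by max_skew on both ends.
    A missing Conditions element or timestamp is a failure, not 'no limits'."""
    skew = timedelta(seconds=check_clock_skew(max_skew))
    conditions = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if conditions is None or not (conditions.get("NotBefore") and conditions.get("NotOnOrAfter")):
        return False
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    # NotBefore is inclusive and NotOnOrAfter is exclusive, as in the SAML spec.
    return (not_before - skew) <= now < (not_on_or_after + skew)


# Constructed sample: the IdP issued an assertion valid from 12:00:00 to 12:05:00 UTC.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""

if __name__ == "__main__":
    # Firewall clock 30 s behind the IdP: inside the default 60 s tolerance.
    print(assertion_within_window(SAMPLE_ASSERTION, parse_saml_time("2024-01-01T11:59:30Z")))
    # Firewall clock 2 min behind: fails at 60 s, passes only if the skew is widened.
    print(assertion_within_window(SAMPLE_ASSERTION, parse_saml_time("2024-01-01T11:58:00Z")))
    print(assertion_within_window(SAMPLE_ASSERTION, parse_saml_time("2024-01-01T11:58:00Z"), 300))
```

Widening the window also extends how long an already issued assertion remains acceptable, so keep the value only as large as the clock drift between your IdP and firewall actually requires.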