Configure the Cloud Identity Engine in an Authentication Profile

After you Configure the Cloud Identity Engine as a Mapping Source on the Firewall and Configure an Identity Provider in the Cloud Identity Engine, you can create an Authentication profile that redirects users to the identity provider you configure for authentication.
User authentication with Prisma Access and GlobalProtect is planned for a future release of the Cloud Identity Engine.
  1. Configure an Authentication profile to use the Cloud Authentication Service.
    1. On the firewall, select Device > Authentication Profile.
       On Panorama, to configure the Cloud Identity Engine in an Authentication profile for managed devices, select Device > Authentication Profile. To use the Cloud Identity Engine in an Authentication profile for Panorama administrators, select Panorama > Authentication Profile.
    2. Enter a Name for the Authentication profile.
    3. Select Cloud Authentication Service as the Type.
    4. Select the Region of your Cloud Identity Engine instance.
    5. Select the Instance you want to use for this Authentication profile.
    6. Select an IdP Profile where you want to redirect users to log in.
       The Cloud Identity Engine supports the following IdPs:
    7. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
    8. Select force multi-factor authentication in cloud if your IdP is configured to require users to log in using multi-factor authentication (MFA).
  2. Configure the Authentication Portal settings to use the Authentication profile.
    1. Select Device > User Identification > Authentication Portal Settings.
    2. Edit the settings and select the Authentication Profile from the first step.
    3. Select Redirect as the Mode.
       For more information on how to configure redirect mode, refer to Configure Authentication Portal.
    4. Click OK.
  3. Create an Authentication Enforcement object that uses the Authentication profile to redirect users to log in using their IdP.
    1. Select Objects > Authentication.
    2. Add an Authentication Enforcement object and enter a Name for the object.
    3. Select web-form as the Authentication Method.
    4. Select the Authentication Profile from the first step.
    5. (Optional) Enter a Message to display to users.
    6. Click OK.
  4. Create a URL list as a custom URL category to allow the necessary traffic for the Cloud Identity Engine.
    1. If you do not need to strictly limit traffic to your region, you can enter *.apps.paloaltonetworks.com. Otherwise, determine your region-based URLs using the show cloud-auth-service-regions command, which displays the URLs for the region associated with your Cloud Identity Engine instance, and enter each region-based URL. The following table lists the URLs for each region:

       Region                       Cloud Identity Engine Region-Based URLs
       United States                cloud-auth.us.apps.paloaltonetworks.com
                                    cloud-auth-service.us.apps.paloaltonetworks.com
       Europe                       cloud-auth.nl.apps.paloaltonetworks.com
                                    cloud-auth-service.nl.apps.paloaltonetworks.com
       United Kingdom               cloud-auth.uk.apps.paloaltonetworks.com
                                    cloud-auth-service.uk.apps.paloaltonetworks.com
       Singapore                    cloud-auth.sg.apps.paloaltonetworks.com
                                    cloud-auth-service.sg.apps.paloaltonetworks.com
       Canada                       cloud-auth.ca.apps.paloaltonetworks.com
                                    cloud-auth-service.ca.apps.paloaltonetworks.com
       Japan                        cloud-auth.jp.apps.paloaltonetworks.com
                                    cloud-auth-service.jp.apps.paloaltonetworks.com
       Australia                    cloud-auth.au.apps.paloaltonetworks.com
                                    cloud-auth-service.au.apps.paloaltonetworks.com
       Germany                      cloud-auth.de.apps.paloaltonetworks.com
                                    cloud-auth-service.de.apps.paloaltonetworks.com
       United States - Government   cloud-auth-service.gov.apps.paloaltonetworks.com
                                    cloud-auth.gov.apps.paloaltonetworks.com

    2. Enter the URLs that your IdP requires for user authentication (for example, *.okta.com).
  5. Create a security policy rule to allow traffic to the IdP and Cloud Identity Engine and select the custom URL category as the match criteria.
  6. Configure an Authentication policy rule to use the Authentication Enforcement object and allow traffic to the custom URL category.
  7. Commit your changes and verify that the firewall redirects authentication requests to the Cloud Authentication Service.
    1. On the client device, use the browser to access a web page that requires authentication.
    2. Confirm that the access request redirects to the Cloud Authentication Service.
    3. Enter your credentials to log in.
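The Maximum Clock Skew setting in step 1.7 is easier to reason about when you see the check it parameterises. The following Python is an added example, not PAN-OS or Cloud Identity Engine code, and it does not describe how the firewall implements the setting internally. It assumes the IdP message carries SAML-style ISO 8601 UTC timestamps (IssueInstant, NotBefore, NotOnOrAfter), measures the clock difference as the gap between the validating system's clock and IssueInstant, and widens the assertion's validity window by the same tolerance. The sample timestamps are constructed for the demonstration.

```python
# Added example (not PAN-OS or Cloud Identity Engine code): the timing check
# that a "Maximum Clock Skew (seconds)" setting parameterises when a relying
# party validates time-stamped IdP messages. Assumed message format: SAML-style
# ISO 8601 UTC timestamps (IssueInstant, NotBefore, NotOnOrAfter).
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

DEFAULT_MAX_SKEW = 60   # documented default, in seconds
SKEW_RANGE = (1, 900)   # documented allowed range, in seconds


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp of the form used in SAML messages."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class IdpMessage:
    issue_instant: datetime
    not_before: Optional[datetime] = None
    not_on_or_after: Optional[datetime] = None


def validate_timing(msg: IdpMessage, now: datetime,
                    max_skew_seconds: int = DEFAULT_MAX_SKEW) -> Tuple[bool, str]:
    """Return (ok, reason). `now` is the validating system's own clock.

    The IdP's clock is only observable through the timestamps it put in the
    message, so the clock difference is measured as |now - IssueInstant|.
    The validity window (NotBefore / NotOnOrAfter) is widened by the same
    tolerance so that a few seconds of drift does not reject a fresh assertion.
    """
    if not SKEW_RANGE[0] <= max_skew_seconds <= SKEW_RANGE[1]:
        raise ValueError(f"max clock skew must be within {SKEW_RANGE}")
    skew = timedelta(seconds=max_skew_seconds)

    drift = abs(now - msg.issue_instant)
    if drift > skew:
        return False, (f"clock difference {int(drift.total_seconds())}s "
                       f"exceeds {max_skew_seconds}s")
    if msg.not_before is not None and now < msg.not_before - skew:
        return False, "assertion not yet valid"
    if msg.not_on_or_after is not None and now >= msg.not_on_or_after + skew:
        return False, "assertion expired"
    return True, "ok"


def demo() -> Dict[str, bool]:
    """Constructed sample: validator clock at 12:00:00Z, IdP messages issued
    at varying offsets. Returns the pass/fail outcome of each case."""
    now = parse_ts("2024-05-01T12:00:00Z")
    fresh = IdpMessage(parse_ts("2024-05-01T11:59:30Z"),          # 30 s behind
                       parse_ts("2024-05-01T11:59:30Z"),
                       parse_ts("2024-05-01T12:04:30Z"))
    stale = IdpMessage(parse_ts("2024-05-01T11:58:30Z"))          # 90 s behind
    future = IdpMessage(parse_ts("2024-05-01T12:01:30Z"))         # 90 s ahead
    return {
        "fresh_default": validate_timing(fresh, now)[0],
        "stale_default": validate_timing(stale, now)[0],
        "stale_widened": validate_timing(stale, now, max_skew_seconds=120)[0],
        "future_default": validate_timing(future, now)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'pass' if ok else 'FAIL'}")
```

The point of the sample cases is that the tolerance is symmetric: a message 90 seconds behind the firewall's clock and one 90 seconds ahead both fail at the default of 60 seconds, and raising the skew to 120 accepts the former. Before raising the value in production, check whether the IdP and firewall are both synchronised to a reliable NTP source; widening the window is a workaround for drift, not a fix for it.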
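Step 4 leaves you with a custom URL category that must cover every Cloud Identity Engine host for your region plus the IdP's own hosts. The following Python is an added example, not PAN-OS code, that checks such a list against the region table on this page. It assumes a simplified matching rule: an entry is either an exact host or a "*.suffix" wildcard matched on DNS-label boundaries. That is a simplification used for the demonstration, not a description of PAN-OS URL-filtering match semantics. It also includes a naive substring check as the contrast case, to show why label-boundary matching matters when a look-alike host embeds the legitimate name.

```python
# Added example (not PAN-OS code): checks that a custom URL category covers
# the Cloud Identity Engine hosts for a region and does not match look-alike
# hosts. Assumption: entries are exact hosts or "*.suffix" wildcards matched on
# DNS-label boundaries, a simplification of PAN-OS URL-filtering semantics.
from typing import Dict, Iterable, List

# Region table as given on this page.
REGION_URLS: Dict[str, List[str]] = {
    "United States": ["cloud-auth.us.apps.paloaltonetworks.com",
                      "cloud-auth-service.us.apps.paloaltonetworks.com"],
    "Europe": ["cloud-auth.nl.apps.paloaltonetworks.com",
               "cloud-auth-service.nl.apps.paloaltonetworks.com"],
    "United Kingdom": ["cloud-auth.uk.apps.paloaltonetworks.com",
                       "cloud-auth-service.uk.apps.paloaltonetworks.com"],
    "Singapore": ["cloud-auth.sg.apps.paloaltonetworks.com",
                  "cloud-auth-service.sg.apps.paloaltonetworks.com"],
    "Canada": ["cloud-auth.ca.apps.paloaltonetworks.com",
               "cloud-auth-service.ca.apps.paloaltonetworks.com"],
    "Japan": ["cloud-auth.jp.apps.paloaltonetworks.com",
              "cloud-auth-service.jp.apps.paloaltonetworks.com"],
    "Australia": ["cloud-auth.au.apps.paloaltonetworks.com",
                  "cloud-auth-service.au.apps.paloaltonetworks.com"],
    "Germany": ["cloud-auth.de.apps.paloaltonetworks.com",
                "cloud-auth-service.de.apps.paloaltonetworks.com"],
    "United States - Government": ["cloud-auth-service.gov.apps.paloaltonetworks.com",
                                   "cloud-auth.gov.apps.paloaltonetworks.com"],
}

ANY_REGION = "*.apps.paloaltonetworks.com"   # the broad entry from step 4.1
IDP_URLS = ["*.okta.com"]                     # the IdP example from step 4.2


def normalize(host: str) -> str:
    return host.strip().lower().rstrip(".")


def entry_matches(entry: str, host: str) -> bool:
    """Exact-host or label-boundary wildcard match."""
    entry, host = normalize(entry), normalize(host)
    if entry.startswith("*."):
        suffix = entry[1:]   # "*.okta.com" -> ".okta.com"
        # "login.okta.com" matches; "okta.com" alone and "notokta.com" do not.
        return host.endswith(suffix) and len(host) > len(suffix)
    return entry == host


def naive_substring_matches(entry: str, host: str) -> bool:
    """Contrast case: substring containment. Matches look-alike hosts such as
    'cloud-auth.us.apps.paloaltonetworks.com.example-lookalike.test'."""
    return normalize(entry).lstrip("*.") in normalize(host)


def category_matches(category: Iterable[str], host: str) -> bool:
    return any(entry_matches(e, host) for e in category)


def uncovered_hosts(category: Iterable[str], region: str) -> List[str]:
    """Region hosts from the table that the category would NOT allow."""
    entries = list(category)
    return [h for h in REGION_URLS[region] if not category_matches(entries, h)]


def regions_fully_covered(category: Iterable[str]) -> List[str]:
    entries = list(category)
    return [r for r in REGION_URLS if not uncovered_hosts(entries, r)]


if __name__ == "__main__":
    eu_only = REGION_URLS["Europe"] + IDP_URLS
    print("regions covered by broad entry:", regions_fully_covered([ANY_REGION]))
    print("regions covered by Europe-only category:", regions_fully_covered(eu_only))
    print("US hosts missing from Europe-only category:", uncovered_hosts(eu_only, "United States"))
```

Run it with the region-only category you intend to deploy; any host printed as missing is one the security policy rule in step 5 would not allow, which shows up as a failed redirect in step 7 rather than as an obvious error. The naive check is included only to show the failure mode: with substring matching, a host that merely contains the legitimate name would pass the category, which is exactly what label-boundary matching prevents.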
