Configure the Cloud Identity Engine in an Authentication Profile
After you Configure an Identity Provider in the Cloud Identity Engine, you can create an Authentication profile that redirects users to the identity provider you configure for authentication.
User authentication with Prisma Access and GlobalProtect is planned for a future release of the Cloud Identity Engine.
- Configure an Authentication profile to use the Cloud Authentication Service.
  - On the firewall, select Device > Authentication Profile.
  - Enter a Name for the Authentication profile.
  - Select Cloud Authentication Service as the Type.
  - Select the Region of your Cloud Identity Engine instance.
  - Select the Instance you want to use for this Authentication profile.
  - Select an IdP Profile where you want to redirect users to log in. For more information, see Configure an Identity Provider in the Cloud Identity Engine.
  - Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
  - Enable MFA if your IdP is configured to require users to log in using multi-factor authentication (MFA).
- Configure the Authentication Portal settings to use the Authentication profile.
  - Select Device > User Identification > Authentication Portal Settings.
  - Edit the settings and select the Authentication Profile from the first step.
  - Select Redirect as the Mode. For more information on how to configure redirect mode, refer to Configure Authentication Portal.
- Create an Authentication Enforcement object that uses the Authentication profile to redirect users to log in using their IdP.
  - Add an Authentication Enforcement object and enter a Name for the object.
  - Select web-form as the Authentication Method.
  - Select the Authentication Profile from the first step.
  - (Optional) Enter a Message to display to users.
- Create a URL list as a custom URL category to allow the necessary traffic for the Cloud Identity Engine.
  - If you do not need to strictly limit traffic to your region, you can enter *.apps.paloaltonetworks.com. Otherwise, run the show cloud-auth-service-regions command to display the URLs for the region associated with your Cloud Identity Engine instance, and enter each region-based URL. The following table lists the URLs for each region:

    | Region | Cloud Identity Engine Region-Based URLs |
    | --- | --- |
    | United States | cloud-auth.us.apps.paloaltonetworks.com, cloud-auth-service.us.apps.paloaltonetworks.com |
    | Europe | cloud-auth.nl.apps.paloaltonetworks.com, cloud-auth-service.nl.apps.paloaltonetworks.com |
    | United Kingdom | cloud-auth.uk.apps.paloaltonetworks.com, cloud-auth-service.uk.apps.paloaltonetworks.com |
    | Singapore | cloud-auth.sg.apps.paloaltonetworks.com, cloud-auth-service.sg.apps.paloaltonetworks.com |
    | Canada | cloud-auth.ca.apps.paloaltonetworks.com, cloud-auth-service.ca.apps.paloaltonetworks.com |
    | Japan | cloud-auth.jp.apps.paloaltonetworks.com, cloud-auth-service.jp.apps.paloaltonetworks.com |
    | Australia | cloud-auth.au.apps.paloaltonetworks.com, cloud-auth-service.au.apps.paloaltonetworks.com |
    | Germany | cloud-auth.de.apps.paloaltonetworks.com, cloud-auth-service.de.apps.paloaltonetworks.com |

  - Enter the URLs that your IdP requires for user authentication (for example, *.okta.com).
- Create a security policy rule to allow traffic to the IdP and Cloud Identity Engine and select the custom URL category as the match criteria.
- Configure an Authentication policy rule to use the Authentication Enforcement object and allow traffic to the custom URL category.
- Commit your changes and verify that the firewall redirects authentication requests to the Cloud Authentication Service.
  - On the client device, use the browser to access a web page that requires authentication.
  - Confirm that the access request redirects to the Cloud Authentication Service.
  - Enter your credentials to log in.
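For the custom URL category step, the following added Python check (not Palo Alto Networks code) builds the region-based hostnames from the table above and reports which required hosts a proposed list of category entries leaves uncovered, so you can confirm a strict region-only list still reaches both Cloud Identity Engine hosts and the IdP. It assumes a leading "*." entry covers any subdomain depth, as the page's own *.apps.paloaltonetworks.com entry implies, and the example.okta.com IdP host is a constructed sample.

```python
# Added example, not Palo Alto Networks code: sanity-check a custom URL category
# for the Cloud Identity Engine step above. Region codes are taken from the table on
# this page; wildcard semantics (a leading "*." covering any subdomain depth) are an
# assumption consistent with the page's own "*.apps.paloaltonetworks.com" entry.

REGION_CODES = {
    "United States": "us", "Europe": "nl", "United Kingdom": "uk", "Singapore": "sg",
    "Canada": "ca", "Japan": "jp", "Australia": "au", "Germany": "de",
}


def region_hosts(region):
    """Both region-based Cloud Identity Engine hosts for a region name from the table."""
    code = REGION_CODES[region]
    return [f"cloud-auth.{code}.apps.paloaltonetworks.com",
            f"cloud-auth-service.{code}.apps.paloaltonetworks.com"]


def entry_matches(entry, host):
    """Does one category entry cover the host? "*.x.y" covers any subdomain of x.y
    (not x.y itself, and not a host that merely ends in "x.y" without the dot);
    anything else is compared as an exact hostname."""
    if entry.startswith("*."):
        return host.endswith(entry[1:])  # entry[1:] keeps the leading dot
    return host == entry


def uncovered_hosts(entries, region, idp_hosts=()):
    """Required hosts (the region pair plus any IdP hosts) that no entry covers."""
    required = region_hosts(region) + list(idp_hosts)
    return [h for h in required if not any(entry_matches(e, h) for e in entries)]


def regions_reachable(entries):
    """Regions whose Cloud Identity Engine hosts the entries allow: the wildcard
    allows all of them, a region-specific list only its own region."""
    return [r for r in REGION_CODES if not uncovered_hosts(entries, r)]


if __name__ == "__main__":
    # Constructed sample: a Germany instance behind an Okta IdP at example.okta.com.
    strict = region_hosts("Germany") + ["*.okta.com"]
    print("uncovered:", uncovered_hosts(strict, "Germany", ["example.okta.com"]))
    print("regions reachable with strict list:", regions_reachable(strict))
    print("regions reachable with wildcard:",
          regions_reachable(["*.apps.paloaltonetworks.com"]))
```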