Identify When an IdP is Blocking User Access

Use Access Analyzer to quickly find out whether an identity provider (IdP) is blocking user access.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • ADEM or Strata Cloud Manager Pro for Prisma Access license
  • Cloud Identity Engine license
You can use Access Analyzer with Cloud Identity Engine to quickly determine whether a third-party identity provider (IdP) is blocking user access to a resource so that you can navigate to the IdP and resolve the issue.
  1. Start a query for users whose access you’re interested in.
    Can mobile user <name> access <application> from prisma access location <location-name> using device <device name>
    Access Analyzer supports IdPs such as:
    • Azure AD (Entra ID)
    • Okta
    • Google
    • PingFederation
    • PingOne
    If an IdP is blocking the user’s access, Access Analyzer’s multidomain analysis indicates which IdPs are responsible.
  2. Analyze the access issue.
    If an IdP is blocking the user’s access, the query results tell you that and the reason why.
    In this case, the user can’t access the application because they don't belong to the user groups that have access to the application.
    • In the query results, select Learn More or select Application > Identity Providers to see details about the access block, such as:
      • The suggested remediation
      • User groups the user belongs to
      • User groups that have access to the application
  3. Follow the suggested remediation for the issue.
    In this case, if the IAM team determines that the user should have Slack access, someone with the appropriate permissions can log in to the IdP and move them to the user group with access to Slack. Alternatively, the IAM admin could grant Slack access to the user's current user group or give the user direct access.
  4. Run the query again to verify that the user now has access.
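The following is an added example that is not part of this page or of Access Analyzer; it models the group-membership check the steps above describe. Given a constructed snapshot of IdP data (which groups a user belongs to, which groups and which individual users are assigned to an application), it returns whether the IdP would block the user, the reason, and the same three remediation options the procedure lists. The snapshot, the user names, and the application names are all constructed sample data.

```python
"""Added example: model the group-membership check behind an IdP access block.

Illustrative code only, not Access Analyzer or Cloud Identity Engine code.
The IdP data below is constructed; in practice group membership and
application assignments come from the IdP itself (Entra ID, Okta, ...).
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class IdpSnapshot:
    # user -> groups the user belongs to (constructed sample data)
    user_groups: dict[str, set[str]]
    # application -> groups assigned to the application
    app_groups: dict[str, set[str]]
    # application -> users assigned directly, outside any group
    app_direct_users: dict[str, set[str]] = field(default_factory=dict)


@dataclass
class Verdict:
    allowed: bool
    reason: str
    user_groups: set[str]      # groups the user belongs to
    app_groups: set[str]       # groups that have access to the application
    remediations: list[str]    # empty when access is allowed


def analyze_access(idp: IdpSnapshot, user: str, app: str) -> Verdict:
    """Decide whether the IdP would block `user` from `app`, and why."""
    groups = idp.user_groups.get(user, set())
    allowed_groups = idp.app_groups.get(app, set())
    direct = idp.app_direct_users.get(app, set())

    # A direct assignment grants access regardless of group membership.
    if user in direct:
        return Verdict(True, f"{user} is assigned directly to {app}",
                       groups, allowed_groups, [])

    # Access via any group shared between the user and the application.
    matching = groups & allowed_groups
    if matching:
        return Verdict(True, f"{user} belongs to {sorted(matching)}, "
                             f"which can access {app}",
                       groups, allowed_groups, [])

    # Blocked: explain why and list the remediation options that apply.
    if not allowed_groups and not direct:
        reason = f"{app} has no group or user assignments in the IdP"
    else:
        reason = f"{user} does not belong to any group that has access to {app}"

    remediations = []
    if allowed_groups:
        remediations.append(
            f"Add {user} to a group assigned to {app}: {sorted(allowed_groups)}")
    if groups:
        remediations.append(
            f"Assign one of {user}'s current groups to {app}: {sorted(groups)}")
    remediations.append(f"Assign {user} directly to {app}")
    return Verdict(False, reason, groups, allowed_groups, remediations)


# Constructed sample snapshot (not real users, groups, or assignments).
SAMPLE = IdpSnapshot(
    user_groups={"alice": {"Engineering", "VPN-Users"}, "bob": {"Sales"}},
    app_groups={"Slack": {"Sales", "Marketing"}},
    app_direct_users={"Slack": {"carol"}},
)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        v = analyze_access(SAMPLE, user, "Slack")
        print(f"{user}: {'allowed' if v.allowed else 'BLOCKED'} - {v.reason}")
        for fix in v.remediations:
            print(f"  remediation: {fix}")
```

Running the block prints that alice is blocked from Slack with the three remediations (move her into Sales or Marketing, assign Engineering or VPN-Users to Slack, or assign her directly), while bob (via Sales) and carol (direct assignment) are allowed. The same fields the query results expose, the user's groups and the application's groups, are carried on the verdict so an operator can compare them.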