>
    Strata Copilot
    Configure Prisma Access Agent to Use the Default System Browser for SAML Authentication
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access Agent
    3. Prisma Access Agent Administration
    4. Configure the Prisma Access Agent
    5. Set Up Prisma Access Agent User Authentication
    6. Set Up SAML Authentication With Cloud Identity Engine
    7. Prisma Access Agent Embedded Browser for SAML Authentication
    8. Configure Prisma Access Agent to Use the Default System Browser for SAML Authentication
    Download PDF
    Prisma Access Agent

    Configure Prisma Access Agent to Use the Default System Browser for SAML Authentication

    Table of Contents

    Configure Prisma Access Agent to Use the Default System Browser for SAML Authentication

    Learn how to configure the Prisma Access Agent to use the default system browser for SAML authentication.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    • NGFW (Managed by Panorama)
    • Check the prerequisites for the deployment you're using
    • Minimum required Prisma Access Agent version: 25.3.0.43
    • macOS 14 and later or Windows 10 version 2024 and later desktop devices
    • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
    If you configure the Prisma Access Agent to authenticate users via SAML authentication, the agent will by default use the Prisma Access Agent embedded browser for SAML authentication. If you don’t want to use the embedded browser for SAML authentication, you can configure the agent to use the endpoint's default system browser, such as Chrome, Firefox, or Safari (on macOS systems).
    With the default system browser, end users can connect to the Prisma Access Agent or other SAML-enabled applications without having to reenter their credentials for a seamless single sign-on (SSO) experience. End users benefit from using the default system browser for SAML authentication because they can use the same login for Prisma Access Agent with their saved user credentials on the default system browser.
    In addition, on any browser that supports the Web Authentication (WebAuthn) API, you can use Universal 2nd Factor (U2F) security tokens such as YubiKeys for multi-factor authentication (MFA) to identify providers (IdPs) such as Azure or Okta.
    If you use the default system browser for SAML authentication, the browser tab remains open upon successful authentication. If the user does not close the browser tab each time after authentication, multiple browser tabs can remain open.
    You can configure the default system browser through predeployment using the configuration file (config.json), user-specific configurations on Strata Cloud Manager, or local overrides using the pacli command.
    1. Configure the Prisma Access Agent to use the default system browser using one of the following methods.
      • Use preconfiguration by installing the agent with the configuration file (config.json) that defines the intended browser type. To enable the system browser for SAML authentication, include the following key in config.json:
        "use_external_browser_for_auth": true
        The default is to use the embedded browser for SAML authentication.
      • (Strata Cloud Manager Managed Prisma Access only) Configure the Prisma Access Agent settings. The settings are applied per user or user group and take precedence over the config.json settings.
        1. Navigate to the Prisma Access Agent tab.
          1. Log in to Strata Cloud Manager as the administrator.
          2. Select ConfigurationNGFW and Prisma AccessConfiguration ScopeAccess AgentSetupPrisma Access Agent.
        2. Configure user authentication settings if needed for the user or user group for which you want to enable the default system browser.
        3. Add an agent setting or edit an existing agent setting.
        4. Select the criteria (OS or User Entities) that match the user or user group for which you want to enable the default system browser.
        5. Enable the option to use the default system browser for authentication.
          Select Show Advanced OptionsAuthentication and enable Use External Browser for Authentication. The default is unchecked (use the embedded browser).
        6. Configure other agent settings if needed and Save the settings.
        7. Push the configuration by selecting Push ConfigPush.
      • Configure browser type settings using the pacli command. To set the system browser for SAML authentication, use the following command on the endpoint:
        pacli browser system
        The pacli setting takes the highest precedence on browser selection. The default is to use the embedded browser for SAML authentication (pacli browser internal).
      You can use any of these methods, but the last setting overrides all other settings. Performing a configuration push on Strata Cloud Manager overrides the PACli command as well.
    2. (Optional) To verify and troubleshoot the browser configuration.
      1. Check the current browser setting by running the following command on the endpoint:
        pacli browser
      2. Check the agent logs for browser-related activities. Browser-related logs are written to the following files on the endpoint.
        On Windows:
        %ProgramData%\Palo Alto Networks\Prisma Access Agent\Logs\PABrowser.log
        On macOS:
        ~/Library/Logs/PaloAltoNetworks/Prisma Access Agent/PABrowser.log

    © 2026 Palo Alto Networks, Inc. All rights reserved.