For Prisma Access deployments, you can use Strata Cloud Manager or Panorama
to set up user authentication so that only legitimate Prisma Access Agent
users have access to your services and applications.
You can set up user authentication depending on the management platform you're using.
Set Up SAML Authentication with CIE (Prisma Access Deployment on Strata Cloud Manager)
Use Strata Cloud Manager to set up the authentication for Prisma Access Agent
users in Prisma Access deployments.
You can use Strata Cloud Manager to set up user authentication using SAML with Cloud
Identity Engine so that only legitimate Prisma Access Agent users have access
to your services and applications.
Set up an authentication profile that refers to the Cloud Identity Engine authentication profile that you created in Cloud Identity Engine, which validates the login credentials of end users who access resources and applications using the Prisma Access Agent.
In Strata Cloud Manager, select .
Select .
Add Profile.
Select .
Enter a Profile Name.
Select an available Profile (which comes from Cloud Identity Engine).
Enter the Maximum Clock Skew in seconds. This is the allowed system time difference between the IdP and Prisma Access when Prisma Access validates IdP messages. The default value is 60 seconds, and the range is 1-900 seconds. If the difference exceeds this value, authentication fails.
By default, all users can authenticate with Prisma Access. To select specific users or user groups, select and select the user or user group that you want to add.
You can add more users or groups by clicking the plus sign (+) and searching for a user or user group.
Click away from the drop-down to save your query.
Save your new profile.
In Strata Cloud Manager, select .
If this is your first time setting up the Prisma Access Agent, click Set Up User Authentication. Otherwise, select an authentication method to update it or Add User Authentication.
To authenticate users to Prisma Access, select an Authentication Type.
The following authentication types are available with Cloud Identity Engine:
- (Unsupported on Prisma Access Agent Linux) Client Certificate (Cloud Identity Engine)—Select this to use a client certificate from the Cloud Identity Engine to obtain usernames and authenticate Prisma Access Agent users to Prisma Access. To authenticate users based on a client certificate, one of the certificate fields, such as the Subject Name field, must identify the username. End users who successfully authenticate through client certificate authentication don't have the option to sign out of the Prisma Access Agent.
- SAML (Cloud Identity Engine)—Select this to use SAML 2.0 to integrate Prisma Access with an identity provider (IdP) that controls access to both external and internal services and applications. SAML single sign-on (SSO) enables one login to access multiple applications, which is helpful in environments where each user accesses many applications and authenticating to each one separately would impede user productivity. This is the default selection.
- (Unsupported on Prisma Access Agent Linux) Client Certificate OR SAML (Cloud Identity Engine)—Select this to grant access to end users as long as they have successfully passed either client certificate authentication or SAML authentication.
- (Unsupported on Prisma Access Agent Linux) Client Certificate AND SAML (Cloud Identity Engine)—Select this to require users to pass both certificate authentication and SAML authentication.
Select the endpoint operating system to Authenticate Users From. Selecting Match Any will authenticate users from all supported operating systems. The default is Match Any.
Select a profile to use for authentication based on the authentication type.
- (Unsupported on Prisma Access Agent Linux) If you're using the Client Certificate (Cloud Identity Engine) authentication type, select a Certificate Profile to verify the certificates that Prisma Access Agent users present to Prisma Access during a connection request. The certificate profile specifies the contents of the username and user domain fields, lists CA certificates, sets criteria for blocking a session, and offers ways to determine the revocation status of CA certificates. Because the certificate is part of the authentication for the user, you must predeploy certificates used in certificate profiles to your users before their initial login. The certificate profile specifies which certificate field contains the username (Subject or Subject Alt). If the certificate profile specifies Subject in the Username Field, the certificate presented by the endpoint must contain a Common Name for the endpoint to connect. If the certificate profile specifies a Subject Alt with an Email or Principal Name as the Username Field, the certificate must contain the corresponding field, which will be used as the username when the Prisma Access Agent authenticates to Prisma Access.
- If you're using SAML (Cloud Identity Engine), select an Authentication Profile. This authentication profile is the profile you set up in step 1, which defines the authentication service that validates the login credentials of end users who access resources and applications using the Prisma Access Agent.
- (Unsupported on Prisma Access Agent Linux) If you're using Client Certificate OR SAML (Cloud Identity Engine), select a Certificate Profile and an Authentication Profile. This will grant access to end users as long as they have successfully passed either client certificate authentication or SAML authentication.
- (Unsupported on Prisma Access Agent Linux) If you're using Client Certificate AND SAML (Cloud Identity Engine), select a Certificate Profile and an Authentication Profile. This will require users to pass both certificate authentication and SAML authentication.
Save your user authentication settings.
Your new or updated user authentication will appear in the User Authentications table. Ensure that the OS listed in the Authenticate Users From column follows the hierarchy with the OS-specific profiles at the top and the Any OS at the bottom. If the user authentication profile with the Any OS is placed above the OS-specific authentication profiles, the Any OS profile won't get matched since Prisma Access Agent always selects the authentication profile with the exact matching OS.
You can select a user authentication profile and Move it up or down the table.
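The ordering rule for the User Authentications table, as an added Python example (not Palo Alto Networks code, and not the Prisma Access Agent's actual matching logic): it models the page's statement that the agent always selects the entry whose OS matches exactly and otherwise falls back to the Any entry, and it flags a table in which an Any entry sits above OS-specific entries. The entry names and OS values are constructed sample data.

```python
"""Added example, not Palo Alto Networks code: models selection from an
ordered User Authentications table and lints the ordering rule on the page
(OS-specific entries at the top, the Any entry at the bottom)."""
from dataclasses import dataclass

ANY_OS = "Any"


@dataclass(frozen=True)
class UserAuthentication:
    name: str                     # constructed label for the table row
    authenticate_users_from: str  # e.g. "Windows", "macOS", "Linux" or "Any"
    authentication_type: str      # e.g. "SAML (Cloud Identity Engine)"


def select_user_authentication(table, endpoint_os):
    """Pick the entry used for an endpoint running `endpoint_os`.

    Assumption taken from the page: an exact OS match always wins, so the
    Any entry is only reached when no OS-specific entry exists for the OS.
    Returns None when nothing matches."""
    for entry in table:
        if entry.authenticate_users_from == endpoint_os:
            return entry
    for entry in table:
        if entry.authenticate_users_from == ANY_OS:
            return entry
    return None


def ordering_warnings(table):
    """Return one warning per Any entry that is placed above an OS-specific entry.

    Such an Any entry violates the hierarchy the page asks for: exact-OS
    entries are always preferred, so the Any entry should sit at the bottom."""
    warnings = []
    for index, entry in enumerate(table):
        if entry.authenticate_users_from != ANY_OS:
            continue
        below = [e.name for e in table[index + 1:]
                 if e.authenticate_users_from != ANY_OS]
        if below:
            warnings.append(
                f"'{entry.name}' (Any) is above OS-specific entries "
                f"{', '.join(below)}; move it to the bottom of the table")
    return warnings


if __name__ == "__main__":
    # Constructed sample table: one Windows-only entry and a catch-all entry.
    sample_table = [
        UserAuthentication("win-cert", "Windows",
                           "Client Certificate (Cloud Identity Engine)"),
        UserAuthentication("all-saml", ANY_OS, "SAML (Cloud Identity Engine)"),
    ]
    for os_name in ("Windows", "Linux"):
        chosen = select_user_authentication(sample_table, os_name)
        print(f"{os_name}: {chosen.name if chosen else 'no match'}")
    print("warnings:", ordering_warnings(sample_table))
    print("warnings (Any on top):", ordering_warnings(sample_table[::-1]))
```

Run the lint after every change to the table; a non-empty result means the Any entry needs to be moved down with the table's Move control.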
Set Up SAML Authentication with CIE (Prisma Access Deployment on Panorama)
Use Panorama to set up the authentication for Prisma Access Agent users in Prisma Access deployments.
For Panorama Managed Prisma Access deployments, you can set up user authentication so that only legitimate Prisma Access Agent users have access to your services and applications.
From the Cloud Services plugin in Panorama, select .
Select .
Select the Prisma Access Agent tab.
Click Add User Authentication or select an existing user authentication from the table to update it.
Select the endpoint operating system to Authenticate Users From. Selecting Match Any will authenticate users from all supported operating systems. The default is Match Any.
Select an Authentication Type.
The following authentication types are available with Cloud Identity Engine:
- SAML—Select this to use SAML 2.0 to integrate Prisma Access with an identity provider (IdP) that controls access to both external and internal services and applications. SAML single sign-on (SSO) enables one login to access multiple applications, which is helpful in environments where each user accesses many applications and authenticating to each one separately would impede user productivity. This is the default selection.
- (Unsupported on Prisma Access Agent Linux) Client Certificate—Select this to use a client certificate from the Cloud Identity Engine to obtain usernames and authenticate Prisma Access Agent users to Prisma Access. To authenticate users based on a client certificate, one of the certificate fields, such as the Subject Name field, must identify the username. End users who successfully authenticate through client certificate authentication don't have the option to sign out of the Prisma Access Agent.
- (Unsupported on Prisma Access Agent Linux) Client Certificate OR SAML—Select this to grant access to end users as long as they have successfully passed either client certificate authentication or SAML authentication.
- (Unsupported on Prisma Access Agent Linux) Client Certificate AND SAML—Select this to require users to pass both certificate authentication and SAML authentication.
Select an Authentication Profile to use for authentication based on the authentication type.
- If you're using SAML, select an Authentication Profile or Create New. This authentication profile maps to the Cloud Identity Engine authentication profile that validates the login credentials of end users who access applications and resources using the Prisma Access Agent.
  If you're creating a new profile:
  - Click Create New.
  - Enter a Profile Name and select an available Cloud Identity Engine Profile.
  - (Optional) Enter the Maximum Clock Skew (seconds), which is the allowed system time difference between the IdP and Prisma Access when Prisma Access validates IdP messages. The default value is 60 seconds, and the range is 1-900 seconds. If the difference exceeds this value, authentication fails.
  - Save your new profile. The profile is added to the Authentication Profile list.
  - Select the profile you created if you want to use it to authenticate your users.
- (Unsupported on Prisma Access Agent Linux) If you're using the Client Certificate authentication type, select a Certificate Profile to verify the certificates that Prisma Access Agent users present to Prisma Access during a connection request. The certificate profile specifies the contents of the username and user domain fields, lists CA certificates, sets criteria for blocking a session, and offers ways to determine the revocation status of CA certificates. Because the certificate is part of the authentication for the user, you must predeploy certificates used in certificate profiles to your users before their initial login. The certificate profile specifies which certificate field contains the username (Subject or Subject Alt). If the certificate profile specifies Subject in the Username Field, the certificate presented by the endpoint must contain a Common Name for the endpoint to connect. If the certificate profile specifies a Subject Alt with an Email or Principal Name as the Username Field, the certificate must contain the corresponding field, which will be used as the username when the Prisma Access Agent authenticates to Prisma Access.
- (Unsupported on Prisma Access Agent Linux) If you're using Client Certificate OR SAML, select a Certificate Profile and an Authentication Profile. This will grant access to end users as long as they have successfully passed either client certificate authentication or SAML authentication.
- (Unsupported on Prisma Access Agent Linux) If you're using Client Certificate AND SAML, select a Certificate Profile and an Authentication Profile. This will require users to pass both certificate authentication and SAML authentication.
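The access decision behind the four authentication types, together with the certificate profile's Username Field rule, as an added Python example that serves both the Strata Cloud Manager and the Panorama profile-selection steps above (it is not Palo Alto Networks code). The certificate is represented as already-parsed fields in a constructed dataclass rather than a real X.509 parser; the names `ParsedCertificate`, `CertificateProfile`, `evaluate_connection` and the OS label "Linux" are this example's own.

```python
"""Added example, not Palo Alto Networks code: combines the Username Field
rule of a certificate profile with the SAML / Client Certificate / OR / AND
decision described on the page, including the Linux restriction."""
from dataclasses import dataclass
from typing import Optional

# The page marks these three types as unsupported on Prisma Access Agent Linux.
CERTIFICATE_BASED_TYPES = {
    "Client Certificate",
    "Client Certificate OR SAML",
    "Client Certificate AND SAML",
}
ALL_TYPES = CERTIFICATE_BASED_TYPES | {"SAML"}


@dataclass
class ParsedCertificate:
    """Constructed stand-in for the certificate fields a profile inspects."""
    subject_common_name: Optional[str] = None
    san_email: Optional[str] = None           # Subject Alt Name, rfc822Name
    san_principal_name: Optional[str] = None  # Subject Alt Name, UPN


@dataclass
class CertificateProfile:
    username_field: str                     # "Subject" or "Subject Alt"
    subject_alt_type: Optional[str] = None  # "Email" or "Principal Name"


def is_supported_on(auth_type, endpoint_os):
    """Certificate-based types are not available on the Linux agent."""
    return not (endpoint_os == "Linux" and auth_type in CERTIFICATE_BASED_TYPES)


def username_from_certificate(cert, profile):
    """Return the username the profile selects, or None when the field the
    profile requires is missing (the page says the endpoint cannot connect)."""
    if profile.username_field == "Subject":
        return cert.subject_common_name
    if profile.username_field == "Subject Alt":
        if profile.subject_alt_type == "Email":
            return cert.san_email
        if profile.subject_alt_type == "Principal Name":
            return cert.san_principal_name
    raise ValueError(f"unsupported Username Field: {profile.username_field}/"
                     f"{profile.subject_alt_type}")


def authorize(auth_type, cert_username, saml_username):
    """Combine the two factors as the selected Authentication Type requires.
    A factor counts as passed when it produced a username."""
    cert_ok = cert_username is not None
    saml_ok = saml_username is not None
    if auth_type == "SAML":
        return saml_ok
    if auth_type == "Client Certificate":
        return cert_ok
    if auth_type == "Client Certificate OR SAML":
        return cert_ok or saml_ok
    if auth_type == "Client Certificate AND SAML":
        return cert_ok and saml_ok
    raise ValueError(f"unknown authentication type: {auth_type}")


def evaluate_connection(auth_type, endpoint_os, cert=None, cert_profile=None,
                        saml_username=None):
    """End-to-end decision for one connection request: (granted, reason)."""
    if auth_type not in ALL_TYPES:
        raise ValueError(f"unknown authentication type: {auth_type}")
    if not is_supported_on(auth_type, endpoint_os):
        return (False, f"{auth_type} is unsupported on Prisma Access Agent {endpoint_os}")
    cert_username = None
    if auth_type in CERTIFICATE_BASED_TYPES and cert is not None and cert_profile is not None:
        cert_username = username_from_certificate(cert, cert_profile)
    if authorize(auth_type, cert_username, saml_username):
        return (True, f"granted (certificate user={cert_username}, SAML user={saml_username})")
    return (False, f"denied by {auth_type} (certificate user={cert_username}, SAML user={saml_username})")


if __name__ == "__main__":
    # Constructed sample: a certificate with a CN and an e-mail SAN but no UPN.
    cert = ParsedCertificate(subject_common_name="jdoe", san_email="jdoe@example.com")
    upn_profile = CertificateProfile("Subject Alt", "Principal Name")
    print(evaluate_connection("Client Certificate", "Windows", cert, CertificateProfile("Subject")))
    print(evaluate_connection("Client Certificate", "Windows", cert, upn_profile))
    print(evaluate_connection("Client Certificate AND SAML", "macOS", cert,
                              CertificateProfile("Subject Alt", "Email"), "jdoe"))
    print(evaluate_connection("Client Certificate", "Linux", cert, CertificateProfile("Subject")))
```

The second call shows the failure mode the page describes: the profile asks for a Principal Name, the certificate carries none, so no username is obtained and the connection is refused even though the certificate is otherwise valid.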
Save your user authentication settings.
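How the Maximum Clock Skew setting is applied when an IdP message is validated, as an added Python example covering the profile step in both the Strata Cloud Manager and the Panorama procedures above (not Palo Alto Networks code). The page only states that authentication fails when the IdP/Prisma Access time difference exceeds the configured skew; the SAML 2.0 timestamps this example checks (IssueInstant, NotBefore, NotOnOrAfter), the function names and the sample timestamps are this example's own assumptions.

```python
"""Added example, not Palo Alto Networks code: applies a Maximum Clock Skew
tolerance (default 60 s, range 1-900 s per the page) to the timestamps of a
SAML message. Which timestamps Prisma Access actually checks is not on the
page; the three used here are assumptions taken from SAML 2.0."""
from datetime import datetime, timedelta, timezone

DEFAULT_MAX_CLOCK_SKEW = 60  # seconds, the page's default
MIN_SKEW, MAX_SKEW = 1, 900  # the page's allowed range


def is_valid_clock_skew_setting(seconds):
    """True when the value fits the 1-900 second range the UI accepts."""
    return isinstance(seconds, int) and not isinstance(seconds, bool) \
        and MIN_SKEW <= seconds <= MAX_SKEW


def parse_saml_instant(value):
    """SAML xs:dateTime values are UTC, e.g. 2024-01-15T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_idp_message_times(issue_instant, not_before, not_on_or_after, now,
                            max_clock_skew=DEFAULT_MAX_CLOCK_SKEW):
    """Return (accepted, reason) for one IdP message seen at local time `now`.

    Assumed rule, following the page's wording: the IdP's IssueInstant may
    differ from the local clock by at most the configured skew in either
    direction. NotBefore / NotOnOrAfter, when present, are widened by the
    same skew so that a slightly drifted clock does not reject a fresh
    assertion or accept a stale one by more than the tolerance."""
    if not is_valid_clock_skew_setting(max_clock_skew):
        raise ValueError(f"Maximum Clock Skew must be {MIN_SKEW}-{MAX_SKEW} seconds")
    skew = timedelta(seconds=max_clock_skew)
    issued = parse_saml_instant(issue_instant)
    drift = abs(now - issued)
    if drift > skew:
        return (False, f"IssueInstant differs from local time by "
                       f"{drift.total_seconds():.0f}s (> {max_clock_skew}s)")
    if not_before is not None and now < parse_saml_instant(not_before) - skew:
        return (False, "assertion not yet valid (NotBefore)")
    if not_on_or_after is not None and now >= parse_saml_instant(not_on_or_after) + skew:
        return (False, "assertion expired (NotOnOrAfter)")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed local clock and sample message timestamps.
    local_now = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    print(check_idp_message_times("2024-01-15T10:00:30Z", "2024-01-15T09:59:30Z",
                                  "2024-01-15T10:05:00Z", local_now))
    # IdP clock two minutes ahead: rejected at the 60 s default ...
    print(check_idp_message_times("2024-01-15T10:02:00Z", None, None, local_now))
    # ... accepted once the administrator raises the skew to 300 s.
    print(check_idp_message_times("2024-01-15T10:02:00Z", None, None, local_now,
                                  max_clock_skew=300))
```

The second and third calls show the trade-off behind the setting: raising Maximum Clock Skew makes a drifting IdP clock stop breaking logins, but it also lengthens the window in which a replayed or expired assertion is still accepted, so fixing the clock drift is preferable to raising the value.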