Seamless User Authentication with Refresh Tokens in Prisma Access Agent
Prisma Access Agent uses refresh tokens for efficient authentication to reduce login
frequency while maintaining security.
Where Can I Use This?
  Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  Prisma Access 5.1 Preferred or Innovation
  Prisma Access license with the Mobile User subscription
  Prisma Access Agent version: 25.1.0.14
  macOS 14 and later or Windows 10 version 2024 and later desktop devices
  Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
Prisma Access Agent uses refresh tokens to streamline authentication for users,
minimizing disruptions to their work. When a user's access token expires, the refresh
token automatically obtains a new one without requiring user intervention. This process
occurs in the background, ensuring uninterrupted access to cloud and on-premises
resources for mobile users and remote offices.
By default, the refresh token has a 7-day lifetime, enabling secure access without
frequent logins. Users receive a notification on their Prisma Access Agent app 60
minutes before token expiration.
Notification Process
The user is notified of the impending token expiration according to the Notify Before
Session Expires and Session Timeout Expiration Message settings in the Prisma Access
Agent app settings. If Notify Before Session Expires is set to 0, the agent defaults
to 60 minutes.
For example, 60 minutes before token expiration, the user will receive a notification
pop-up from their system tray. The following image is an example of the pop-up on a
macOS desktop device.
When they click on the pop-up, the Prisma Access Agent app opens showing the
notification bar at the bottom of the window. The user merely has to click on the
notification bar to start a new session.
If the user's identity provider (IdP) session is active, authentication with the
agent continues without user action. In the background, when the user clicks the
notification, the agent disconnects the tunnel, reauthenticates with the server,
gets a new gateway token, and reestablishes the tunnel.
If the IdP session has expired, the user must complete the SAML authentication flow to
renew it. A web browser opens and redirects the user to their organization's IdP login
page, where they authenticate with their organization.
After successful authentication, the user will be connected to the Prisma
Access Agent.
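The notification timing rule (a Notify Before Session Expires value of 0 means the 60-minute default) and the two renewal paths above, silent reauthentication when the IdP session is still live and a browser-based SAML login when it is not, as an added worked example. This is not Prisma Access Agent code: the module, the names `notify_before`, `Session`, `renew` and `simulate`, the path labels and the sample timestamps are assumptions chosen for illustration; only the 7-day refresh-token lifetime and the 60-minute default come from the page.

```python
"""Model of the refresh-token expiry notification and renewal flow described
on this page. Added illustration only: not Prisma Access Agent code. The
function/class names and sample timestamps are assumptions; the 7-day
lifetime and the 60-minute default are the values the page states."""
from dataclasses import dataclass
from datetime import datetime, timedelta

REFRESH_TOKEN_LIFETIME = timedelta(days=7)      # default lifetime stated on the page
DEFAULT_NOTIFY_BEFORE = timedelta(minutes=60)   # used when the setting is 0


def notify_before(configured_minutes: int) -> timedelta:
    """Interpret the 'Notify Before Session Expires' setting: 0 means 60 minutes."""
    if configured_minutes < 0:
        raise ValueError("Notify Before Session Expires must be 0 or a positive number of minutes")
    if configured_minutes == 0:
        return DEFAULT_NOTIFY_BEFORE
    return timedelta(minutes=configured_minutes)


@dataclass
class Session:
    """One agent session, keyed on when its refresh token was issued (assumed model)."""
    refresh_token_issued_at: datetime
    notify_before_minutes: int = 0   # 0 = agent default

    @property
    def refresh_token_expires_at(self) -> datetime:
        return self.refresh_token_issued_at + REFRESH_TOKEN_LIFETIME

    @property
    def notify_at(self) -> datetime:
        return self.refresh_token_expires_at - notify_before(self.notify_before_minutes)

    def state(self, now: datetime) -> str:
        """'active' until the notification window, 'expiring' inside it, 'expired' after."""
        if now >= self.refresh_token_expires_at:
            return "expired"
        if now >= self.notify_at:
            return "expiring"
        return "active"


def renew(session: Session, now: datetime, idp_session_active: bool) -> tuple[str, Session]:
    """What happens when the user clicks the expiry notification.

    With a live IdP session the agent drops the tunnel, reauthenticates, obtains
    a new gateway token and rebuilds the tunnel with no user action. Otherwise
    the user must first complete the SAML flow in a browser. Either path ends
    with a fresh refresh token issued at renewal time (assumed here)."""
    path = "silent-reauth" if idp_session_active else "saml-browser-login"
    return path, Session(now, session.notify_before_minutes)


def simulate(issued_at_iso: str, click_at_iso: str,
             notify_before_minutes: int, idp_session_active: bool) -> dict:
    """Run one session through notification and renewal on constructed timestamps."""
    session = Session(datetime.fromisoformat(issued_at_iso), notify_before_minutes)
    click_at = datetime.fromisoformat(click_at_iso)
    path, renewed = renew(session, click_at, idp_session_active)
    return {
        "expires_at": session.refresh_token_expires_at.isoformat(),
        "notify_at": session.notify_at.isoformat(),
        "state_1min_before_notify": session.state(session.notify_at - timedelta(minutes=1)),
        "state_at_notify": session.state(session.notify_at),
        "state_at_click": session.state(click_at),
        "state_at_expiry": session.state(session.refresh_token_expires_at),
        "path": path,
        "new_expires_at": renewed.refresh_token_expires_at.isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample: token issued 1 Jan 09:00 UTC, user clicks the pop-up
    # 45 minutes before expiry while the IdP session is still valid.
    for k, v in simulate("2025-01-01T09:00:00+00:00", "2025-01-08T08:15:00+00:00",
                         0, idp_session_active=True).items():
        print(f"{k}: {v}")
```

Because the state check is a pure function of the issued time, the configured setting and the clock, the same logic can be used to reason about when a fleet of agents will start prompting users after a mass re-enrollment.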