Prisma Access Browser
Certificate-Based Enforcement
Table of Contents
Certificate-Based Enforcement
Ensure that access to Certificate-enabled applications is only possible from the Prisma Access Browser
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
Microsoft Entra ID Certificate Enforcement
The Prisma Access Browser comes with a dedicated Public Key
Infrastructure (PKI) used for enforcement. Once enabled, each browser receives a
dedicated, unique client certificate issued by the PKI (each tenant has a unique
root CA used to sign the client certificates). Certificate enforcement ensures
that users can log in to the identity provider only when the dedicated root CA
signs the Provided Client Certificate.
Microsoft Entra ID Certificate based authentication (CBA)
allows administrators to configure Microsoft Entra ID to accept and require
authentication using a client certificate. This enforcement method utilizes the
CBA feature to ensure that access to an application is only possible using the
dedicated client certificate that comes with the browser.
This feature requires Microsoft Entra ID with
Licensing Allowing CBA.
- Obtain rhe Prisma Access Browser Root Certificate
- Go to the Prisma Access Management Console and select Administration > Integrations.
- Select and enable Google Workspace Integration.
- In the first section, click Prisma Access Certificate to download the unique tenant root certificate.
- Save the certificate to the Base-64 encoded (X.509) - .cer format.
- Windows - Select Open the certificate > details > copy to file and save it in the new format.
- macOS / Linux - Use OpenSSL.
Configure Policy to Send Certificate- Go to the Prisma Access Management Console and select Policy > Rules > Browser Customization.
- Create a rule that targets the relevant scope of Users.
- Enable the Custom Browser Preferences control and choose
Custom prefs. Enter the following:
{ "talon.chrome_enterprise_policies": { "AutoSelectCertificateForUrls": [ "{\"pattern\":\"https://[*.]certauth.login.microsoftonline.com\",\"filter\":{\"ISSUER\":{\"O\":\"Talon Endpoint Verification\"}}}" ] }}
- Save and apply the policy.
- Configure the CBA in the Entra IDThe following steps display the directions for a basic sample CBA configuration. The configuration required for each organization will be different. Refer to How to configure Microsoft Entra certificate-based authentication for help with configuring more complex scenarios.
- Upload the Prisma Access root CA.
- Log in to the Microsoft Entra Admin Center.
- Navigate to Protection > Security Center > Certificate authorities.
- Upload the Prisma Access root certificate, configured to be a root CA.
- Configure the CBA.
- Navigate to Protection > Authentication Methods > Policies.
- Open Certificate based authentication.
- Click Enable.
- Configure the User Groups that will be using Prisma Access with Certificate based enforcement.
- Click the Configure tab.
- Select multi-factor authentication with Low affinity.
- Add an authentication binding rule with the Prisma Access root CA.
- Add a user name binding rule using the RFC822Name certificate field and the CertificateUserIDs user attribute.
- Update the User Properties:This step will configure all relevant Prisma Access users with a property bound to the issued certificate. You can do this manually or automatically using the API/Powershell.
- Edit the user Properties > Identity > Authorization Info. Add the "Certificate user IDs" property with value: "X509:<RFC822>user-email" (For example "X509:<RFC822>user@example.com").
- Test the CBA Authentication.
- Login to an SSO application using a Prisma Access-CBA-enabled user.
- Select Certificate Based Authentication- authentication should succeed.
- Test this by signing in using another browser/authentication. The authentication should fail as the relevant client certificate is not available in the browser.
Configure the application.This configuration enables you to ensure that access to select secure applications will be available only from the `Prisma Access Browser using CBA with the Conditional Access Feature.- Create a custom Authentication Strength for the Prisma Access
certificate.
- Open the Microsoft Entra Admin Center.
- Navigate to Protection > Authentication methods > Authentication strengths.
- Create a new Authentication Strength.
- Select only Certificate-based authentication (Multifactor).
- Select advanced and choose the Prisma Access root CA to allow under this authentication strength.
- Create a Conditional Access Policy.
- Navigate to Applications > Enterprise applications > Conditional Access > Policies .
- Create a new Conditional Access Policy.
- In the Users section, select the Target Users.
- Under Target resources, select the target applications.
- Select Grant and Select requiring the authentication strength you created in the previous step.
This will ensure that authentication for the chosen applications will only be allowed from Prisma Access using CBA. Re-test the login to ensure that login is now possible only using Certificate-based authentication.Google Workspace Certification Enforcement
This feature ensures that access to applications integrated with Google Workspace is only possible using the Prisma Access Browser. Prisma Access comes with a dedicated Public Key Infrastructure (PKI) used for enforcement. Once enabled, each browser is provisioned with a dedicated, unique client certificate issued by the PKI (each tenant has a unique root CA used to sign the client certificates). Certificate enforcement ensures login to the identity provider is only allowed when the client certificate signed by the dedicated root CA is provided.You need to set up the following prerequisites before configuring this option:- Google Workspace Context-Aware Access feature, available for Enterprise or Education accounts, or with Cloud Identity Premium.
- Setting up SSO Authentication fto Prisma Access with Group.
- Obtain the Prisma Access Browser Access root Certificate
- Go to the Prisma Access Browser Management Console and select Administration > Integration.
- Select and Enable Google Workspace Integration.
- In the first section, click Prisma Access Certificate to download the unique tenant root certificate.
Add the Prisma Access Browser Certificate to Google Workspace- Go to Google Admin Console > Devices > Networks.
- Click on Certificates, then Add Certificate and upload the Prisma Access certificate.
- Check the Endpoint Verification option and click Add.
Add the Prisma Access Browser Certificate to Google Workspace- Go to Google Admin Console -> Security -> Access and data control -> Context-Aware Access.
- Make sure that Turn On is selected.
- Click Access levels, then select Create new access level.
- Enter a Name for the Access Level. We recommend that you call it Prisma Access Browsers.
- Click the Advanced tab and paste the text found at the
end of section 2 on the instructions on the page. The following
is sample
text.device.certificates.exists(cert,cert.is_valid && cert.root_ca_fingerprint =="3HiBH90JUEGvo6kwGJxbkfKeD7pQAcqTzQLbCGH+t0s")Assign the New Access Level to Apps
- Go to Google Admin Console -> Security -> Access and data control -> Context-Aware Access.
- Click Assign access levels.
- Select one or more apps from the list and click Assign.
- Check the newly-created Prisma Access Browsers access level (the name that you created in step 2, above).
Validation- Install the Prisma Access Browser.
- Wait while the new Google Workspace configuration occurs; this usually takes approximately 5 minutes.
- Perform a successful sign-in to an assigned app from Prisma Access Browser. Attempt to sign -in to the same application from a different browser. It shouldn't succeed.
- Upload the Prisma Access root CA.