This feature ensures that applications integrated with F5 Certificates
can be accessed only through the Prisma® Access Browser. Prisma Access
comes with a dedicated public key infrastructure (PKI) used for
enforcement. Once the feature is enabled, each browser is provisioned
with a dedicated, unique client certificate issued by the PKI (each
tenant has a unique root CA used to sign the client certificates).
Certificate enforcement ensures that login to the identity provider is
allowed only when a client certificate signed by the dedicated root CA
is provided.
The Prisma Access Browser solution uses mTLS, generating a unique
certificate for each user and browser. This certificate, signed by the
Prisma Access Browser certificate authority, is stored directly in the
user's browser.
When a user connects to the F5 gateway from an external location,
the F5 initiates mTLS authentication by requesting the user's certificate and
verifying it against the Prisma Access Browser certificate
authority.
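
The trust decision described above can be reproduced with the OpenSSL CLI. This is an added example, not Prisma Access or F5 configuration: the CA and client names are constructed, and `openssl verify` stands in for the gateway's check that a presented client certificate chains to the tenant's root CA.

```shell
#!/bin/sh
# Added example. All names (tenant-root, other-root, browser-1, browser-x)
# are constructed; the openssl CLI stands in for the gateway's check.
set -eu

# make_ca <dir> <name>: create a self-signed root CA (key + certificate).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_client <dir> <ca-name> <client-name>: issue a client certificate
# signed by the named CA, as the PKI does for each user and browser.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# gateway_accepts <trusted-root.crt> <client.crt>: succeed only when the
# client certificate chains to the one root the gateway trusts.
gateway_accepts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

d=$(mktemp -d)
make_ca "$d" tenant-root          # the tenant's dedicated root CA
make_ca "$d" other-root           # any CA the gateway does not trust
issue_client "$d" tenant-root browser-1
issue_client "$d" other-root browser-x

for c in browser-1 browser-x; do
  if gateway_accepts "$d/tenant-root.crt" "$d/$c.crt"; then
    echo "$c: accepted"
  else
    echo "$c: rejected"
  fi
done
```

Because each tenant has its own root CA, a certificate that is valid under any other CA fails this check, which is what restricts access to browsers provisioned by that tenant's PKI.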