Prisma Access
Authorize User Group Mapping in Cloud Identity Engine for Dynamic Privilege Access
Before you begin, make sure that you have completed the following prerequisites.

This workflow uses Azure as the IdP. You can also use Okta as your IdP.

1. From Strata Cloud Manager, open the Cloud Identity Engine app associated with your tenant.
2. Add an Azure directory or an Okta directory as the IdP for mobile users.
3. Download the SP metadata from the Cloud Identity Engine app.
   a. Go to Authentication > Authentication Types > Add New Authentication Type.
   b. Set Up a SAML 2.0 authentication type and select Dynamic service provider metadata.
   c. Download SP Metadata.
4. Log in to the Azure Portal and select Azure Active Directory. Make sure you complete all the necessary steps in the Azure portal. If you have more than one directory, use Switch directory to select the directory you want to use with the Cloud Identity Engine.
   a. Select Enterprise applications and click New application.
   b. Search for Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service and create the Azure Active Directory (AD) single sign-on integration. Customize the app name if required while creating the application.
   c. After the application loads, select Users and groups, then Add user/group to Assign them to this application. Select the users and groups that should authenticate through the Azure IdP in the Cloud Identity Engine. Be sure to assign the account you're using so you can test the configuration when it's complete. You may need to refresh the page after adding accounts before the test succeeds.
   d. Select Set up single sign-on, then select SAML.
   e. Select Upload Metadata File, browse to the metadata file that you downloaded from the Cloud Identity Engine app in step 3.c, and click Add.
   f. After the metadata uploads, enter your regional endpoint as the Sign-on URL in the format https://<RegionUrl>.paloaltonetworks.com/sp/acs, where <RegionUrl> is your regional endpoint. Alternatively, copy the Reply URL into the Sign-on URL.
   g. Save your configuration.
5. Configure a conditional access policy to enforce MFA for the selected user groups.
   a. Go to your application's Overview > Conditional Access > Create a policy.
   b. Add a New Policy.
   c. Enter a name for the policy.
   d. In the Users section, under Include, choose Select users and groups and add your project groups.
   e. Verify the Target resources.
   f. Select the Conditions that trigger the policy.
   g. Under Access Controls, set Grant to Grant access with Require multifactor authentication.
   h. Enable the policy by toggling the selector to On, and Create the conditional access policy.
6. Add your IdP vendor as an authentication type.
   a. In Azure, select Single sign-on > SAML Certificates and copy the App Federation Metadata URL.
   b. In the Cloud Identity Engine app, select Authentication > Authentication Types > Add New Authentication Type.
   c. Set Up a SAML 2.0 authentication type.
   d. Under Configure your Identity Provider Profile, enter a Profile Name.
   e. Select Azure as your IDP Vendor.
   f. Enable Multi-factor Authentication is Enabled on the Identity Provider.
   g. Test SAML Setup to verify the profile configuration.
   h. Select the SAML attributes you want Prisma Access to use for authentication.
   i. Enable Dynamic Privilege Access. Make sure the directory you added in step 2 and the SAML app are synced.
   j. Submit the IdP profile.
7. Add the authentication profile from Cloud Identity Engine to Prisma Access.
   a. In Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access > Identity Services > Authentication > Authentication Profiles. Set the configuration scope to the Access Agent mobile users container.
   b. Add Profile.
   c. Select Cloud Identity Engine as your Authentication Method.
   d. Enter a Profile Name.
   e. Select the Profile you added in the Cloud Identity Engine app in step 6.
   f. Save the changes.
8. Attach the authentication to mobile users.
   a. Launch Prisma Access from Strata Cloud Manager.
   b. Select Manage > Configuration > NGFW and Prisma Access.
   c. Set the scope to the project snippet you created, and go to Security Services > Security Policy.
   d. Create a security policy rule that allows traffic only from that project's DHCP range and only for the project-based user group.
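The following is an added example, not code from Palo Alto Networks or from this page. It shows the three pieces of data this workflow wires together and the checks a practitioner would run on them before trusting the setup: the AssertionConsumerService URL advertised in the downloaded SP metadata (which the Sign-on URL entered in Azure must match and must have the https://<RegionUrl>.paloaltonetworks.com/sp/acs shape), the NameID and attribute values carried in a SAML assertion (the raw material for the user-to-group mapping), and the "project DHCP range AND project group" rule of the final security policy. The SP metadata, the assertion, the region name, the attribute name and the group names are all constructed sample data and assumptions, not values taken from the product.

```python
"""Added example: sanity checks for the SAML data behind this workflow.

acs_endpoints()        - ACS URLs from SP metadata (what Azure must post to)
sign_on_url_ok()       - Sign-on URL has the documented shape and matches metadata
saml_attributes()      - NameID and attribute values from an assertion
project_policy_allows() - the project rule: source in DHCP range AND in group

All XML and names below are constructed/assumed for illustration.
"""
from __future__ import annotations

import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata shaped like a "Download SP Metadata" file;
# "example-region" is an assumed region name.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-region.paloaltonetworks.com/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-region.paloaltonetworks.com/sp/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, unsigned, truncated assertion. The groups claim name is the one
# Azure AD commonly emits; the user and group values are invented.
GROUPS_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
SAML_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{GROUPS_ATTR}">
      <saml:AttributeValue>project-alpha</saml:AttributeValue>
      <saml:AttributeValue>all-staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def acs_endpoints(metadata_xml: str) -> list[str]:
    """Return every AssertionConsumerService Location in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [acs.get("Location") for acs in root.iterfind(".//md:AssertionConsumerService", NS)]


def sign_on_url_ok(sign_on_url: str, metadata_xml: str) -> bool:
    """True only if the URL is https://<RegionUrl>.paloaltonetworks.com/sp/acs
    and is one of the ACS endpoints the SP metadata actually advertises."""
    u = urlparse(sign_on_url)
    well_formed = (
        u.scheme == "https"
        and u.hostname is not None
        and u.hostname.endswith(".paloaltonetworks.com")  # dot prevents look-alike hosts
        and u.path == "/sp/acs"
        and not u.query and not u.fragment
    )
    return well_formed and sign_on_url in acs_endpoints(metadata_xml)


def saml_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Map NameID and each Attribute Name to its list of values.
    Parsing only: signature validation is the SP's job and is not done here."""
    root = ET.fromstring(assertion_xml)
    out: dict[str, list[str]] = {}
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None:
        out["NameID"] = [name_id.text]
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return out


def project_policy_allows(src_ip: str, groups: list[str],
                          project_dhcp_range: str, project_group: str) -> bool:
    """The step-8 rule: allow only when the source is inside the project's
    DHCP range AND the user is in the project group; everything else is denied."""
    in_range = ipaddress.ip_address(src_ip) in ipaddress.ip_network(project_dhcp_range)
    return in_range and project_group in groups


if __name__ == "__main__":
    print(acs_endpoints(SP_METADATA))
    print(sign_on_url_ok("https://example-region.paloaltonetworks.com/sp/acs", SP_METADATA))
    attrs = saml_attributes(SAML_ASSERTION)
    print(attrs)
    print(project_policy_allows("10.20.5.7", attrs[GROUPS_ATTR], "10.20.0.0/16", "project-alpha"))
```

To use this against a real deployment, feed `sign_on_url_ok` the metadata file from step 3.c and the Sign-on URL you typed in step 4.f; a mismatch there is the usual cause of a failed Test SAML Setup. `saml_attributes` only parses; never treat an assertion's groups as trustworthy until the Cloud Identity Engine has verified the IdP signature, which is why the group mapping is authorized there rather than on the client side.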