Authorize User Group Mapping in Cloud Identity Engine for Dynamic Privilege Access
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Minimum Required Prisma Access Version: 5.1
  • Role: Superuser
Before you begin, make sure that you have completed the following prerequisites:
  • Contact your Palo Alto Networks account representative to activate the Dynamic Privilege Access functionality.
  • Activate the Cloud Identity Engine and create your first tenant.
  • Set up the Cloud Identity Engine.
In this workflow, we have used Azure as the IdP. You can also use Okta as your IdP.
  1. From Strata Cloud Manager, open the Cloud Identity Engine app associated with your tenant.
  2. Add an Azure directory or an Okta directory as the IdP for mobile users.
  3. Download the SP metadata from the Cloud Identity Engine app and create the Azure SAML application.
    a. Go to Authentication > Authentication Types > Add New Authentication Type.
    b. Set Up a SAML 2.0 authentication type and select Dynamic service provider metadata.
    c. Download SP Metadata.
    d. Log in to the Azure Portal and select Azure Active Directory (now named Microsoft Entra ID). Make sure you complete all the necessary steps in the Azure portal. If you have more than one directory, Switch directory to select the directory you want to use with the Cloud Identity Engine.
    e. Select Enterprise applications and click New application.
    f. Search for Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service and create the Azure Active Directory (AD) single sign-on integration. Customize the app name if required while creating the application.
    g. After the application loads, select Users and groups, then Add user/group to Assign them to this application. Select the users and groups that should authenticate through the Azure IdP in the Cloud Identity Engine. Be sure to assign the account you're using so you can test the configuration when it's complete. You may need to refresh the page after adding accounts for the test to succeed.
    h. Set up single sign-on, then select SAML.
    i. Upload Metadata File: browse to the metadata file that you downloaded from the Cloud Identity Engine app in step 3.c and click Add.
    j. After the metadata uploads, enter your regional endpoint as the Sign-on URL in the format https://<RegionUrl>.paloaltonetworks.com/sp/acs (where <RegionUrl> is your regional endpoint). Alternatively, copy the Reply URL into the Sign-on URL field.
    k. Save your configuration.
  4. Configure a conditional access policy that requires MFA for the selected user groups.
    a. Go to your application's Overview > Conditional Access > Create a policy.
    b. Add a New Policy.
    c. Enter a name for the policy.
    d. In the Users section, choose Select users and groups and include the project groups that require MFA.
    e. Verify the Target resources.
    f. Select the Conditions that trigger the policy.
    g. Under Access Controls, Grant access using Require multifactor authentication.
    h. Enable the policy by toggling the selector to On, and Create the conditional access policy. A policy left in Report-only mode logs what would have happened but does not enforce MFA.
  5. Add your IdP vendor as an authentication type.
    a. In the Azure application, select Single sign-on > SAML Certificates and copy the App Federation Metadata URL.
    b. In the Cloud Identity Engine app, select Authentication > Authentication Types > Add New Authentication Type.
    c. Set Up a SAML 2.0 authentication type.
    d. Under Configure your Identity Provider Profile, enter a Profile Name.
    e. Select Azure as your IDP Vendor.
    f. Select Get URL, paste the URL from step 5.a, and click Get URL to retrieve the metadata.
    g. Enable Multi-factor Authentication is Enabled on the Identity Provider. This setting tells Prisma Access that the IdP enforces MFA for this profile, so enable it only for the SAML app whose conditional access policy from step 4 actually requires MFA.
    h. Test SAML Setup to verify the profile configuration.
    i. Select the SAML attributes you want Prisma Access to use for authentication.
    j. Enable Dynamic Privilege Access. Make sure the directory you added in step 2 and the SAML app are synced.
    k. Submit the IdP profile.
  6. Repeat steps 3 to 5 to configure a separate SAML app and IdP profile for the user groups that don't require MFA. Don't enable the option in step 5.g for those groups.
  7. Add an authentication profile for the MFA user groups and another for the non-MFA user groups.
    a. Select Authentication > Authentication Profiles > Add Authentication Profile.
    b. Enter a PROFILE NAME.
    c. Select an Authentication Mode.
    d. Select the Authentication Type from step 5 or step 6, depending on whether the user groups require MFA, and Submit.
  8. Add the authentication profile from the Cloud Identity Engine to Prisma Access.
    a. In Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access > Identity Services > Authentication > Authentication Profiles. Make sure the configuration scope is set to the Access Agent mobile users container.
    b. Add Profile.
    c. Select Cloud Identity Engine as your Authentication Method.
    d. Enter a Profile Name.
    e. Select the Profile you added in the Cloud Identity Engine app in step 7.
    f. Save the changes.
  9. Attach the authentication profile to mobile users and restrict each project's traffic.
    a. Launch Prisma Access from Strata Cloud Manager.
    b. Select Manage > Configuration > NGFW and Prisma Access.
    c. Set the scope to the project snippet you created, and navigate to Security Services > Security Policy.
    d. Create a security policy rule that allows traffic only from that project's DHCP range and the project-based user group.
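Before uploading the SP metadata to Azure (step 3) and before pointing the Cloud Identity Engine at the App Federation Metadata URL (step 5), it is worth checking both documents for the things that actually matter in the exchange: that the ACS endpoint has the regional-endpoint shape from step 3.j, that the SP asks for signed assertions, and that the IdP side carries a signing certificate and an HTTPS SSO endpoint. The script below is an added example, not Palo Alto Networks or Microsoft code, and uses only the Python standard library. The two metadata documents it parses are constructed for illustration: the region host "cie-example", the all-zero tenant ID and the certificate text are placeholders, not real values.

```python
"""Sanity-check SAML metadata before exchanging it between the Cloud Identity
Engine (SP) and Azure AD (IdP), as in steps 3 and 5 above.

Added example, not Palo Alto Networks or Microsoft code. Standard library only.
Both metadata documents below are constructed for illustration: the region
host "cie-example", the all-zero tenant ID and the certificate text are
placeholders, not real values.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Expected shape of the Cloud Identity Engine ACS endpoint from step 3.j:
# https://<RegionUrl>.paloaltonetworks.com/sp/acs
ACS_PATTERN = re.compile(r"^https://[a-z0-9][a-z0-9.-]*\.paloaltonetworks\.com/sp/acs$")

# Constructed stand-in for the SP metadata downloaded in step 3.c.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cie-example.paloaltonetworks.com/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cie-example.paloaltonetworks.com/sp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for the federation metadata fetched from the
# App Federation Metadata URL in step 5.f (placeholder certificate body).
IDP_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_metadata(xml_text: str) -> dict:
    """Pull out the fields that matter for the CIE <-> Azure exchange."""
    root = ET.fromstring(xml_text)
    sp = root.find(f".//{MD}SPSSODescriptor")
    certs = []
    for el in root.iter(f"{DS}X509Certificate"):
        der = base64.b64decode("".join(el.text.split()))
        certs.append(hashlib.sha256(der).hexdigest())  # fingerprint to compare against the portal
    return {
        "role": "sp" if sp is not None else "idp",
        "entity_id": root.get("entityID"),
        "want_signed": sp.get("WantAssertionsSigned") == "true" if sp is not None else None,
        "acs": [e.get("Location") for e in root.iter(f"{MD}AssertionConsumerService")],
        "sso": [e.get("Location") for e in root.iter(f"{MD}SingleSignOnService")],
        "signing_cert_sha256": certs,
    }


def check_sp_metadata(info: dict) -> list:
    """Problems with the SP (Cloud Identity Engine) side; an empty list means OK."""
    problems = []
    if info["role"] != "sp":
        problems.append("not SP metadata")
    if not info["acs"]:
        problems.append("no AssertionConsumerService endpoint")
    for url in info["acs"]:
        if not ACS_PATTERN.match(url):
            problems.append(f"ACS URL does not match the regional endpoint format: {url}")
    if info["want_signed"] is not True:
        problems.append("WantAssertionsSigned is not true; the IdP is not told to sign assertions")
    return problems


def check_idp_metadata(info: dict) -> list:
    """Problems with the IdP (Azure) side; an empty list means OK."""
    problems = []
    if info["role"] != "idp":
        problems.append("not IdP metadata")
    if not info["signing_cert_sha256"]:
        problems.append("no signing certificate; assertion signatures cannot be verified")
    if not any(u.startswith("https://") for u in info["sso"]):
        problems.append("no HTTPS SingleSignOnService endpoint")
    return problems


if __name__ == "__main__":
    for name, doc in (("SP", SP_METADATA), ("IdP", IDP_METADATA)):
        info = parse_metadata(doc)
        check = check_sp_metadata if info["role"] == "sp" else check_idp_metadata
        print(name, info["entity_id"], check(info) or "OK")
```

Run it against the real files by replacing the two constants with the downloaded SP metadata and the fetched federation metadata; the certificate fingerprint it prints is the value to compare with the thumbprint shown under SAML Certificates in the Azure application.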

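The option enabled in step 5.g only asserts that the IdP performed MFA; nothing on the Prisma Access side verifies that the conditional access policy from step 4 is enabled, scoped to the right group and application, and not satisfiable by a non-MFA control. The following function, an added example and not Palo Alto Networks or Microsoft code, checks exactly that over a list of policy objects in the Microsoft Graph conditionalAccessPolicy shape. The policies it runs on are constructed inline with placeholder GUIDs; in practice you would pass it the "value" array returned by GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies (which assumes a caller holding the Policy.Read.All permission).

```python
"""Check that an Azure AD conditional access policy really enforces MFA for
the user group behind a Cloud Identity Engine SAML profile (steps 4 to 6
above) before enabling "Multi-factor Authentication is Enabled on the
Identity Provider" in step 5.g.

Added example, not Palo Alto Networks or Microsoft code. The policies below
follow the Microsoft Graph conditionalAccessPolicy shape but are constructed
here with placeholder GUIDs.
"""

MFA_GROUP = "11111111-1111-1111-1111-111111111111"      # project group that requires MFA
NO_MFA_GROUP = "22222222-2222-2222-2222-222222222222"   # project group that does not
CIE_MFA_APP = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"    # enterprise app from step 3 (MFA profile)
CIE_NO_MFA_APP = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb" # enterprise app from step 6

# Constructed sample policies (Graph conditionalAccessPolicy shape).
POLICIES = [
    {   # what step 4 produces: enabled, scoped to the MFA group and the MFA app
        "displayName": "CIE MFA app - require MFA",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "includeGroups": [MFA_GROUP], "excludeGroups": []},
            "applications": {"includeApplications": [CIE_MFA_APP], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": None},
    },
    {   # report-only: logs what would happen but never prompts for MFA
        "displayName": "Pilot MFA (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": [], "includeGroups": [NO_MFA_GROUP], "excludeGroups": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": None},
    },
    {   # "mfa OR compliantDevice": a compliant device satisfies it without MFA
        "displayName": "MFA or compliant device",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "includeGroups": [], "excludeGroups": [MFA_GROUP]},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"],
                          "authenticationStrength": None},
    },
]


def _in_scope(policy: dict, group_id: str, app_id: str) -> bool:
    """True if the policy applies to this group on this application, unconditionally."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    user_hit = "All" in (users.get("includeUsers") or []) or group_id in (users.get("includeGroups") or [])
    app_hit = "All" in (apps.get("includeApplications") or []) or app_id in (apps.get("includeApplications") or [])
    excluded = group_id in (users.get("excludeGroups") or []) or app_id in (apps.get("excludeApplications") or [])
    # Location or platform scoping makes enforcement conditional; treat it as not guaranteed.
    scoped = bool(cond.get("locations") or cond.get("platforms"))
    return user_hit and app_hit and not excluded and not scoped


def _requires_mfa(grant: dict) -> bool:
    """True only if every path through the grant controls involves MFA."""
    if not grant:
        return False
    controls = grant.get("builtInControls") or []
    # An authentication strength requires an MFA-satisfying method combination.
    has_mfa = "mfa" in controls or grant.get("authenticationStrength") is not None
    others = [c for c in controls if c != "mfa"]
    # "Require one of the selected controls" lets a non-MFA control satisfy the policy.
    if grant.get("operator") == "OR" and others:
        return False
    return has_mfa


def mfa_enforced(policies: list, group_id: str, app_id: str) -> tuple:
    """Return (enforced, names of enabled policies that unconditionally require MFA)."""
    hits = [
        p["displayName"] for p in policies
        if p.get("state") == "enabled"
        and _in_scope(p, group_id, app_id)
        and _requires_mfa(p.get("grantControls"))
    ]
    return bool(hits), hits


if __name__ == "__main__":
    for group, app in ((MFA_GROUP, CIE_MFA_APP), (NO_MFA_GROUP, CIE_NO_MFA_APP)):
        ok, names = mfa_enforced(POLICIES, group, app)
        print(f"group {group[:8]} on app {app[:8]}: MFA enforced={ok} via {names}")
```

Enable the step 5.g option only for the profile whose group and application come back with enforced=True; the non-MFA profile from step 6 should come back False, otherwise the two profiles are not actually distinguishing anything.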