Authentication Support and Features

If your users access services and applications that are external to your network, you can use SAML to integrate Prisma Access with an identity provider (IdP) that controls access to both external and internal services and applications. SAML single sign-on (SSO) enables one login to access multiple applications, and is helpful in environments where each user accesses many applications and authenticating for each one would impede user productivity. In this case, SAML single sign-on (SSO) enables one login to access multiple applications. Likewise, SAML single logout (SLO) enables a user to end sessions for multiple applications by logging out of just one session. SSO works for mobile users who access applications through the GlobalProtect app or users at remote networks that access applications through the Authentication Portal. SLO is available to GlobalProtect app users.

Terminal Access Controller Access-Control System Plus (TACACS+) is a family of protocols that enable authentication and authorization through a centralized server. TACACS+ encrypts usernames and passwords, making it more secure than RADIUS, which encrypts only passwords. TACACS+ is also more reliable because it uses TCP, whereas RADIUS uses UDP.

Remote Authentication Dial-In User Service (RADIUS) is a broadly supported networking protocol that provides centralized authentication and authorization. You can also add a RADIUS server to Prisma Access to implement multi-factor authentication.

Lightweight Directory Access Protocol (LDAP) is a standard protocol for accessing information directories. You can use LDAP to authenticate users who access applications or services through Authentication Portal.

Kerberos is an authentication protocol that enables a secure exchange of information between parties using unique keys (called tickets) to identify the parties. With Kerberos, you can authenticate users who access applications through the Authentication Portal. With Kerberos SSO enabled, the user needs to log in only for initial access to your network (such as logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network without having to log in again until the SSO session expires.

To use Kerberos, you first need a a Kerberos account for Prisma Access that will authenticate users. An account is required to create a Kerberos keytab, which is a file that contains the principal name and hashed password of the firewall or Panorama. The SSO process requires the keytab.

Kerberos SSO is available only for services and applications that are internal to your Kerberos environment. To enable SSO for external services and applications, use SAML.

Muti-factor authentication (MFA) gives you a way to implement multiple authentication challenges of different types (these are called factors) to protect your most sensitive services and applications. For example, you might want stronger authentication for key financial documents than for search engines.

Prisma Access has a built-in list of supported MFA vendors, that’s automatically updated as new vendors are added: