Prisma Access
Cloud Identity Engine Authentication for Explicit Proxy Deployments
Use the Cloud Identity Engine to provide both user identification and user authentication for mobile users in a Prisma Access—Explicit Proxy deployment.

The Cloud Identity Engine provides user identification and user authentication as a centralized cloud-based solution for on-premises, cloud-based, or hybrid network environments. It allows you to write security policy based on users and groups and helps secure your networks by enforcing behavior-based security actions.

Continually syncing the information from your directories, whether they are on-premises, cloud-based, or hybrid, ensures that your user information is accurate and up to date, and that policy enforcement continues based on the existing mappings even if the cloud identity provider is temporarily unavailable.
Cloud Management
Use the Cloud Authentication (CAS) component of the Cloud Identity Engine to authenticate Prisma Access mobile users in a Mobile Users—Explicit Proxy deployment. The Cloud Identity Engine provides both user identification and user authentication for mobile users in a Prisma Access—Explicit Proxy deployment. The Cloud Identity Engine integrates with the Explicit Proxy Authentication Cache Service (ACS) and uses SAML identity providers (IdPs) to provide authentication for Explicit Proxy mobile users. To configure authentication for a Mobile Users—Explicit Proxy deployment using the Cloud Identity Engine, complete the following steps.
- In Prisma Access (Cloud Management), set up Explicit Proxy for your tenant. Before you configure Explicit Proxy, be aware of how explicit proxy works and the guidelines to use when you configure it. If you have multiple tenants, configure Explicit Proxy for each of your tenants that require it.
- Log in to the hub and, from the Cloud Identity Engine app, set up an authentication type and authentication provider. You can view apps in the hub by tenant or by support account.
- Configure a SAML authentication type in the Cloud Identity Engine. The Cloud Identity Engine Getting Started guide has the procedures you need to configure a SAML IdP in the Cloud Identity Engine. Do not configure single logout; it is not supported.
- Set up an authentication profile in the Cloud Identity Engine and select the users and groups that can use this authentication method. You specify this profile when you create an authentication profile in Prisma Access (Cloud Management) in a later step.
- Return to Prisma Access (Cloud Management) and create an authentication profile to use with the Cloud Authentication Engine.
  - Go to Manage > Configuration > Identity Services > Authentication > Explicit Proxy, set the configuration scope, and add an authentication profile (Add Profile). If you're using Strata Cloud Manager, go to Manage > Configuration, set the configuration scope to NGFW and Prisma Access, then go to Identity Services > Authentication > Explicit Proxy and add an authentication profile (Add Profile).
  - Select an Authentication Method of Cloud Identity Engine.
  - Give the profile a Profile Name.
  - Select the Cloud Identity Engine Authentication Profile you created in a previous step.
  - Save your changes.
- Set up user authentication in Explicit Proxy.
  - Go to Manage > Service Setup > Explicit Proxy and select Set Up User Authentication. If you're using Strata Cloud Manager, go to Workflows > Prisma Access Setup > Explicit Proxy and select Set Up User Authentication.
  - Select an Authentication Method of SAML/CIE.
  - Select the authentication profile you created in Cloud Managed Prisma Access.
  - Specify a Cookie Lifetime for the cookie that stores the users' authentication credentials. After the IdP authenticates the user, Prisma Access stores the authentication state of the user in the Authentication Cache Service (ACS). The validity period of the authentication is based on the Cookie Lifetime value you specify here. To prevent issues with users not being able to download large files before the cookie lifetime expires, or the cookie expiring when users are accessing a single website for a long period of time, Palo Alto Networks recommends that you configure a Cookie Lifetime of at least one day. If Explicit Proxy users have a cookie lifetime expiration issue, they can browse to a different website to re-authenticate to ACS and refresh the ACS cookie.
  - Save your changes.
- Verify that the Cloud Identity Engine is successfully authenticating your Explicit Proxy mobile users.
  - From Prisma Access (Cloud Management), select Activity > Log Viewer > Firewall/Authentication. If you're using Strata Cloud Manager, go to Incidents & Alerts > Log Viewer > Firewall/Authentication.
  - View the Auth Event status. If the authentication fails, view the Authentication Description for more details about the failure.
  - From the mobile user's endpoint, use the browser's developer tools to view the Cloud Identity Engine authentication flow.
Panorama

Use the Cloud Authentication (CAS) component of the Cloud Identity Engine to authenticate Prisma Access mobile users in a Mobile Users—Explicit Proxy deployment.