Cloud Identity Engine Authentication for Explicit Proxy Deployments

Where Can I Use This?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
What Do I Need?
  • Prisma Access license
Use Cloud Identity Engine to provide both user identification and user authentication for mobile users in a Prisma Access—Explicit Proxy deployment.
The Cloud Identity Engine provides user identification and user authentication for a centralized cloud-based solution in on-premise, cloud-based, or hybrid network environments. The Cloud Identity Engine allows you to write security policy based on users and groups and helps secure your networks by enforcing behavior-based security actions.
Continually syncing the information from your directories, whether they are on-premise, cloud-based, or hybrid, ensures that your user information is accurate and up to date, and that policy enforcement continues based on the existing mappings even if the cloud identity provider is temporarily unavailable.

Cloud Management

Use the Cloud Authentication (CAS) component of the Cloud Identity Engine to authenticate Prisma Access mobile users in a Mobile Users—Explicit Proxy deployment.
The Cloud Identity Engine provides both user identification and user authentication for mobile users in a Prisma Access—Explicit Proxy deployment. The Cloud Identity Engine integrates with the Explicit Proxy Authentication Cache Service (ACS) and uses SAML identity providers (IdPs) to provide authentication for Explicit Proxy mobile users.
To configure authentication for a Mobile Users—Explicit Proxy deployment using the Cloud Identity Engine, complete the following steps.
  1. In Prisma Access (Cloud Management), set up Explicit Proxy for your tenant.
    Before you configure Explicit Proxy, be aware of how explicit proxy works and the guidelines to use when you configure it.
    If you have multiple tenants, configure Explicit Proxy for each of your tenants that require it.
  2. Log in to the hub and, from the Cloud Identity Engine app, set up an authentication type and authentication provider.
    You can view apps in the hub by tenant or by support account.
    1. Set up an authentication profile in the Cloud Identity Engine and select the users and groups that can use this authentication method.
      You specify this profile when you create an authentication profile in Prisma Access (Cloud Management) in a later step.
  3. Return to Prisma Access (Cloud Management) and create an authentication profile to use with the Cloud Authentication Engine.
    1. Go to Manage > Configuration > Identity Services > Authentication, set the scope to Explicit Proxy, and add an authentication profile (Add Profile).
      If you're using Strata Cloud Manager, go to Manage > Configuration > NGFW and Prisma Access > Identity Services > Authentication. Set the configuration scope to Explicit Proxy, and add an authentication profile (Add Profile).
    2. Select an Authentication Method of Cloud Identity Engine.
    3. Give the profile a Profile Name.
    4. Select the Cloud Identity Engine Authentication Profile you created in a previous step.
    5. Save your changes.
  4. Set up user authentication in Explicit Proxy.
    1. Go to Manage > Service Setup > Explicit Proxy and Set Up User Authentication.
      If you're using Strata Cloud Manager, go to Workflows > Prisma Access Setup > Explicit Proxy and Set Up User Authentication.
    2. Select an Authentication Method of SAML/CIE.
    3. Select the authentication profile you created in Cloud Managed Prisma Access.
    4. Specify a Cookie Lifetime for the cookie that stores the users' authentication credentials.
      After the IdP authenticates the user, Prisma Access stores the authentication state of the user in the Authentication Cache Service (ACS). The validity period of the authentication is based on the Cookie Lifetime value you specify here.
      To prevent issues with users not being able to download large files before the cookie lifetime expires, or the cookie expiring when users are accessing a single website for a long period of time, Palo Alto Networks recommends that you configure a Cookie Lifetime of at least one day. If Explicit Proxy users have a cookie lifetime expiration issue, they can browse to a different website to re-authenticate to ACS and refresh the ACS cookie.
    5. Save your changes.
  5. Verify that the Cloud Identity Engine is successfully authenticating your Explicit Proxy mobile users.
    1. From Prisma Access (Cloud Management), select Activity > Log Viewer > Firewall/Authentication.
      If you're using Strata Cloud Manager, go to Incidents & Alerts > Log Viewer > Firewall/Authentication.
    2. View the Auth Event status.
      If the authentication fails, view the Authentication Description for more details about the failure.
    3. From the mobile user's endpoint, use dev tools to view the Cloud Identity Engine authentication flow.

Panorama

Use the Cloud Authentication (CAS) component of the Cloud Identity Engine to authenticate Prisma Access mobile users in a Mobile Users—Explicit Proxy deployment.
