>
    Cloud Identity Engine Authentication for Explicit Proxy Deployments
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access Mobile Users
    5. Mobile Users: Explicit Proxy
    6. Cloud Identity Engine Authentication for Explicit Proxy Deployments
    Download PDF
    Prisma Access

    Cloud Identity Engine Authentication for Explicit Proxy Deployments

    Table of Contents

    Cloud Identity Engine Authentication for Explicit Proxy Deployments

    Here's how you use Cloud Identity Engine with Prisma Access Explicit Proxy.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • Prisma Access license
    Use Cloud Identity Engine to provide both user identification and user authentication for mobile users in a Prisma Access—Explicit Proxy deployment.
    The Cloud Identity Engine provides user identification and user authentication for a centralized cloud-based solution in on-premise, cloud-based, or hybrid network environments. The Cloud Identity Engine allows you to write security policy based on users and groups and helps secure your networks by enforcing behavior-based security actions.
    By continually syncing the information from your directories, whether they are on-premises, cloud-based, or hybrid, ensures that your user information is accurate and up to date and policy enforcement continues based on the mappings even if the cloud identity provider is temporarily unavailable.

    Cloud Identity Engine Authentication for Explicit Proxy Deployments (Strata Cloud Manager)

    Use the Cloud Authentication (CAS) component of the Cloud Identity Engine to authenticate Prisma Access mobile users in a Mobile Users—Explicit Proxy deployment.
    The Cloud Identity Engine provides both user identification and user authentication for mobile users in a Prisma Access—Explicit Proxy deployment. The Cloud Identity Engine integrates with the Explicit Proxy Authentication Cache Service (ACS) and uses SAML identity providers (IdPs) to provide authentication for Explicit Proxy mobile users.
    To configure authentication for a Mobile Users—Explicit Proxy deployment using the Cloud Identity Engine, complete the following steps.
    1. In Prisma Access (Managed by Strata Cloud Manager), set up Explicit Proxy for your tenant.
      Before you configure Explicit Proxy, be aware of how explicit proxy works and the guidelines to use when you configure it.
      If you have multiple tenants, configure Explicit Proxy for each of your tenants that require it.
    2. Log in to the hub and, from the Cloud Identity Engine app, set up an authentication type and authentication provider.
      You can view apps in the hub by tenant or by support account.
      1. Configure a SAML authentication type in the Cloud Identity Engine.
        The Cloud Identity Engine Getting Started guide has the procedures you need to configure a SAML IdP in the Cloud Identity Engine:
        Do not configure single logout, it is not supported.
      2. Set up an authentication profile in the Cloud Identity Engine and select the users and groups that can use this authentication method.
        You specify this profile when you create an authentication profile in Prisma Access (Managed by Strata Cloud Manager) in a later step.
    3. Return to Prisma Access (Managed by Strata Cloud Manager) and create an authentication profile to use with the Cloud Authentication Engine.
      1. Go to ManageConfigurationNGFW and Prisma AccessIdentity ServicesAuthentication, and set the scope to Explicit Proxy, and add an authentication profile (Add Profile).
      2. Select an Authentication Method of Cloud Identity Engine.
      3. Give the profile a Profile Name.
      4. Select the Cloud Identity Engine Authentication Profile you created in a previous step.
      5. Save your changes.
    4. Set up user authentication in Explicit Proxy.
      1. Go to WorkflowsPrisma Access SetupExplicit Proxy and Set Up User Authentication.
      2. Select an Authentication Method of SAML/CIE.
      3. Select the authentication profile you created in Cloud Managed Prisma Access.
      4. Specify a Cookie Lifetime for the cookie that stores the users’ authentication credentials.
        After the IdP authenticates the user, Prisma Access stores the authentication state of the user in the Authentication Cache Service (ACS). The validity period of the authentication is based on the Cookie Lifetime value you specify here.
        To prevent issues with users not being able to download large files before the cookie lifetime expires, or the cookie expiring when users are accessing a single website for a long period of time, Palo Alto Networks recommends that you configure a Cookie Lifetime of at least one day. If Explicit Proxy users have a cookie lifetime expiration issue, they can browse to a different website to re-authenticate to ACS and refresh the ACS cookie.
      5. Save your changes.
    5. Verify that the Cloud Identity Engine is successfully authenticating your Explicit Proxy mobile users.
      1. From Prisma Access (Managed by Strata Cloud Manager), select Incidents & AlertsLog ViewerFirewall/Authentication.
      2. View the Auth Event status.
        If the authentication fails, view the Authentication Description for more details about the failure.
      3. From the mobile user’s endpoint, use dev tools to view the Cloud Identity Engine authentication flow.

    Cloud Identity Engine Authentication for Explicit Proxy Deployments (Panorama)

    Use the Cloud Authentication (CAS) component of the Cloud Identity Engine to authenticate Prisma Access mobile users in a Mobile Users—Explicit Proxy deployment.
    Authenticate

    © 2025 Palo Alto Networks, Inc. All rights reserved.