>
    Strata Copilot
    Configure Secure Agentless Access Settings
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Secure Agentless Access
    5. Configure Secure Agentless Access Settings
    Download PDF
    Prisma Access

    Configure Secure Agentless Access Settings

    Table of Contents

    Configure Secure Agentless Access Settings

    Learn how to set up general Secure Agentless Access settings such as enabling SAA and selecting the Cloud Identity Engine directory and authentication profile.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    • Prisma Access 5.2.1
    • Minimum Prisma Access dataplane version: 11.2.4
    • Prisma Access license with a Mobile User subscription
    • Secure Agentless Access add-on license
    To begin to onboard your users for Secure Agentless Access (SAA), you need to configure general SAA settings such as enabling SAA and selecting the Cloud Identity Engine directory and authentication profile to use with SAA.
    Before you configure the SAA settings, be sure to complete the following prerequisites:
    • Create your first tenant and activate the Cloud Identity Engine.
    • Review the Cloud Identity Engine directory and authentication profile settings. You can use existing Cloud Identity Engine configurations for directory and authentication profiles. SAA supports only SAML 2.0 authentication with the Cloud Identity Engine.
    • Make sure that you have a DNS server accessible via the Service Connection that can resolve the hostnames of the RDP, SSH, and VNC apps.
    • Configure at least one GlobalProtect Mobile User connection method, and select at least one Prisma Access location to support mobile users.
    • Activate the add-on license for SAA by clicking the activation link in the email you received from Palo Alto Networks.
    To configure SAA settings:
    1. Navigate to the SAA Overview page.
      • For Prisma Access (Managed by Strata Cloud Manager):
        1. Log in to Strata Cloud Manager as the administrator.
        2. Select ConfigurationSecure Agentless AccessOverview.
      • For Prisma Access (Managed by Panorama):
        1. Launch Secure Agentless Access from the Cloud Services plugin on Panorama by selecting PanoramaCloud ServicesSecure Agentless Access.
        2. Click Get Started.
        3. Select ConfigurationSecure Agentless AccessOverview.
    2. Edit the SAA settings.
      The SAA Overview page shows the status of your SAA deployment, such as the Cloud Identity Engine directory and authentication profile settings, and the locations where SAA will be deployed.
    3. Enable SAA by enabling Enable/Disable Secure Agentless Access.
    4. Set up user authentication for Secure Agentless Access (SAA) so that only authorized users can remotely log in to the SAA to access their apps. SAA works with the Cloud Identity Engine to authenticate users using identity providers like the Active Directory (AD) service and to retrieve the user-group mapping from the AD service.
      1. Select the CIE Directory from which to retrieve the user-group mapping.
      2. Select a CIE Authentication Profile, which is the SAML authentication profile that validates the login credentials of end users who access SAA.
    5. Save your settings.

    © 2026 Palo Alto Networks, Inc. All rights reserved.