Focus

Prisma Access

Cloud Management

Table of Contents

Filter

Expand All | Collapse All

Prisma Access Docs

Administration
Version
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Integrations
Incidents & Alerts
Release Notes
Version
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred

Cloud Management

Configure Prisma Access to establish a trust relationship with your Okta IdP for SAML 2.0 authentication of your mobile users.

Use the following procedure to configure a trust relationship between Prisma Access and your Okta IdP:

Enable Mobile Users to Authenticate to Prisma Access.

Complete the steps for defining the Service Provider (SP) settings, including generating or importing the certificate that Prisma Access uses to sign SAML messages that it sends to the identity provider (IdP).

Export the Prisma Access signing certificate so that you can import it onto your IdP.

Log into Okta as an administrator and create and create SAML 2.0 applications for Prisma Access.

Create a new application integration for Prisma Access. Specify the Platform Type as

Web

and the sign-on method as

SAML 2.0

and click

Create

Configure the following application integration options:

Single sign on URL

—Enter the URL for the portal (i.e. https://portal114.gpcloudservice.com:443/SAML20/SP/ACS)

Use this for Recipient URL and Destination URL

—Select this check box.

Allow this app to request other SSO URLs

—Select this check box and add the URLs for all Prisma Access gateways on the list you copied in the

Requestable SSO URLs

field.

Audience URI (SP Entity ID)

—Enter the URL for the portal (i.e. https://portal114.gpcloudservice.com:443/SAML20/SP).

Default RelayState

—Leave blank.

Name ID format

—Select

EmailAddress

Application username

—Select

Okta Username

Select

Show Advanced Settings

and configure these settings:

Allow application to initiate Single Logout

—Select this check box.

Single Logout URL

—Enter https://<Prisma Access-FQDN>
:443/SAML20/SP/SLO

Where <Prisma-Access-FQDN>
is the FQDN you defined for Prisma Access when you set up the environment.

SP Issuer

—Enter the issuer for the service provider.

Signature Certificate

—

Browse

to and then select the SAML signing certificate that you exported from Prisma Access, then click

Upload Certificate

In the ATTRIBUTE STATEMENTS (OPTIONAL) area, specify users, Name formats, and values in Okta Expression Language.

These fields reference, transform and combine attributes to define the Username attribute format to match what you set up on Prisma Access. For example, specify a name format of Basic
and a Value of user.firstName
.

Optionally, in the Group Attribute Statements (Optional) area, create group attribute options.

You can’t use group information that’s retrieved from the SAML assertion in either security policy rules or the GlobalProtect app configuration.

Save the configuration.

Complete the configuration of the SAML 2.0 web application in Okta and enable the users to use the application. Click

View Setup Instructions

for details.

To download the metadata files for the portal and gateways, click

Identity Provider metadata

and copy that information.

Import the metadata file and the CA certificate from Okta into Prisma Access.

Workflows

Prisma Access Setup

Mobile Users

. Select

GlobalProtect Setup

Explicit Proxy Setup

and edit the

User Authentication

configuration.

SAML IdP Profile

click

Add SAML IdP Profile

and

Import

the metadata file you exported from the Okta server.

Save

the IdP profile.

Prisma Access Docs

Cloud Management

Prisma Access Docs

Cloud Management

Recommended For You

Activation & Onboarding

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner