This section describes the procedures you perform to integrate Prisma Access with
the Cloud Identity Engine and Microsoft Entra ID (formerly Azure Active Directory (Azure AD)).
The Cloud Identity Engine provides both user
identification and user authentication for mobile user deployments. Using the Cloud
Identity Engine for user authentication and username-to-user group mapping allows you to
write security policy based on users and groups, not IP addresses, and helps secure your
assets by enforcing behavior-based security actions. By continually syncing the
information from your directories, the Cloud Identity Engine ensures that your user
information is accurate and up to date and policy enforcement continues based on the
mappings even if the SAML identity provider (IdP) is temporarily unavailable.
The Cloud Identity Engine has two components that together provide authentication and enforcement of
user- and group-based policy:
The Cloud Authentication Service component allows you to authenticate mobile
users in a Prisma Access deployment. You configure a SAML identity provider (IdP) when
you set up the Cloud Identity Engine for use with the Cloud Authentication
Service.
The Directory Sync component provides username-to-user group mapping for the
authenticated user. You can use this mapping to enforce user- and group-based
policy in Prisma Access.
Prerequisites
Before you begin, make sure that you have completed the following prerequisites:
Activate the Cloud Identity Engine
and create your first tenant.
To configure SAML authentication in Microsoft Entra ID, you must register your Prisma
Access deployment with Microsoft Entra ID. Microsoft Entra ID authentication is supported with
Prisma Access GlobalProtect and Explicit Proxy deployments.