Configure Mobile Users using Cloud Identity Engine (Recommended) (Strata Cloud Manager)

Table of Contents

You first configure SAML in Microsoft Entra ID (formerly Azure Active Directory (Azure AD), then import the metadata XML file (the file that contains SAML registration information) from Microsoft Entra ID and upload it to a SAML Identity Provider you create in Prisma Access. You then create an Authentication Profile that references the IdP server profile, add the authentication profile into the Explicit Proxy or GlobalProtect configuration, and commit and push your changes.

If you are a GlobalProtect mobile user, upgrade your GlobalProtect app to 6.0 version or to a later version.

From Prisma Access, open the Cloud Identity Engine app associated with your tenant.
1. Go to Prisma AccessTenants and ServicesCloud Identity Engine.
Download the SP Metadata in the Cloud Identity Engine app.
1. Go to AuthenticationAuthentication TypesAdd New.
2. Set Up a SAML 2.0 authentication type.
3. Download SP Metadata.
4. Log in to the Azure Portal and select Microsoft Entra ID.
  
  Make sure you complete all the necessary steps in the Azure portal.
  
  If you have more than one directory, Switch directory to select the directory you want to use with the Cloud Identity Engine.
5. Select Enterprise applications and click New application.
6. Search for Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service and create the Microsoft Entra ID single-sign on integration.
  
  Customize the app name if required while creating the application.
7. After the application loads, select Users and groups, then Add user/group to Assign them to this application.
  
  Select the users and groups you want to have use the Azure IdP in the Cloud Identity Engine for authentication.
  
  Be sure to assign the account you are using so you can test the configuration when it is complete. You may need to refresh the page after adding accounts to successfully complete the test.
8. Set up single sign-on then select SAML.
9. Upload Metadata File by browsing to the metadata file that you downloaded from the Cloud Identity Engine app in step
  2.c
  and click Add.
10. After the metadata uploads, enter your regional endpoint as the Sign-on URL using the following format: https://<RegionUrl>.paloaltonetworks.com/sp/acs (where <RegionUrl> is your regional endpoint).
  
  Alternatively, copy the reply URL to the sign on URL.
11. Save your configuration.
12. Download the Federation Metadata XML under SAML Certificates.
Add Azure as an authentication type in the Cloud Identity Engine app.
1. In Cloud Identity Engine app, select AuthenticationAuthentication TypesAdd New.
2. Set Up a SAML 2.0 authentication type.
3. Enter a Profile Name.
4. Select Azure as your IDP Vendor.
5. Upload Metadata from step
  2.l
  to Add Metadata.
6. Click to Upload.
7. Test SAML Setup to verify the profile configuration.
8. Select the SAML attributes you want Prisma Access to use for authentication and Submit the IdP profile.
Add an authentication profile.
1. Select AuthenticationAuthentication ProfilesAdd Authentication Profile.
2. Enter a PROFILE NAME.
3. Select an Authentication Mode.
4. Select the Authentication Type from step
  3
  and Submit.
Add the authentication profile from Cloud Identity Engine to Prisma Access.
1. In Prisma Access, select ManageConfigurationIdentity ServicesAuthenticationAuthentication Profiles.
  
  Ensure to set the scope to GlobalProtect or Explicit Proxy mobile users.
2. Add Profile.
3. Select Cloud Identity Engine as your Authentication Method.
4. Enter a Profile Name.
5. Select the Profile you added in the Cloud Identity Engine app from step
  4
  .
6. Save the changes.
Attach the authentication to mobile users.
- For GlobalProtect mobile users
1. Select ManageService SetupGlobalProtectInfrastructureAdd Authentication.
2. Select all required fields and the Profile you added to Prisma Access in step
  5
  .
3. Save the changes.
4. Move the authentication to the top of the list to prioritize it.
- For explicit proxy mobile users
1. Select ManageService SetupExplicit Proxy.
2. Edit the User Authentication settings.
3. Create New profile.
4. Select the Cloud Identity Engine authentication method.
5. Enter a profile name.
6. Select the Profile you added to Prisma Access in step
  5
  .
7. Save the changes.
8. Move the authentication to the top of the list to prioritize it.
(For GlobalProtect mobile users only) Edit the default browser settings for the GlobalProtect app.
1. Select the Default app settings.
2. Go to App ConfigurationShow Advanced OptionsAuthentication.
3. Select the Use Default Browser for SAML Authentication.
4. Save the changes.
Push the changes.
(Optional) Verify the user authentication.
- For GlobalProtect mobile users
1. Log in to a Windows machine and connect to the GlobalProtect app.
  
  The default browser takes you to SAML authentication.
2. Enter the credentials and sign in.
3. View Settings in the GlobalProtect app to see the connection details.
4. Log in to Prisma Access and select ActivityLogsLog Viewer.
  
  You can see that the authentication is successful.
- For explicit proxy mobile users
1. Copy the PAC file URL to the endpoint.
  
  Go to ManageService SetupExplicit ProxyInfrastructure Settings to view the PAC file URL.
2. Log in to a Windows machine.
3. Edit the Proxy Settings and paste the PAC file URL to the Script Address.
4. Access a URL that requires authentication.
5. Enter the credentials.
6. In Prisma Access, view the user mapping information by running the show user ip-user-mapping all command.
7. (Optional) In Strata Cloud Manager, select InsightsActivity InsightsUsers.
  
  View details about mobile users connected for a time range you select.