Configure Mobile Users using Cloud Identity Engine (Recommended)
Prisma Access


Where Can I Use This?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
What Do I Need?
  • Minimum Required Prisma Access Version: 4.0 Preferred
Cloud Identity Engine (Directory Sync) gives Prisma Access read-only access to your Active Directory information, so that you can easily set up and manage security and decryption policies for users and groups. Cloud Identity Engine works with both on-premises Active Directory and Azure Active Directory. Prisma Access retrieves user and group information from your organization’s cloud directory or Active Directory (AD), to enforce user- and group-based policy. Optionally, Prisma Access retrieves user behavior-based risk signals from some cloud directory vendors, such as Azure Active Directory, to enforce automated security actions. In addition to simplifying user and group information retrieval, integrating the Cloud Identity Engine with Prisma Access can free up the bandwidth and load on your cloud directory or AD. To set up Cloud Identity Engine with Prisma Access, start by going to the hub to activate Cloud Identity Engine and add it to Prisma Access. Then go to Prisma Access to validate that Prisma Access is able to access directory data.

Cloud Management

You first configure SAML in Azure AD, then import the metadata XML file (the file that contains SAML registration information) from Azure AD and upload it to a SAML Identity Provider you create in Prisma Access. You then create an Authentication Profile that references the IdP server profile, add the authentication profile to the Explicit Proxy or GlobalProtect configuration, and commit and push your changes.
If you are a GlobalProtect mobile user, upgrade your GlobalProtect app to version 6.0 or later.
  1. From Prisma Access, open the Cloud Identity Engine app associated with your tenant.
    1. Go to Prisma Access > Tenants and Services > Cloud Identity Engine.
  2. Download the SP Metadata in the Cloud Identity Engine app.
    1. Go to Authentication > Authentication Types > Add New.
    2. Set Up a SAML 2.0 authentication type.
    3. Download SP Metadata.
    4. Log in to the Azure Portal and select Azure Active Directory.
      Make sure you complete all the necessary steps in the Azure portal.
      If you have more than one directory, Switch directory to select the directory you want to use with the Cloud Identity Engine.
    5. Select Enterprise applications and click New application.
    6. Search for Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service and create the Azure AD single sign-on integration.
      Customize the app name if required while creating the application.
    7. After the application loads, select Users and groups, then Add user/group to Assign them to this application.
      Select the users and groups you want to use the Azure IdP in the Cloud Identity Engine for authentication.
      Be sure to assign the account you are using so you can test the configuration when it is complete. You may need to refresh the page after adding accounts to successfully complete the test.
    8. Set up single sign-on, then select SAML.
    9. Upload Metadata File by browsing to the metadata file that you downloaded from the Cloud Identity Engine app in step 2.3 and click Add.
    10. After the metadata uploads, enter your regional endpoint as the Sign-on URL using the following format: https://<RegionUrl>.paloaltonetworks.com/sp/acs (where <RegionUrl> is your regional endpoint).
      Alternatively, copy the reply URL to the sign-on URL.
    11. Save your configuration.
    12. Download the Federation Metadata XML under SAML Certificates.
  3. Add Azure as an authentication type in the Cloud Identity Engine app.
    1. In the Cloud Identity Engine app, select Authentication > Authentication Types > Add New.
    2. Set Up a SAML 2.0 authentication type.
    3. Enter a Profile Name.
    4. Select Azure as your IDP Vendor.
    5. Upload Metadata from step 2.12 to Add Metadata.
    6. Click to Upload.
    7. Test SAML Setup to verify the profile configuration.
    8. Select the SAML attributes you want Prisma Access to use for authentication and Submit the IdP profile.
  4. Add an authentication profile.
    1. Select Authentication > Authentication Profiles > Add Authentication Profile.
    2. Enter a PROFILE NAME.
    3. Select an Authentication Mode.
    4. Select the Authentication Type from step 3 and Submit.
  5. Add the authentication profile from Cloud Identity Engine to Prisma Access.
    1. In Prisma Access, select Manage > Configuration > Identity Services > Authentication > Authentication Profiles.
      Ensure that the scope is set to GlobalProtect or Explicit Proxy mobile users.
    2. Add Profile.
    3. Select Cloud Identity Engine as your Authentication Method.
    4. Enter a Profile Name.
    5. Select the Profile you added in the Cloud Identity Engine app in step 4.
    6. Save the changes.
  6. Attach the authentication to mobile users.
    • For GlobalProtect mobile users
      1. Select Manage > Service Setup > GlobalProtect > Infrastructure > Add Authentication.
      2. Select all required fields and the Profile you added to Prisma Access in step 5.
      3. Save the changes.
      4. Move the authentication to the top of the list to prioritize it.
    • For explicit proxy mobile users
      1. Select Manage > Service Setup > Explicit Proxy.
      2. Edit the User Authentication settings.
      3. Create New profile.
      4. Select the Cloud Identity Engine authentication method.
      5. Enter a profile name.
      6. Select the Profile you added to Prisma Access in step 5.
      7. Save the changes.
      8. Move the authentication to the top of the list to prioritize it.
  7. (For GlobalProtect mobile users only) Edit the default browser settings for the GlobalProtect app.
    1. Select the Default app settings.
    2. Go to App Configuration > Show Advanced Options > Authentication.
    3. Select Use Default Browser for SAML Authentication.
    4. Save the changes.
  8. Push the changes.
  9. (Optional) Verify the user authentication.
    • For GlobalProtect mobile users
      1. Log in to a Windows machine and connect to the GlobalProtect app.
        The default browser takes you to SAML authentication.
      2. Enter the credentials and sign in.
      3. View Settings in the GlobalProtect app to see the connection details.
      4. Log in to Prisma Access and select Activity > Logs > Log Viewer.
        You can see that the authentication is successful.
    • For explicit proxy mobile users
      1. Copy the PAC file URL to the endpoint.
        Go to Manage > Service Setup > Explicit Proxy > Infrastructure Settings to view the PAC file URL.
      2. Log in to a Windows machine.
      3. Edit the Proxy Settings and paste the PAC file URL into the Script Address.
      4. Access a URL that requires authentication.
      5. Enter the credentials.
      6. In Prisma Access, view the user mapping information by running the show user ip-user-mapping all command.
      7. (Optional) In Prisma Access, select Insights > Mobile Users - Explicit Proxy.
        View details about mobile users connected for a time range you select.

Panorama

The Cloud Identity Engine provides both user identification and user authentication for mobile users in a Prisma Access—GlobalProtect deployment. Using the Cloud Identity Engine for user authentication and username-to-user group mapping allows you to write security policy based on users and groups, not IP addresses, and helps secure your assets by enforcing behavior-based security actions. By continually syncing the information from your directories, the Cloud Identity Engine ensures that your user information is accurate and up to date and policy enforcement continues based on the mappings even if the SAML identity provider (IdP) is temporarily unavailable.

GlobalProtect Mobile Users

Use the Cloud Authentication (CAS) component of the Cloud Identity Engine to authenticate Prisma Access mobile users in a Mobile Users—GlobalProtect deployment.
This functionality is only available for Panorama Managed Prisma Access 3.0 Innovation and later Innovation deployments.
The Cloud Identity Engine has two components to provide authentication and enforcement of user- and group-based policy:
  • The Cloud Authentication Service component allows you to authenticate mobile users in a Prisma Access—GlobalProtect deployment. You configure a SAML IdP during configuration of the Cloud Identity Engine to use with the Cloud Authentication Service.
  • The Directory Sync component provides username-to-user group mapping for the authenticated user. You can use this mapping to enforce user- and group-based policy in Prisma Access.
To configure the Cloud Authentication Service to authenticate GlobalProtect mobile users, you must have the following minimum required product and software versions:
  • A minimum Prisma Access version of 3.0 Innovation or a later Innovation version, which requires a dataplane version of 10.1.
    To verify your dataplane version, select Panorama > Cloud Services > Configuration > Service Setup and view the Current Dataplane version in the DataPlane PAN-OS version area.
    If your dataplane is running 10.1, you are running the Prisma Access 3.0 Innovation or later Innovation release and can use the Cloud Identity Engine to authenticate GlobalProtect mobile users. If your dataplane is running 10.0, you are running a Prisma Access Preferred release and you cannot authenticate mobile users with the Cloud Identity Engine.
  • A minimum GlobalProtect app version of 6.0.
  • A SAML IdP that is supported with the Cloud Identity Engine.
    Prisma Access supports all IdPs that are supported by the Cloud Identity Engine, including Azure, Okta, PingOne, PingFederate, and Google.
  • A minimum Panorama version of 10.1.
To configure authentication for mobile users using the Cloud Authentication Service, complete the following steps.
  1. Install the device certificate on the Panorama that manages Prisma Access.
    You must generate a one-time password (OTP) and retrieve the device certificate to successfully authenticate Panorama with the Cloud Identity Engine.
    1. Log in to the Customer Support Portal to generate the One Time Password (OTP).
    2. Select Assets > Device Certificates and Generate OTP.
    3. For the Device Type, select Generate OTP for Panorama and Generate OTP.
    4. Select the Panorama Device serial number.
    5. Generate OTP and copy the OTP.
    6. From the Panorama that manages Prisma Access, select Panorama > Setup > Management > Device Certificate Settings and Get certificate.
      When you have successfully installed the certificate, the Current Device Certificate Status (Panorama > Setup > Management > Device Certificate) displays as Valid.
  2. Activate the Cloud Identity Engine if you have not yet done so to create your first instance.
    1. Activate the Cloud Identity Engine.
      If the Activate button is not available, ensure that your role has the necessary privileges.
    2. Enter the information for your Cloud Identity Engine instance.
      • Select the Company Account for the instance.
      • Specify a Name to identify the instance.
      • (Optional) Enter a Description to provide more information about the Cloud Identity Engine instance (for example, details about the instance’s purpose).
      • Select a Region.
        Make a note of the region you selected; you use that region when you activate the Cloud Identity Engine in a later step.
      • Agree to the EULA.
    3. Agree & Activate the instance.
    4. On the Activation Details page, select the hub in the upper left.
    5. The Cloud Identity Engine displays.
  3. (Optional) If you require a separate instance for Explicit Proxy, configure a Cloud Identity Engine instance.
    If you want to isolate your Explicit Proxy directory data, or allow different Palo Alto Networks cloud applications and services to access different sets of directory data, you can create a Cloud Identity Engine instance specifically for Explicit Proxy.
    When you select a Region, select the same region you used when you activated the Cloud Identity Engine.
  4. From the Cloud Identity Engine app, configure a SAML IdP in the Cloud Identity Engine.
    The Cloud Identity Engine Getting Started guide has the procedures you need to configure a SAML IdP in the Cloud Identity Engine.
    Use the following values when configuring Explicit Proxy authentication in your IdP:
    • Single sign-on URL: global.acs.prismaaccess.com
    • SAML Assertion Consumer Service URL: https://global.acs.prismaaccess.com/saml/acs
    • Entity ID URL: https://global.acs.prismaaccess.com/saml/metadata
  5. Configure an authentication profile to use with the Cloud Authentication Service.
    Be sure that you are in the Mobile_User_Template. By setting up an authentication profile in Panorama, you can redirect GlobalProtect mobile users to the IdP you configure for authentication.
  6. Change the pre-deployed settings on mobile users’ Windows, macOS, Linux, Android, and iOS endpoints to use the default system browser for SAML authentication.
    You must set the pre-deployed settings on the client endpoints before you can enable the default system browser for SAML authentication. GlobalProtect retrieves these entries only once, when the GlobalProtect app initializes.
    If there is no pre-deployed value specified on the end users’ Windows or macOS endpoints when using the default system browser for SAML authentication, the Use Default Browser for SAML Authentication option is set to Yes in the portal configuration, and users upgrade the app from release 5.0.x or release 5.1.x to release 5.2.0 for the first time, the app will open an embedded browser instead of the default system browser. After users connect to the GlobalProtect app and the Use Default Browser for SAML Authentication option is set to Yes in the portal configuration, the app will open the default system browser on Windows and macOS endpoints at the next login.
    If the default browser value is set to Yes in the pre-deployed setting of the client machine and the Use Default Browser for SAML Authentication option is set to No in the portal configuration, end users will not have the best user experience. The app will open the default system browser for SAML authentication for the first time. Because the default browser values differ between the client machine and the portal, the app detects a mismatch and opens an embedded browser at the next login.
    The Use Default Browser for SAML Authentication option of the GlobalProtect portal and the pre-deployed settings in the client machine must have the same value to provide the best user experience.
    • On Windows endpoints, you can use the System Center Configuration Manager (SCCM) to pre-deploy the GlobalProtect app 5.2 and set the DEFAULTBROWSER value to yes from the Windows Installer (Msiexec) using the following syntax:
      msiexec.exe /i GlobalProtect.msi DEFAULTBROWSER=YES
    • On macOS endpoints, set the default-browser value to yes in the macOS plist (/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist) for the GlobalProtect app using the following syntax:
      sudo defaults write /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist '{"Palo Alto Networks" ={GlobalProtect={Settings={default-browser=yes;};};};}'
      You must specify the plist key to launch the default system browser for SAML authentication after GlobalProtect app 5.2 is installed.
      After you add the plist key, you must restart the GlobalProtect app in order for the plist key to take effect. After you restart the GlobalProtect app, the default system browser for SAML authentication launches. To restart the GlobalProtect app:
      • Launch the Finder.
      • Open the Applications folder by selecting Applications from the Finder sidebar.
        If you do not see Applications in the Finder sidebar, select Go > Applications from the Finder menu bar.
      • Open the Utilities folder.
      • Launch Terminal.
      • Execute the following commands:
        username>$ launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist
        username>$ launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
        username>$ launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist
        username>$ launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
    • On Linux endpoints, set the default-browser value to yes in the /opt/paloaltonetworks/globalprotect/pangps.xml pre-deployment configuration file under <Settings>. After you add the default-browser value, follow the pre-deployment instructions before you reboot the Linux endpoint in order for the change to take effect.
    • On Android and iOS endpoints, create a VPN profile by using a supported mobile device management (MDM) system such as AirWatch.
      • Log in to AirWatch as an administrator.
      • Select an existing VPN profile (Devices > Profiles & Resources > Profiles) in the list.
      • Select VPN to add a VPN profile.
        On Android endpoints, enter the Custom Data Key (use_default_browser_for_saml) and the Custom Data Value (true).
        On iOS endpoints, enter the Custom Data Key (saml-use-default-browser) and the Custom Data Value (true).
      • Click Save and Publish to save your changes.
  7. Configure the Prisma Access portal to use Cloud Identity Engine authentication.
    1. In the Mobile_User_Template, select Network > GlobalProtect > Portals > GlobalProtect_Portal > Authentication.
    2. Select the Default GlobalProtect portal configuration.
    3. Select the Authentication Profile you created for Cloud Identity Engine authentication and click OK.
    4. Select Agent, then select the Default agent.
    5. (Optional) If you have on-premises GlobalProtect gateways and want the Prisma Access gateway to generate a cookie to override authentication for on-premises gateways, select Generate cookie for authentication override.
    6. (Optional) If you want Prisma Access to accept cookies from on-premises gateways that allow them to override authentication for Prisma Access, select Accept cookie for authentication override.
    7. Click OK.
    8. In the App settings, make sure that Use Default Browser for SAML Authentication is set to Yes.
      Selecting this portal setting ensures that mobile users can leverage the same login for GlobalProtect with their saved user credentials on the default system browser such as Chrome, Firefox, or Safari.
    9. Click OK.
  8. Configure the Prisma Access gateway to use Cloud Identity Engine authentication.
    1. In the Mobile_User_Template, select Network > GlobalProtect > Gateways > GlobalProtect_External_Gateway.
    2. Select Authentication.
    3. Select the Default authentication profile.
    4. Select the Authentication Profile you created for Cloud Identity Engine authentication and click OK.
    5. Select Agent > Client Settings, then select the Default configuration.
    6. (Optional) Select Generate cookie for authentication override and Accept cookie for authentication override.
      When you use the Cloud Identity Engine for authentication, Palo Alto Networks recommends that you allow authentication cookie overrides on gateways, since you have already configured authentication on the portal. If you do not configure cookie overrides on the gateway, two authentication pages display on the mobile user’s default browser when they log in to a gateway: one page for portal authentication and one page for gateway authentication.
    7. Click OK.
  9. Complete the Cloud Identity Engine configuration in Panorama.
    1. Select Panorama > Setup > Management and Edit the Authentication Settings, then select the Authentication Profile you created in Step 5.
    2. Select Panorama > Device Groups and Add or Edit a device group.
    3. Select the Cloud Identity Engine and Add the Cloud Identity Engine instance you want to associate with Panorama; then, click OK.
  10. Commit and Push your changes.
  11. Verify that the Cloud Identity Engine is successfully authenticating your mobile users.
    1. On a mobile user endpoint, open the GlobalProtect app (minimum GlobalProtect version of 6.0 required).
    2. If prompted, Get Started.
    3. Enter the Portal URL in the app and Connect to it.
    4. When you are challenged for authentication, verify that you are redirected to the SAML IdP and are presented with a login page.
      After you successfully authenticate to the SAML IdP, it redirects you to Prisma Access. Prisma Access then validates the SAML responses from the SAML IdP and the mobile user is able to log in to the GlobalProtect portal.
    5. Enter your credentials to log in.
    6. After you have successfully logged in, Open GlobalProtect in the browser or, if you are provided with a URL, Click Here to open the GlobalProtect app.
    7. If your system browser prompts you to allow opening GlobalProtect in the browser, Allow it.
    8. Verify that you receive a banner from the GlobalProtect app, indicating that you are Connected to GlobalProtect and showing the GlobalProtect Portal and Gateway.
    9. (Optional) To see more information about the GlobalProtect connection, select Settings from the GlobalProtect app.
      From this area, you can see the user that is logged in, view connection statistics and notifications, and download GlobalProtect logs for Troubleshooting.

Explicit Proxy Mobile Users

Use the Cloud Authentication (CAS) component of the Cloud Identity Engine to authenticate Prisma Access mobile users in a Mobile Users—Explicit Proxy deployment.
To configure the Cloud Authentication Service to authenticate Explicit Proxy mobile users, you must have the following minimum required product and software versions:
  • A minimum Prisma Access version of 3.2 (either Preferred or Innovation).
  • A minimum Panorama version of 10.1.3.
  • A minimum dataplane version of 10.1.3.
    To verify your dataplane version, select Panorama > Cloud Services > Configuration > Service Setup and view the Current Dataplane version in the DataPlane PAN-OS version area. If your dataplane version is lower than 10.1.3, reach out to your Palo Alto Networks account representative and submit a request.
  • A SAML IdP that is supported with the Cloud Identity Engine.
    All IdPs that are supported by the Cloud Identity Engine are supported, including Azure, Okta, PingOne, PingFederate, and Google.
To configure authentication for a Mobile Users—Explicit Proxy deployment using the Cloud Identity Engine, complete the following steps.
  1. From the Panorama that manages Prisma Access, set up and configure a Mobile Users—Explicit Proxy deployment.
    Before you configure Explicit Proxy, be aware of how Explicit Proxy works and how it identifies users, go through the planning checklist, and learn how to set up the Explicit Proxy PAC file.
  2. From the Panorama that manages Prisma Access, install the Panorama device certificate.
    You must generate a one-time password (OTP) and retrieve the device certificate to successfully authenticate Panorama with the Cloud Identity Engine.
    1. Log in to the Customer Support Portal to generate the One Time Password (OTP).
    2. Select Assets > Device Certificates and Generate OTP.
    3. For the Device Type, select Generate OTP for Panorama and Generate OTP.
    4. Select the Panorama Device serial number.
    5. Generate OTP and Copy to Clipboard.
    6. From the Panorama that manages Prisma Access, select Panorama > Setup > Management > Device Certificate Settings and Get certificate.
      When you have successfully installed the certificate, the Current Device Certificate Status (Panorama > Setup > Management > Device Certificate) displays as Valid.
  3. From the hub, activate the Cloud Identity Engine if you have not yet done so to create your first instance.
    1. Activate the Cloud Identity Engine.
      If the Activate button is not available, ensure that your role has the necessary privileges.
    2. Enter the information for your Cloud Identity Engine instance.
      • Select the Company Account for the instance.
      • Specify a Name to identify the instance.
      • (Optional) Enter a Description to provide more information about the Cloud Identity Engine instance (for example, details about the instance’s purpose).
      • Select a Region.
        Make a note of the region; you specify the same region when you create an authentication profile in Panorama.
      • Agree to the EULA.
    3. Agree & Activate the instance.
    4. On the Activation Details page, select the hub in the upper left.
    5. The Cloud Identity Engine displays.
  4. (Optional) If you require a separate instance for Explicit Proxy, configure a Cloud Identity Engine instance.
    If you want to isolate your Explicit Proxy directory data, or allow different Palo Alto Networks cloud applications and services to access different sets of directory data, you can create a Cloud Identity Engine instance specifically for Explicit Proxy.
    1. Log in to the hub.
    2. Click the gear in the upper right corner of the page to manage the settings; then, select Manage Apps and click Add Instance.
    3. Configure the instance.
      • Select the Company Account for the instance.
      • Specify a Name to identify the instance.
      • (Optional) Enter a Description to provide more information about the Cloud Identity Engine instance (for example, details about the instance’s purpose).
      • Select a Region.
        Make a note of the region; you specify the same region when you create an authentication profile in Panorama.
      • Agree to the EULA.
    4. Agree & Activate the instance.
  5. Set up an authentication profile in the Cloud Identity Engine and select the users and groups that can use this authentication method.
    You specify this profile when you create an authentication profile in Panorama in a later step.
  6. Return to the Panorama that manages Prisma Access and configure an authentication profile to use with the Cloud Authentication Service.
    1. Select Device > Authentication Profile and Add an authentication profile.
      Be sure that you are in the Explicit_Proxy_Template.
    2. Enter a Name for the authentication profile.
    3. Select Cloud Authentication Service as the Type.
    4. Select the Region of your Cloud Identity Engine instance.
      Specify the same region you used when you created your Cloud Identity Engine instance.
    5. Select the Cloud Identity Engine Instance to use for this authentication profile.
    6. Select an authentication Profile that specifies the authentication type you want to use to authenticate users.
      Specify the authentication profile you created in the Cloud Identity Engine.
    7. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
    8. (Optional) If the profile you selected has multi-factor authentication (MFA) enabled, select Force multi-factor authentication in cloud.
      Selecting this option means that the IdP (for example, Okta) specified by the profile is responsible for performing MFA. If you select this check box and incorrect MFA information is received from the Cloud Identity Engine, authentication fails.
    9. Click OK.
  7. Allow the necessary authentication traffic to be passed to Explicit Proxy.
    1. Create a URL list as a custom URL category to allow the necessary traffic for the Cloud Identity Engine.
    2. Add the following Cloud Identity Engine URLs to the URL category.
      If you do not need to strictly limit traffic to your region, you can enter *.apps.paloaltonetworks.com. Otherwise, determine your region-based URL using the show cloud-auth-service-regions command in the Cloud Identity Engine to display the URLs for the region associated with your Cloud Identity Engine instance and enter each region-based URL. The following table includes the URLs for each region:
      Region                       Cloud Identity Engine Region-Based URL
      United States                cloud-auth.us.apps.paloaltonetworks.com
                                   cloud-auth-service.us.apps.paloaltonetworks.com
      Europe                       cloud-auth.nl.apps.paloaltonetworks.com
                                   cloud-auth-service.nl.apps.paloaltonetworks.com
      United Kingdom               cloud-auth.uk.apps.paloaltonetworks.com
                                   cloud-auth-service.uk.apps.paloaltonetworks.com
      Singapore                    cloud-auth.sg.apps.paloaltonetworks.com
                                   cloud-auth-service.sg.apps.paloaltonetworks.com
      Canada                       cloud-auth.ca.apps.paloaltonetworks.com
                                   cloud-auth-service.ca.apps.paloaltonetworks.com
      Japan                        cloud-auth.jp.apps.paloaltonetworks.com
                                   cloud-auth-service.jp.apps.paloaltonetworks.com
      Australia                    cloud-auth.au.apps.paloaltonetworks.com
                                   cloud-auth-service.au.apps.paloaltonetworks.com
      Germany                      cloud-auth.de.apps.paloaltonetworks.com
                                   cloud-auth-service.de.apps.paloaltonetworks.com
      United States - Government   cloud-auth-service.gov.apps.paloaltonetworks.com
                                   cloud-auth.gov.apps.paloaltonetworks.com
      India                        cloud-auth-service.in.apps.paloaltonetworks.com
                                   cloud-auth.in.apps.paloaltonetworks.com
    3. Enter the URLs that your IdP requires for user authentication (for example, *.okta.com) in the custom URL category.
    4. Create a security policy rule to allow traffic to the authentication type and Cloud Identity Engine and select the custom URL category as the match criteria.
  8. Specify the authentication profile for Explicit Proxy.
    1. Select Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy.
    2. Select the Connection Name.
    3. Specify the Cloud Identity Engine Authentication Profile.
  9. Commit and Push your changes.
  10. Verify that the Cloud Identity Engine is successfully authenticating your Explicit Proxy mobile users.
    1. From the Panorama that manages Prisma Access, select Monitor > Logs > Authentication.
    2. View the Event status.
      If the authentication fails, view the Description for more details about the failure.
    3. From the mobile user’s endpoint, use the browser's developer tools to view the Cloud Identity Engine authentication flow.
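The Maximum Clock Skew (seconds) setting in step 6 above decides whether an assertion whose NotBefore / NotOnOrAfter window disagrees with the validator's clock is still accepted. The following Python example is added here and is not Palo Alto Networks or Prisma Access code: it applies the documented default (60) and range (1–900) to a constructed SAML assertion so you can see exactly which drifts pass and which fail. The element and attribute names come from the SAML 2.0 assertion schema; applying the skew symmetrically to IssueInstant, NotBefore and NotOnOrAfter is an assumption about a typical validator, not a description of Prisma Access internals.

```python
"""Clock-skew validation of SAML assertion timing, modelled on the
Maximum Clock Skew (seconds) setting: default 60, range 1-900.
Added example; not Palo Alto Networks or Prisma Access code."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_MAX_SKEW = 60       # seconds, the documented default
MAX_SKEW_RANGE = (1, 900)   # seconds, the documented range

# Constructed sample assertion (not a real IdP response). Only the timing
# attributes matter here; signature verification is out of scope.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-id" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """Parse a SAML xs:dateTime (UTC, 'Z' suffix) into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("SAML timestamps must carry a time zone")
    return parsed.astimezone(timezone.utc)


def check_max_skew(max_skew: int) -> int:
    """Enforce the documented 1-900 second range for the skew setting."""
    low, high = MAX_SKEW_RANGE
    if not low <= max_skew <= high:
        raise ValueError(f"Maximum Clock Skew must be {low}-{high} seconds, got {max_skew}")
    return max_skew


def validate_timing(assertion_xml: str, now: datetime,
                    max_skew: int = DEFAULT_MAX_SKEW) -> tuple[bool, str]:
    """Return (accepted, reason) for the assertion's timing at validator time `now`.

    The tolerated skew is applied in both directions: the assertion may be up
    to `max_skew` seconds early (IssueInstant / NotBefore still in the future)
    or up to `max_skew` seconds past NotOnOrAfter, and no further.
    """
    skew = timedelta(seconds=check_max_skew(max_skew))
    root = ET.fromstring(assertion_xml)

    issue_instant = root.get("IssueInstant")
    if issue_instant is not None and parse_saml_time(issue_instant) - now > skew:
        return False, f"IssueInstant {issue_instant} is more than {max_skew}s in the future"

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "assertion carries no Conditions element"

    not_before = conditions.get("NotBefore")
    if not_before is not None and now + skew < parse_saml_time(not_before):
        return False, f"not yet valid: NotBefore {not_before} exceeds {max_skew}s skew"

    not_on_or_after = conditions.get("NotOnOrAfter")
    # NotOnOrAfter is exclusive, so reaching it (after allowing skew) already fails.
    if not_on_or_after is not None and now - skew >= parse_saml_time(not_on_or_after):
        return False, f"expired: NotOnOrAfter {not_on_or_after} exceeds {max_skew}s skew"

    return True, "timing conditions satisfied"


if __name__ == "__main__":
    # Validator clock 30 s behind the IdP: inside the default 60 s skew.
    print(validate_timing(SAMPLE_ASSERTION, parse_saml_time("2024-05-01T11:59:30Z")))
    # Validator clock 2 min behind: fails at 60 s, passes when skew is raised to 300 s.
    print(validate_timing(SAMPLE_ASSERTION, parse_saml_time("2024-05-01T11:58:00Z")))
    print(validate_timing(SAMPLE_ASSERTION, parse_saml_time("2024-05-01T11:58:00Z"), 300))
```

Run it with the validator clock deliberately set behind the IdP to reproduce the "authentication fails" case from step 6.7, then widen the skew to see it pass; the Description field in Monitor > Logs > Authentication is where the corresponding failure would surface on Panorama.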
