You can enforce SAML authentication to succeed only if the authorization request comes from trusted IP addresses. Users authenticating from untrusted IP addresses cannot access the Prisma Access portal or gateway. In order for this to work, you can specify either a proxy server or Proxy Auto-Configuration (PAC) file via the predeployment parameter SAMLAUTHPROXY. For more information about the parameter, see.App Behavior Options.