>
    Strata Copilot
    Set Up SAML Authentication with CIE (NGFW Deployment)
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access Agent
    3. Prisma Access Agent Administration
    4. Configure the Prisma Access Agent
    5. Set Up Prisma Access Agent User Authentication
    6. Set Up SAML Authentication With Cloud Identity Engine
    7. Set Up SAML Authentication with CIE (NGFW Deployment)
    Download PDF
    Prisma Access Agent

    Set Up SAML Authentication with CIE (NGFW Deployment)

    Table of Contents

    Set Up SAML Authentication with CIE (NGFW Deployment)

    Learn how to set up the user authentication for Prisma Access Agent users in NGFW deployments.
    For Panorama managed NGFW deployments, you can set up user authentication so that only legitimate Prisma Access Agent users have access to your services and applications.
    Before you begin:
    1. Log in to Strata Cloud Manager as the administrator.
    2. Select WorkflowsPrisma Access AgentSetup.
    3. Select the Prisma Access Agent tab.
    4. Click Add User Authentication or select an existing user authentication from the table to update it.
    5. Select the endpoint operating system to Authenticate Users From. Selecting Match Any will authenticate users from all supported operating systems. The default is Match Any.
    6. Select an Authentication Type.
      The following authentication types are available with Cloud Identity Engine:
      • SAML—Select this to use SAML 2.0 to integrate Prisma Access with an identity provider (IdP) that controls access to both external and internal services and applications. SAML single sign-on (SSO) enables one login to access multiple applications, and is helpful in environments where each user accesses many applications and authenticating for each one would impede user productivity. In this case, SAML single sign-on (SSO) enables one login to access multiple applications. This is the default selection.
      • Client Certificate—Select this to use a client certificate from the Cloud Identity Engine to obtain usernames and authenticate Prisma Access Agent users to Prisma Access. To authenticate users based on a client certificate, one of the certificate fields, such as the Subject Name field, must identify the username. End users who successfully authenticate through client certificate authentication don't have the option to sign out of the Prisma Access Agent.
      • Client Certificate OR SAML—Select this to grant access to end users as long as they have successfully passed either client certificate authentication or SAML authentication.
      • Client Certificate AND SAML—Select this to require users to pass both certificate authentication and SAML authentication.
    7. Select an Authentication Profile to use for authentication based on the authentication type.
      • If you're using SAML, select an Authentication Profile or Create New. This authentication profile maps to the Cloud Identity Engine authentication profile that validates the login credentials of end users who access applications and resources using the Prisma Access Agent.
        If you're creating a new profile:
        1. Click Create New.
        2. Enter a Profile Name and select an available Cloud Identity Engine Profile.
        3. (Optional) Enter the Maximum Clock Skew (seconds), which is the allowed system time difference (in seconds) between the IdP and Prisma Access when Prisma Access validates IdP messages. The default value is 60 seconds, and the range is 1-900 seconds. If the difference exceeds this value, authentication fails.
        4. Save your new profile. The profile is added to the Authentication Profile list.
        5. Select the profile you created if you want to use it to authenticate your users.
      • If you're using the Client Certificate authentication type, select a Certificate Profile to verify the certificates that Prisma Access Agent users present to Prisma Access during a connection request. The certificate profile specifies the contents of the username and user domain fields; lists CA certificates; criteria for blocking a session; and offers ways to determine the revocation status of CA certificates.
        Because the certificate is part of the authentication for the user, you must predeploy certificates used in certificate profiles to your users before their initial login. The certificate profile specifies which certificate field contains the username (Subject or Subject Alt). If the certificate profile specifies Subject in the Username Field, the certificate presented by the endpoint must contain a Common Name for the endpoint to connect. If the certificate profile specifies a Subject-Alt with an Email or Principal Name as the Username Field, the certificate must contain the corresponding fields, which will be used as the username when the Prisma Access Agent authenticates to Prisma Access.
      • If you're using Client Certificate OR SAML, select a Certificate Profile and an Authentication Profile. This will grant access to end users as long as they have successfully passed either client certificate authentication or SAML authentication.
      • If you're using Client Certificate AND SAML, select a Certificate Profile and an Authentication Profile. This will require users to pass both certificate authentication and SAML authentication.
    8. Save your user authentication settings.

    © 2025 Palo Alto Networks, Inc. All rights reserved.