Prisma Access Agent
Set Up SAML Authentication with CIE (NGFW Deployment)
Table of Contents
Set Up SAML Authentication with CIE (NGFW Deployment)
Learn how to set up the user authentication for Prisma Access Agent users in
NGFW deployments.
For Panorama managed NGFW deployments, you can set up user authentication so that
only legitimate Prisma Access Agent users have access to your services and
applications.
- Log in to Strata Cloud Manager as the administrator.Select WorkflowsPrisma Access AgentSetup.Select the Prisma Access Agent tab.Click Add User Authentication or select an existing user authentication from the table to update it.Select the endpoint operating system to Authenticate Users From. Selecting Match Any will authenticate users from all supported operating systems. The default is Match Any.Select an Authentication Type.The following authentication types are available with Cloud Identity Engine:
- SAML—Select this to use SAML 2.0 to integrate Prisma Access with an identity provider (IdP) that controls access to both external and internal services and applications. SAML single sign-on (SSO) enables one login to access multiple applications, and is helpful in environments where each user accesses many applications and authenticating for each one would impede user productivity. In this case, SAML single sign-on (SSO) enables one login to access multiple applications. This is the default selection.
- Client Certificate—Select this to use a client certificate from the Cloud Identity Engine to obtain usernames and authenticate Prisma Access Agent users to Prisma Access. To authenticate users based on a client certificate, one of the certificate fields, such as the Subject Name field, must identify the username. End users who successfully authenticate through client certificate authentication don't have the option to sign out of the Prisma Access Agent.
- Client Certificate OR SAML—Select this to grant access to end users as long as they have successfully passed either client certificate authentication or SAML authentication.
- Client Certificate AND SAML—Select this to require users to pass both certificate authentication and SAML authentication.
Select an Authentication Profile to use for authentication based on the authentication type.- If you're using SAML, select an
Authentication Profile or Create
New. This authentication profile maps to the Cloud Identity Engine authentication profile that validates the login
credentials of end users who access applications and resources using the
Prisma Access Agent.If you're creating a new profile:
- Click Create New.
- Enter a Profile Name and select an available Cloud Identity Engine Profile.
- (Optional) Enter the Maximum Clock Skew
(seconds), which is the allowed system time
difference (in seconds) between the IdP and Prisma Access
when Prisma Access validates IdP messages. The default value
is 60 seconds, and the range is 1-900 seconds. If the difference
exceeds this value, authentication fails.
- Save your new profile. The profile is added to the Authentication Profile list.
- Select the profile you created if you want to use it to authenticate your users.
- If you're using the Client Certificate authentication type, select a Certificate Profile to verify the certificates that Prisma Access Agent users present to Prisma Access during a connection request. The certificate profile specifies the contents of the username and user domain fields; lists CA certificates; criteria for blocking a session; and offers ways to determine the revocation status of CA certificates.Because the certificate is part of the authentication for the user, you must predeploy certificates used in certificate profiles to your users before their initial login. The certificate profile specifies which certificate field contains the username (Subject or Subject Alt). If the certificate profile specifies Subject in the Username Field, the certificate presented by the endpoint must contain a Common Name for the endpoint to connect. If the certificate profile specifies a Subject-Alt with an Email or Principal Name as the Username Field, the certificate must contain the corresponding fields, which will be used as the username when the Prisma Access Agent authenticates to Prisma Access.
- If you're using Client Certificate OR SAML,
select a Certificate Profile and an
Authentication Profile. This will grant
access to end users as long as they have successfully passed either
client certificate authentication or SAML authentication.
- If you're using Client Certificate AND SAML, select a Certificate Profile and an Authentication Profile. This will require users to pass both certificate authentication and SAML authentication.
Save your user authentication settings.