Set Up SAML Authentication with CIE (Prisma Access Deployment on Strata Cloud Manager)
Use Strata Cloud Manager to set up the authentication for Prisma Access Agent
users in Prisma Access deployments.
You can use Strata Cloud Manager to set up user authentication using SAML with Cloud
Identity Engine so that only legitimate Prisma Access Agent users have access
to your services and applications.
- Set up an authentication profile in Strata Cloud Manager that references the authentication profile you created in Cloud Identity Engine; that profile validates the login credentials of end users who access resources and applications through the Prisma Access Agent.
- In Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access > Configuration Scope > Access Agent.
- Select Identity Services > Authentication > Authentication Profiles.
- Add Profile.
- Select Authentication Method > Cloud Identity Engine.
- Enter a Profile Name.
- Select an available Profile (which comes from Cloud Identity Engine).
- Enter the Maximum Clock Skew in seconds: the largest difference that Prisma Access tolerates between its own clock and the IdP's clock when it validates the timestamps in IdP messages. The default value is 60 seconds, and the range is 1-900 seconds. If the clocks differ by more than this value, authentication fails.
- By default, all users can authenticate with Prisma Access. To restrict authentication to specific users or user groups, select Match all > Add User and select the user or user group that you want to add. You can add more users or groups by clicking the plus sign (+) and searching for a user or user group. Click away from the drop-down to save your query.
- Save your new profile.
- In Strata Cloud Manager, select Workflows > Prisma Access Setup > Access Agent > Prisma Access Agent.
- If this is your first time setting up the Prisma Access Agent, click Set Up User Authentication. Otherwise, select an existing authentication method to update it, or select Add User Authentication.
- To authenticate users to Prisma Access, select an Authentication Type. The following authentication types are available with Cloud Identity Engine:
- Client Certificate (Cloud Identity Engine)—Select this to use a client certificate from the Cloud Identity Engine to obtain usernames and authenticate Prisma Access Agent users to Prisma Access. To authenticate users based on a client certificate, one of the certificate fields, such as the Subject Name field, must identify the username. End users who successfully authenticate through client certificate authentication don't have the option to sign out of the Prisma Access Agent.
- SAML (Cloud Identity Engine)—Select this to use SAML 2.0 to integrate Prisma Access with an identity provider (IdP) that controls access to both external and internal services and applications. SAML single sign-on (SSO) lets one login grant access to multiple applications, which helps in environments where each user accesses many applications and authenticating to each one separately would impede productivity. This is the default selection.
- Client Certificate OR SAML (Cloud Identity Engine)—Select this to grant access to end users as long as they have successfully passed either client certificate authentication or SAML authentication.
- Client Certificate AND SAML (Cloud Identity Engine)—Select this to require users to pass both certificate authentication and SAML authentication.
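The Maximum Clock Skew setting above governs the timestamp checks that any SAML service provider performs on an IdP's assertion. The following Go program is an added illustration of those checks and is not Prisma Access or Cloud Identity Engine code: it parses a constructed sample Response, applies the skew allowance to the assertion's IssueInstant, NotBefore and NotOnOrAfter, and shows the same assertion passing with the 60-second default and failing with a 10-second allowance when the SP's clock is 30 seconds behind the IdP's. The sample XML, the function name and the exact rule set are assumptions made for the illustration; this page does not publish Prisma Access's own validation logic.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// Constructed sample: the time-bearing skeleton of a SAML 2.0 Response as an IdP would post it
// to the Service Provider. Signature, Subject and attributes are omitted; only the timestamps
// matter for the clock-skew check.
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>`

// samlResponse maps only the fields the validity-window check reads. SAML's xs:dateTime
// values are RFC 3339 timestamps in UTC, which time.Time parses directly from the attribute.
type samlResponse struct {
	XMLName   xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	Assertion struct {
		IssueInstant time.Time `xml:"IssueInstant,attr"`
		Conditions   struct {
			NotBefore    time.Time `xml:"NotBefore,attr"`    // optional; zero value means no lower bound
			NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"` // optional; zero value means no upper bound
		} `xml:"urn:oasis:names:tc:SAML:2.0:assertion Conditions"`
	} `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
}

// CheckAssertionTiming applies the SP-side validity-window rules to the assertion in raw using
// the SP's clock now, tolerating up to skew of disagreement with the IdP's clock. It returns
// nil when the timestamps are acceptable and an error naming the failed check otherwise.
func CheckAssertionTiming(raw string, now time.Time, skew time.Duration) error {
	var resp samlResponse
	if err := xml.Unmarshal([]byte(raw), &resp); err != nil {
		return fmt.Errorf("parse response: %w", err)
	}
	a, c := resp.Assertion, resp.Assertion.Conditions
	ts := func(t time.Time) string { return t.Format(time.RFC3339) }
	switch {
	case a.IssueInstant.After(now.Add(skew)):
		// The IdP's clock runs ahead of the SP's by more than the allowance.
		return fmt.Errorf("IssueInstant %s is more than %s ahead of SP time %s", ts(a.IssueInstant), skew, ts(now))
	case now.Add(skew).Before(c.NotBefore):
		return fmt.Errorf("not yet valid: NotBefore %s, SP time %s, skew %s", ts(c.NotBefore), ts(now), skew)
	case !c.NotOnOrAfter.IsZero() && !now.Add(-skew).Before(c.NotOnOrAfter):
		// NotOnOrAfter is exclusive: the assertion is already invalid at exactly that instant.
		return fmt.Errorf("expired: NotOnOrAfter %s, SP time %s, skew %s", ts(c.NotOnOrAfter), ts(now), skew)
	}
	return nil
}

func main() {
	spClock := time.Date(2024, 5, 1, 11, 59, 30, 0, time.UTC) // SP clock 30 s behind the IdP's
	for _, skew := range []time.Duration{60 * time.Second, 10 * time.Second} {
		fmt.Printf("Maximum Clock Skew %v: %v\n", skew, CheckAssertionTiming(sampleResponse, spClock, skew))
	}
}
```

The first loop iteration passes with the default 60 seconds and the second fails with 10. Raising Maximum Clock Skew toward its 900-second ceiling makes authentication tolerate badly drifted clocks, but it also stretches the window in which a captured assertion stays acceptable, so correct time synchronization on the IdP and keep the value small rather than widening it.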
- Select the endpoint operating system to Authenticate Users From. Selecting Match Any authenticates users from all supported operating systems. The default is Match Any.
- Select a profile to use for authentication, based on the authentication type:
- If you're using the Client Certificate (Cloud Identity Engine) authentication type, select a Certificate Profile to verify the certificates that Prisma Access Agent users present to Prisma Access during a connection request. The certificate profile specifies the contents of the username and user domain fields, lists CA certificates, sets criteria for blocking a session, and offers ways to determine the revocation status of certificates. Because the certificate is part of the authentication for the user, you must predeploy the certificates used in certificate profiles to your users before their initial login. The certificate profile specifies which certificate field contains the username (Subject or Subject Alt). If the certificate profile specifies Subject in the Username Field, the certificate presented by the endpoint must contain a Common Name for the endpoint to connect. If the certificate profile specifies Subject Alt with Email or Principal Name as the Username Field, the certificate must contain the corresponding field, which is used as the username when the Prisma Access Agent authenticates to Prisma Access. If no certificate profile is listed, you need to configure a certificate profile in Cloud Identity Engine.
- If you're using SAML (Cloud Identity Engine), select an Authentication Profile. This is the profile you set up in step 1, which defines the authentication service that validates the login credentials of end users who access resources and applications using the Prisma Access Agent.
- If you're using Client Certificate OR SAML (Cloud Identity Engine), select a Certificate Profile and an Authentication Profile. End users are granted access as long as they have passed either client certificate authentication or SAML authentication.
- If you're using Client Certificate AND SAML (Cloud Identity Engine), select a Certificate Profile and an Authentication Profile. Users must pass both certificate authentication and SAML authentication.
- Save your user authentication settings.
- Your new or updated user authentication appears in the User Authentications table. Ensure that the OS listed in the Authenticate Users From column follows the hierarchy, with the OS-specific profiles at the top and the Any OS profile at the bottom. If the user authentication profile with Any OS is placed above the OS-specific authentication profiles, the Any OS profile won't get matched, because Prisma Access Agent always selects the authentication profile with the exact matching OS. You can select a user authentication profile and Move it up or down the table.
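The certificate profile's Username Field decides which certificate field becomes the username, and the certificate-profile step above notes that a certificate missing that field cannot connect. The following Go program is an added example, not Prisma Access or Cloud Identity Engine code, that exercises the three cases on a throw-away self-signed client certificate it generates itself: Subject (Common Name), Subject Alt with Email (the rfc822Name SAN), and Subject Alt with Principal Name, which lives in a SAN otherName under the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3. Go's crypto/x509 does not surface otherName entries, so the example decodes the UPN from the raw extension. The names, the self-signed certificate and the error strings are the example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// The certificate profile's Username Field choices described above.
const SubjectCN, SubjectAltEmail, SubjectAltUPN = "Subject", "Subject Alt: Email", "Subject Alt: Principal Name"
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
var oidUserPrincipal = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3} // Microsoft UPN otherName

// upnOtherName is RFC 5280's OtherName with the UPN's UTF8String inside the EXPLICIT [0] value.
type upnOtherName struct {
	TypeID asn1.ObjectIdentifier
	UPN    string `asn1:"tag:0,explicit,utf8"`
}

// UsernameFromCert returns the username a profile with this Username Field derives, or an error when the field is absent.
func UsernameFromCert(cert *x509.Certificate, field string) (string, error) {
	switch field {
	case SubjectCN:
		if cert.Subject.CommonName != "" {
			return cert.Subject.CommonName, nil
		}
	case SubjectAltEmail:
		if len(cert.EmailAddresses) > 0 {
			return cert.EmailAddresses[0], nil
		}
	case SubjectAltUPN:
		if upn := upnFromSAN(cert); upn != "" {
			return upn, nil
		}
	}
	return "", fmt.Errorf("Username Field %q: certificate does not carry that field", field)
}

// upnFromSAN decodes the raw SAN: crypto/x509 surfaces only DNS, email, IP and URI names and skips otherName entries.
func upnFromSAN(cert *x509.Certificate) string {
	var names []asn1.RawValue
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidSubjectAltName) {
			asn1.Unmarshal(ext.Value, &names) // structure already validated by ParseCertificate
		}
	}
	for _, n := range names {
		// Only a [0] OtherName with the UPN OID decodes into upnOtherName; rfc822Name, dNSName and foreign otherNames fail.
		var on upnOtherName
		if _, err := asn1.UnmarshalWithParams(n.FullBytes, &on, "tag:0"); err == nil && on.TypeID.Equal(oidUserPrincipal) {
			return on.UPN
		}
	}
	return ""
}

// MakeCert issues a throw-away self-signed client certificate (an assumed stand-in for a pre-deployed one) with the given CN, email and/or UPN.
func MakeCert(cn, email, upn string) (*x509.Certificate, error) {
	var names []asn1.RawValue
	if email != "" { // [1] IMPLICIT IA5String
		names = append(names, asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 1, Bytes: []byte(email)})
	}
	if upn != "" { // [0] IMPLICIT OtherName; the x509 template has no field for this
		der, err := asn1.MarshalWithParams(upnOtherName{TypeID: oidUserPrincipal, UPN: upn}, "tag:0")
		if err != nil {
			return nil, err
		}
		names = append(names, asn1.RawValue{FullBytes: der})
	}
	san, err := asn1.Marshal(names)
	if err != nil {
		return nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		// RFC 5280 section 4.2.1.6: the SAN must be critical when the Subject is empty.
		ExtraExtensions: []pkix.Extension{{Id: oidSubjectAltName, Critical: cn == "", Value: san}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := MakeCert("alice", "alice@example.com", "alice@corp.example")
	if err != nil {
		panic(err)
	}
	fmt.Println(UsernameFromCert(cert, SubjectAltUPN)) // alice@corp.example <nil>
}
```

To reproduce the failure the page warns about, issue a certificate with no Common Name (for example, MakeCert with an empty first argument and only an email SAN) and ask for the Subject field: UsernameFromCert returns an error, which is the condition under which the endpoint cannot connect. The same happens when a Principal Name profile meets a certificate whose SAN carries an email but no UPN, so check the issued certificates against the profile's Username Field before rolling them out.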