Seamless User Authentication with Refresh Tokens in Prisma Access Agent

Prisma Access Agent uses refresh tokens for efficient authentication to reduce login frequency while maintaining security.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Check the prerequisites for the deployment you're using
  • Prisma Access Agent version: 25.1.0.14
  • macOS 14 and later or Windows 10 version 2024 and later desktop devices
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
Prisma Access Agent uses refresh tokens to streamline authentication for users, minimizing disruptions to their work. When a user's access token expires, the refresh token automatically obtains a new one without requiring user intervention. This process occurs in the background, ensuring uninterrupted access to cloud and on-premises resources for mobile users and remote offices.
By default, the refresh token has a 7-day lifetime, enabling secure access without frequent logins. Users receive a notification on their Prisma Access Agent app 60 minutes before token expiration.

Notification Process

The user is notified of the impending token expiration based on the Notify Before Session Expires and Session Timeout Expiration Message settings in the Prisma Access Agent app settings. If no message has been configured, the system shows a generic notification indicating that the session is about to expire.
For example, 60 minutes before token expiration, the user receives an OS notification (desktop notifications must be enabled for this to occur). The following image is an example of the OS notification on a macOS desktop device.
When the user clicks on the OS notification, the Prisma Access Agent app opens showing a notification banner at the bottom of the window. (The message on the banner isn’t configurable.) The user merely has to click the notification banner to start a new session.
SAML Authentication Workflow
If you configured the agent to use SAML authentication and the user's identity provider (IdP) session is still active, authentication with the agent continues without user action. When the user clicks the notification banner, the banner is removed from the app. In the background, the agent initiates SAML authentication but remains in the connected state, so the agent and gateway stay connected. The agent then reauthenticates with the server, gets a new gateway token, and reestablishes the tunnel.
If the IdP session has expired, the user must complete the SAML authentication flow to renew the session. The system default browser or the Prisma Access Agent embedded browser opens and redirects the user to their organization's login page, where they authenticate with their organization.
After successful authentication, the user will be connected to the Prisma Access Agent.
(Prisma Access Agent 25.3.0.43) LDAP Authentication Workflow
If you're using LDAP authentication and the user's LDAP credentials are still valid, authentication with the agent continues without user action. When the user clicks the notification banner, the banner is removed from the app. In the background, the agent initiates LDAP authentication but remains in the connected state, so the agent and gateway stay connected. The agent then reauthenticates with the server, gets a new gateway token, and reestablishes the tunnel.
If the user's LDAP credentials have expired, they will need to reenter their login credentials to authenticate with the LDAP server. After successful authentication, the user will be connected to the Prisma Access Agent.

Alternate User Notification Scenarios

The following scenarios apply if the user does not respond to the initial OS notification.
  • The user misses the OS notification, or there is no OS notification (for example, because desktop notifications are not enabled).
    The Prisma Access Agent app will open, showing the notification banner at the bottom of the window. The user can click on the banner to start a new session.
  • The user takes no action in either the OS notification or the Prisma Access Agent app.
    Five minutes before session expiration, the notification banner will change to an orange color in the Prisma Access Agent app. The user can click the banner at any time to start a new session. If the user does not click the banner, the session will expire and the user will need to reauthenticate in a browser tab to access the agent.
  • The user clicks away from the Prisma Access Agent during the 5-minute countdown to expiration.
    The Prisma Access Agent app will close automatically and a browser tab will appear for the user to reauthenticate.
  • The user's device is in sleep mode.
    The system does not show any expiration notification. The user needs to open the Prisma Access Agent and reauthenticate when the system default browser comes up.
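As an added illustration (not Palo Alto Networks code) of the session lifecycle this page describes, the following Python model ties together the timings given above: the 7-day refresh token, the 60-minute notice, the 5-minute orange banner, the silent reuse of the refresh token when an access token expires, and the sleep-mode case in which no notification is shown. The access-token lifetime, the assumption that a successful background reauthentication issues a fresh 7-day refresh token, and all function and type names are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

REFRESH_TOKEN_LIFETIME = timedelta(days=7)     # default stated on the page
NOTIFY_BEFORE = timedelta(minutes=60)          # OS notification / banner appears
URGENT_BEFORE = timedelta(minutes=5)           # banner turns orange
ACCESS_TOKEN_LIFETIME = timedelta(hours=1)     # assumption: not stated on the page

class State(Enum):
    CONNECTED = "connected"   # no expiry warning shown
    NOTIFY = "notify"         # within 60 min: OS notification and app banner
    URGENT = "urgent"         # within 5 min: orange banner
    EXPIRED = "expired"       # session over: reauthenticate in a browser tab

@dataclass(frozen=True)
class Session:
    refresh_expires_at: datetime
    access_expires_at: datetime

def issue_session(now: datetime) -> Session:
    """A fresh login yields a 7-day refresh token and a short-lived access token."""
    return Session(now + REFRESH_TOKEN_LIFETIME, now + ACCESS_TOKEN_LIFETIME)

def refresh_access_token(session: Session, now: datetime) -> Optional[Session]:
    """Background renewal: an expired access token is replaced using the refresh
    token with no user interaction. Returns None once the refresh token itself
    has expired, which is when the user must reauthenticate."""
    if now >= session.refresh_expires_at:
        return None
    if now < session.access_expires_at:
        return session  # access token still valid; nothing to do
    # Assumption: a renewed access token never outlives the refresh token.
    new_expiry = min(now + ACCESS_TOKEN_LIFETIME, session.refresh_expires_at)
    return replace(session, access_expires_at=new_expiry)

def banner_state(session: Session, now: datetime, device_asleep: bool = False) -> State:
    """What the agent shows for the approaching refresh-token (session) expiry."""
    remaining = session.refresh_expires_at - now
    if remaining <= timedelta(0):
        return State.EXPIRED
    if device_asleep:
        return State.CONNECTED  # no expiration notification while the device sleeps
    if remaining <= URGENT_BEFORE:
        return State.URGENT
    return State.NOTIFY if remaining <= NOTIFY_BEFORE else State.CONNECTED

def click_banner(session: Session, now: datetime, idp_session_active: bool) -> Optional[Session]:
    """Clicking the banner: with a live IdP/LDAP session the agent reauthenticates
    in the background and stays connected; otherwise (None) a browser login is needed."""
    return issue_session(now) if idp_session_active else None
```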