Seamless User Authentication with Refresh Tokens in Prisma Access Agent
Prisma Access Agent uses refresh tokens for efficient authentication to reduce
login frequency while maintaining security.
Where Can I Use This?
Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
Check the prerequisites for the deployment you're using
Prisma Access Agent version: 25.1.0.14
macOS 14 and later or Windows 10 version 2024 and later desktop devices
Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
Prisma Access Agent uses refresh tokens to streamline authentication for users and
minimize disruptions to their work. When a user's access token expires, the agent uses
the refresh token to obtain a new access token without user intervention. This happens
in the background, so mobile users and remote offices keep uninterrupted access to cloud
and on-premises resources.
By default, the refresh token has a 7-day lifetime, so users keep secure access without
frequent logins. The refresh token therefore stands in for the user's credentials for up
to 7 days, and its lifetime bounds how long a session can continue before the user must
prove their identity again. Before the refresh token expires (for example, 60 minutes
before), users receive a notification in the Prisma Access Agent app.
Notification Process
The user is notified of the impending token expiration according to the Notify Before
Session Expires and Session Timeout Expiration Message settings in the Prisma Access
Agent app settings. If no message is configured, the system shows a generic
notification indicating that the session is about to expire.
For example, 60 minutes before token expiration, the user receives an OS notification
(desktop notifications must be enabled for this). The following image is an example of
the OS notification on a macOS desktop device.
When the user clicks the OS notification, the Prisma Access Agent app opens and shows a
notification banner at the bottom of the window. (The message on the banner isn't
configurable.) The user only needs to click the notification banner to start a new
session.
SAML Authentication Workflow
If you configured the agent to use SAML authentication and the user's identity provider
(IdP) session is still active, reauthentication with the agent completes without user
action. When the user clicks the notification banner, the banner is removed from the
app. In the background, the agent initiates SAML authentication while remaining in the
connected state, so the agent and gateway stay connected. The agent then reauthenticates
with the server, obtains a new gateway token, and reestablishes the tunnel.
If the IdP session has expired, the user must complete the SAML authentication flow to
renew the session. The system default browser or the Prisma Access Agent embedded browser
opens and redirects the user to their organization's login page, where they authenticate
with their organization.
After successful authentication, the user is connected to Prisma Access Agent.
LDAP Authentication Workflow
If you're using LDAP authentication and the user's LDAP credentials are still valid,
reauthentication with the agent completes without user action. When the user clicks the
notification banner, the banner is removed from the app. In the background, the agent
initiates LDAP authentication while remaining in the connected state, so the agent and
gateway stay connected. The agent then reauthenticates with the server, obtains a new
gateway token, and reestablishes the tunnel.
If the user's LDAP credentials have expired, the user must reenter their login
credentials to authenticate with the LDAP server. After successful authentication, the
user is connected to Prisma Access Agent.
Alternate User Notification Scenarios
The following scenarios apply if the user does not respond to the initial OS
notification.
Scenario: The user misses the OS notification, or there is no OS notification (for
example, because desktop notifications are not enabled).
Result: The Prisma Access Agent app opens, showing the notification banner at the
bottom of the window. The user can click the banner to start a new session.
Scenario: The user takes no action on either the OS notification or the Prisma Access
Agent app.
Result: Five minutes before session expiration, the notification banner in the Prisma
Access Agent app turns orange. The user can click the banner at any time to start a new
session. If the user does not click the banner, the session expires and the user must
reauthenticate in a browser tab to access the agent.
Scenario: The user clicks away from the Prisma Access Agent app during the 5-minute
countdown to expiration.
Result: The Prisma Access Agent app closes automatically and a browser tab opens for
the user to reauthenticate.
Scenario: The user's device is in sleep mode.
Result: The system does not show an expiration notification. The user needs to open
Prisma Access Agent and reauthenticate when the system default browser opens.
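The following is an added example, not Prisma Access Agent code, that models the behaviour described above (the background refresh flow and the notification thresholds from the scenarios): short-lived access tokens are renewed from a 7-day refresh token without user action, the app signals "notify" once the configured notify-before window (60 minutes here) is reached and "urgent" in the last 5 minutes, and once the refresh token has expired only an interactive login starts a new session. The TokenServer, Agent, and Token names are hypothetical, the timestamps are a constructed clock in seconds, and the access-token lifetime of one hour is an assumption the page does not state.

```python
"""Toy model of a refresh-token session with expiry notifications.

Added example, not Prisma Access Agent code: it models the behaviour the page
describes (background renewal from a 7-day refresh token, a notification before
the session expires, an urgent warning in the last 5 minutes, interactive login
once the refresh token is gone) with constructed timestamps and hypothetical names.
"""
import secrets
from dataclasses import dataclass

REFRESH_LIFETIME = 7 * 24 * 3600  # 7 days, the default on the page
ACCESS_LIFETIME = 3600            # assumed; the page does not state the access-token lifetime
NOTIFY_BEFORE = 60 * 60           # Notify Before Session Expires: 60 minutes in the page's example
URGENT_BEFORE = 5 * 60            # banner turns orange 5 minutes before expiry


@dataclass
class Token:
    value: str
    expires_at: int  # seconds on a constructed clock


class TokenServer:
    """Hypothetical issuer standing in for the Prisma Access side."""

    def __init__(self):
        self._refresh_expiry = {}  # refresh token value -> expiry time

    def login(self, now):
        """Interactive login (SAML or LDAP on the page): fresh refresh token and access token."""
        rt = Token(secrets.token_urlsafe(16), now + REFRESH_LIFETIME)
        self._refresh_expiry[rt.value] = rt.expires_at
        return rt, self._access_token(now)

    def refresh(self, rt, now):
        """Exchange a live refresh token for a new access token; None if unknown or expired."""
        expiry = self._refresh_expiry.get(rt.value)
        if expiry is None or now >= expiry:
            self._refresh_expiry.pop(rt.value, None)
            return None
        return self._access_token(now)

    def _access_token(self, now):
        return Token(secrets.token_urlsafe(16), now + ACCESS_LIFETIME)


class Agent:
    """Hypothetical client: keeps the access token valid without bothering the user while it can."""

    def __init__(self, server, now):
        self.server = server
        self.refresh_token, self.access_token = server.login(now)

    def ensure_access(self, now):
        """Called before each use of the tunnel. Returns what had to happen."""
        if now >= self.refresh_token.expires_at:
            # Session over: the refresh token is gone, so only an interactive login helps.
            self.refresh_token, self.access_token = self.server.login(now)
            return "reauthenticated"
        if now < self.access_token.expires_at:
            return "valid"
        new_access = self.server.refresh(self.refresh_token, now)
        if new_access is None:
            # The server no longer accepts the refresh token: interactive login again.
            self.refresh_token, self.access_token = self.server.login(now)
            return "reauthenticated"
        self.access_token = new_access  # background renewal, no user action
        return "refreshed"

    def renew_session(self, now):
        """What clicking the notification banner does: start a new session while still connected."""
        self.refresh_token, self.access_token = self.server.login(now)

    def notification_state(self, now):
        """What the app should show, judged against refresh-token (session) expiry."""
        remaining = self.refresh_token.expires_at - now
        if remaining <= 0:
            return "expired"
        if remaining <= URGENT_BEFORE:
            return "urgent"   # orange banner
        if remaining <= NOTIFY_BEFORE:
            return "notify"   # OS notification and banner
        return "none"


def simulate():
    """Walk a constructed timeline and record (time, action, notification state) at each step."""
    server = TokenServer()
    agent = Agent(server, now=0)
    checkpoints = (0, ACCESS_LIFETIME, 2 * ACCESS_LIFETIME,
                   REFRESH_LIFETIME - NOTIFY_BEFORE,
                   REFRESH_LIFETIME - URGENT_BEFORE,
                   REFRESH_LIFETIME)
    return [(t, agent.ensure_access(t), agent.notification_state(t)) for t in checkpoints]


if __name__ == "__main__":
    for t, action, state in simulate():
        print(f"t={t:>7}s  {action:<15} banner={state}")
```

Running the module prints the timeline: the first access-token expirations are handled silently with "refreshed", the banner state moves to "notify" and then "urgent" as the refresh token nears its 7-day limit, and at the limit the agent reports "reauthenticated", the point at which the page says a browser tab opens. Calling renew_session while the banner is showing corresponds to the user clicking it: a new refresh token is issued and the state drops back to "none".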