Set Up Cloud Identity Engine for Prisma Access Agent User Authentication
Use Cloud Identity Engine to enable group-based policy for Prisma Access Agent app settings, forwarding profile settings, and staged rollout configuration.
To grant your users access to corporate resources and applications, you must verify
the identities of the users to ensure that they are who they claim to be. Cloud Identity Engine can be used to
authenticate users when they connect to Prisma Access Agent.
Cloud Identity Engine is a free app on the hub that gives Prisma Access read-only
access to your information in IdPs such as Azure Active Directory or Okta Directory.
With Cloud Identity Engine, you can easily implement user-based security policies
and decryption.
Cloud Identity Engine allows you to create security policy based on users and groups,
and helps secure your assets by enforcing behavior-based security actions. It also
adapts to changing security needs and users by making it simpler to configure an
identity source or provider as a single unified source of user identity that you can
extend as needs change. By continually syncing the information from your
cloud-based directories, it ensures that your user information is accurate and up to
date, and policy enforcement based on the existing mappings continues even if the cloud
identity provider is temporarily unavailable.
When users authenticate to the agent from an endpoint, Cloud Identity Engine redirects
the authentication request to a SAML 2.0-based identity provider (IdP). After the
IdP authenticates the user, the gateway maps the user and applies the appropriate
security policy to the endpoint. You can use SAML 2.0-compliant identity providers
(IdPs) or a client certificate to authenticate your users.
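The flow above ends with the gateway mapping the authenticated user to groups and applying the matching policy. The following Python script is an added illustration of that post-IdP step, not Cloud Identity Engine or Prisma Access code: it checks the assertion's issuer, validity window and audience restriction, reads the subject and a `groups` attribute, and resolves a group-based allow list, denying by default. The IdP entity ID, audience URL, group names, application names and the sample SAML response are all constructed for this example; XML signature verification, which a real service provider performs before trusting any of these fields, is outside its scope.

```python
"""Model of the post-IdP step: validate a SAML 2.0 assertion, map the user to
groups, and resolve group-based policy. Illustrative only; not Prisma Access
or Cloud Identity Engine code."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed values for this example: the trusted IdP entity ID and the service
# provider audience that an authentication profile would be configured with.
EXPECTED_ISSUER = "https://idp.example.test/"
EXPECTED_AUDIENCE = "https://agent-auth.example.test/sp"

# Constructed group-based policy: group name -> applications that group may reach.
GROUP_POLICY = {
    "Engineering": {"source-control", "ci-dashboard"},
    "VPN-Users": {"intranet-web"},
}

# Constructed sample response (no real tenant, IdP or user). The XML signature is
# omitted; in a real flow it is verified against the IdP certificate first.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-15T10:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://agent-auth.example.test/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>Engineering</saml:AttributeValue>
        <saml:AttributeValue>VPN-Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _utc(ts):
    """Parse a SAML UTC timestamp such as 2024-01-15T10:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_login(response_xml, now_iso,
                   expected_issuer=EXPECTED_ISSUER,
                   expected_audience=EXPECTED_AUDIENCE):
    """Return an allow/reject decision for one SAML response evaluated at now_iso."""
    now = _utc(now_iso)
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError as exc:
        return {"status": "rejected", "reason": f"malformed XML: {exc}"}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"status": "rejected", "reason": "no assertion in response"}

    # 1. The assertion must come from the IdP this tenant trusts.
    issuer = (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        return {"status": "rejected", "reason": f"unexpected issuer {issuer!r}"}

    # 2. Honour the validity window and the audience restriction.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return {"status": "rejected", "reason": "missing validity conditions"}
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        return {"status": "rejected", "reason": "assertion outside validity window"}
    audiences = {a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text}
    if expected_audience not in audiences:
        return {"status": "rejected", "reason": "audience mismatch"}

    # 3. Map the subject to its groups and resolve policy; no match means deny.
    user = (assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not user:
        return {"status": "rejected", "reason": "empty NameID"}
    groups = sorted(
        v.text.strip()
        for v in assertion.findall(
            "saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue", NS)
        if v.text
    )
    apps = set()
    for group in groups:
        apps |= GROUP_POLICY.get(group, set())
    if not apps:
        return {"status": "rejected", "reason": "no policy matches user groups", "user": user}
    return {"status": "allowed", "user": user, "groups": groups, "applications": sorted(apps)}


if __name__ == "__main__":
    print(evaluate_login(SAMPLE_RESPONSE, "2024-01-15T10:01:00Z"))
    print(evaluate_login(SAMPLE_RESPONSE, "2024-01-15T10:05:00Z"))  # past NotOnOrAfter
```

Note that the time check treats `NotOnOrAfter` as exclusive, matching the SAML wording, and that an assertion whose groups match no rule is rejected rather than given an empty allow list, which is the deny-by-default behaviour a group-based policy should have.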
Before you begin to configure Cloud Identity Engine for Prisma Access Agent user
authentication, ensure that you complete the following prerequisites:
- For Prisma Access deployments:
- For NGFW deployments:
- Set up the Cloud Identity Engine.
- Configure Cloud Identity Engine with an Azure directory or an Okta directory as IdP for mobile users.
- Open the Cloud Identity Engine app associated with your tenant.
- For Strata Cloud Manager Managed deployments: Select your tenant name in the navigation pane and select Cloud Identity Engine.
- For Panorama Managed deployments:
- Cross-launch the Strata Cloud Manager app from the Panorama cloud services plug-in by selecting Panorama > Cloud Services > Prisma Access Agent > Configure Prisma Access Agent.
- Select your tenant name in the navigation pane and select Cloud Identity Engine.
You can use SAML 2.0-compliant identity providers (IdPs) or a client certificate to authenticate your users. You need to configure specific identity providers as authentication types.
- To use SAML 2.0 as an authentication type:
- Add an Azure directory or an Okta directory as IdP for mobile users.
- Configure Azure as an IdP in the Cloud Identity Engine or Configure Okta as an IdP in the Cloud Identity Engine, and add Azure or Okta as an authentication type.
- To use a client certificate as an authentication type, Configure a Client Certificate and set up the client certificate as an authentication type.
Set Up an Authentication Profile and associate the authentication profile with the authentication type (either SAML 2.0 or client certificate) that you set up in the previous step.
- For Strata Cloud Manager Managed deployments: