Enable Mobile Users to Authenticate to Prisma Access
Define authentication settings for mobile users to connect to Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license
You can authenticate mobile users to Prisma Access using any of the supported authentication types. Follow these steps to set up authentication for GlobalProtect or Explicit Proxy mobile users.
  1. Go to Workflows > Prisma Access Setup, open either your Mobile Users: GlobalProtect or Explicit Proxy configuration, and select Set Up User Authentication.
  2. Choose your Authentication Method from the supported authentication types.
    If you haven’t already integrated Prisma Access with your authentication services, here’s how.
  3. Choose the authentication Profile you configured to enable Prisma Access to connect to the service you want to use to authenticate users.
  4. Specify certificate authentication settings:
    • Certificate Authentication
      For enhanced security, use a client certificate (in addition to your authentication service) to obtain usernames and authenticate users to Prisma Access. To authenticate users based on a client certificate, one of the certificate fields, such as the Subject Name field, must identify the username. Mobile users who successfully authenticate through client certificate authentication do not have the option to sign out of the GlobalProtect app.
      With Prisma Access, you can require mobile users to pass both certificate authentication and authentication based on the authentication type you chose, or you can grant access as long as they pass only one of those checks. Requiring both makes the certificate a genuine second factor; allowing either check alone means access is only as strong as the weaker of the two.
    • Certificate Profile
      Use an optional certificate profile to verify the certificates mobile users present to Prisma Access with a connection request. The certificate profile specifies the contents of the username and user domain fields, lists the CA certificates, sets the criteria for blocking a session, and offers ways to determine the revocation status of certificates. Because the certificate is part of the authentication for the mobile user, you must pre-deploy the certificates used in certificate profiles to your users before their initial login.
      The certificate profile specifies which certificate field contains the username (Subject or Subject Alt). If the certificate profile specifies Subject in the Username Field, the certificate presented by the endpoint must contain a common-name for the endpoint to connect. If the certificate profile specifies Subject Alt with Email or Principal Name as the Username Field, the certificate must contain the corresponding Subject Alternative Name entry, which is then used as the username when the GlobalProtect app authenticates to Prisma Access. Check that the certificates you pre-deploy actually carry the field the profile selects; a certificate that lacks it cannot connect.
  5. Specify a Cookie Lifetime for the cookie that stores the users’ authentication credentials.
    After the IdP authenticates the user, Prisma Access stores the authentication state of the user in the Authentication Cache Service (ACS). The validity period of the authentication is based on the Cookie Lifetime value you specify here.
    To prevent users from being unable to download large files before the cookie lifetime expires, or from having the cookie expire while they are on a single website for a long period, Palo Alto Networks recommends a Cookie Lifetime of at least one day. If an Explicit Proxy user's ACS cookie expires, browsing to a different website re-authenticates the user to ACS and refreshes the cookie. The lifetime you choose is also how long the cached authentication state in ACS remains valid, so weigh a longer value against your session-timeout requirements.
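The certificate profile's Username Field setting in step 4 decides which part of the pre-deployed client certificate becomes the username, and a certificate that lacks that field cannot connect. The Go program below is an added example written for this page, not code from Prisma Access or Palo Alto Networks: it models that lookup against a parsed X.509 certificate, including the Microsoft UPN (Principal Name) otherName that Go's x509 parser does not surface on its own, and shows the refusal for a certificate that carries only a common-name. The constant names, the function names, and the self-signed test certificates it mints are all assumptions of the example. To check a certificate you actually intend to pre-deploy, pass its DER bytes to x509.ParseCertificate and call UsernameFromCert with the setting your profile uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Username Field choices of a certificate profile (the constant names are ours, not Prisma Access's).
const UsernameSubject = "Subject"                   // common-name in the Subject
const UsernameSANEmail = "Subject Alt Email"        // rfc822Name in Subject Alt Name
const UsernameSANUPN = "Subject Alt Principal Name" // Microsoft UPN otherName in Subject Alt Name
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
var oidMicrosoftUPN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3} // szOID_NT_PRINCIPAL_NAME
// otherName is GeneralName CHOICE [0]; a UPN is a UTF8String inside its [0] EXPLICIT value.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"tag:0,explicit,utf8"`
}

// upnFromSAN reads the raw Subject Alt Name extension; Go's x509 parser silently skips otherName.
func upnFromSAN(cert *x509.Certificate) string {
	var names []asn1.RawValue // the SAN value is SEQUENCE OF GeneralName
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidSubjectAltName) {
			_, _ = asn1.Unmarshal(ext.Value, &names) // a malformed SAN leaves names empty: no UPN
		}
	}
	for _, gn := range names {
		var on otherName // only a [0]-tagged, constructed GeneralName decodes as an otherName
		if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err == nil && on.TypeID.Equal(oidMicrosoftUPN) {
			return on.Value
		}
	}
	return ""
}

// UsernameFromCert applies the profile's Username Field; an error is the failure the text describes.
func UsernameFromCert(cert *x509.Certificate, field string) (string, error) {
	var user string
	switch field {
	case UsernameSubject:
		user = cert.Subject.CommonName
	case UsernameSANEmail:
		user = append(cert.EmailAddresses, "")[0] // first rfc822Name, or "" when there is none
	case UsernameSANUPN:
		user = upnFromSAN(cert)
	default:
		return "", fmt.Errorf("unknown Username Field %q", field)
	}
	if user == "" {
		return "", fmt.Errorf("Username Field %q: certificate lacks that field, endpoint cannot connect", field)
	}
	return user, nil
}

// sanExtension hand-encodes a Subject Alt Name (UPN otherName and/or rfc822Name); Go's template cannot emit otherName.
func sanExtension(email, upn string) pkix.Extension {
	var body []byte
	if upn != "" {
		other, _ := asn1.MarshalWithParams(otherName{TypeID: oidMicrosoftUPN, Value: upn}, "tag:0")
		body = append(body, other...)
	}
	if email != "" {
		rfc822, _ := asn1.Marshal(asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 1, Bytes: []byte(email)})
		body = append(body, rfc822...)
	}
	value, _ := asn1.Marshal(asn1.RawValue{Tag: asn1.TagSequence, IsCompound: true, Bytes: body})
	return pkix.Extension{Id: oidSubjectAltName, Value: value}
}

// selfSignedCert mints constructed test data: a throwaway self-signed client certificate, not one from any real CA.
func selfSignedCert(cn, email, upn string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotAfter: time.Now().Add(time.Hour)}
	if email != "" || upn != "" {
		tmpl.ExtraExtensions = []pkix.Extension{sanExtension(email, upn)}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint("building test certificate: ", err, " ", perr))
	}
	return cert
}

func main() {
	full, cnOnly := selfSignedCert("jdoe", "jdoe@example.com", "jdoe@corp.example"), selfSignedCert("laptop-0042", "", "")
	for _, field := range []string{UsernameSubject, UsernameSANEmail, UsernameSANUPN} {
		u1, err1 := UsernameFromCert(full, field)
		u2, err2 := UsernameFromCert(cnOnly, field)
		fmt.Printf("%-26s full SAN cert: %q %v | CN-only cert: %q %v\n", field, u1, err1, u2, err2)
	}
}
```

The hand-encoding in sanExtension exists only to mint the test certificates; certificates you deploy come from your CA and are simply parsed. The point for rollout is the check UsernameFromCert performs: run it with the Username Field your profile uses over every certificate template you intend to push, and fix the template before users hit the refusal at their first login.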