Here’s how Explicit Proxy with SAML works. Follow along to see the path traffic takes:

1. The mobile user browses the internet or accesses a SaaS application by entering the URL or IP address in a web browser.

2. The browser on the mobile user’s endpoint reads the PAC file. The PAC file specifies that the URL or SaaS request should go to the Prisma Access explicit proxy.

3. The HTTPS client (the browser on the mobile user’s endpoint) forwards the request to the proxy URL.

4. The explicit proxy receives the traffic and decrypts it.

5. The proxy inspects the traffic and checks for the presence and validity of the authentication cookie set by the Prisma Access explicit proxy. The cookie contains information that identifies the mobile user, and the proxy uses it to authenticate the user.

6. If the cookie is not present or is invalid, Prisma Access determines that the user is not authenticated and redirects the user to the Authentication Cache Service (ACS) for authentication.

7. After the IdP authenticates the user, Prisma Access stores the user’s authentication state in ACS. The validity period of the authentication is based on the Cookie Lifetime value you specify during explicit proxy configuration.

8. After ACS confirms the authentication of the user, it redirects the user back to the explicit proxy with a token. The proxy validates that token and sets the cookie for that domain for that user.

9. Prisma Access applies security enforcement based on the Security policy rules that the administrator has configured.

10. If the URL is not blocked by Security policy rules, Prisma Access sends the request to the internet.