Configure Mobile Users using Cloud Identity Engine (Recommended)

Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Minimum Required Prisma Access Version: 4.0 Preferred
Cloud Identity Engine (Directory Sync) gives Prisma Access read-only access to your Active Directory information, so that you can easily set up and manage security and decryption policies for users and groups. Cloud Identity Engine works with both on-premises Active Directory and Microsoft Entra ID (formerly Azure Active Directory). Prisma Access retrieves user and group information from your organization’s cloud directory or Active Directory (AD) to enforce user- and group-based policy. Optionally, Prisma Access retrieves user behavior-based risk signals from some cloud directory vendors, such as Microsoft Entra ID, to enforce automated security actions. In addition to simplifying user and group information retrieval, integrating the Cloud Identity Engine with Prisma Access can reduce the bandwidth and query load on your cloud directory or AD, because Prisma Access reads from the synchronized copy rather than from the directory itself. To set up Cloud Identity Engine with Prisma Access, start by going to the hub to activate Cloud Identity Engine and add it to Prisma Access. Then go to Prisma Access to validate that Prisma Access is able to access directory data.

Configure Mobile Users using Cloud Identity Engine (Recommended) (Strata Cloud Manager)

You first configure SAML in Microsoft Entra ID (formerly Azure Active Directory (Azure AD)), then import the metadata XML file (the file that contains SAML registration information) from Microsoft Entra ID and upload it to a SAML Identity Provider you create in Prisma Access. You then create an Authentication Profile that references the IdP server profile, add the authentication profile to the Explicit Proxy or GlobalProtect configuration, and commit and push your changes.
If you are a GlobalProtect mobile user, upgrade your GlobalProtect app to version 6.0 or later.
  1. From Prisma Access, open the Cloud Identity Engine app associated with your tenant.
    1. Go to Prisma Access > Tenants and Services > Cloud Identity Engine.
  2. Download the SP Metadata in the Cloud Identity Engine app.
    1. Go to Authentication > Authentication Types > Add New.
    2. Set Up a SAML 2.0 authentication type.
    3. Download SP Metadata.
    4. Log in to the Azure Portal and select Microsoft Entra ID.
      Make sure you complete all the necessary steps in the Azure portal.
      If you have more than one directory, Switch directory to select the directory you want to use with the Cloud Identity Engine.
    5. Select Enterprise applications and click New application.
    6. Search for Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service and create the Microsoft Entra ID single-sign on integration.
      Customize the app name if required while creating the application.
    7. After the application loads, select Users and groups, then Add user/group to Assign them to this application.
      Select the users and groups you want to have use the Azure IdP in the Cloud Identity Engine for authentication.
      Be sure to assign the account you are using so you can test the configuration when it is complete. You may need to refresh the page after adding accounts to successfully complete the test.
    8. Set up single sign-on then select SAML.
    9. Upload Metadata File by browsing to the metadata file that you downloaded from the Cloud Identity Engine app in step 2.c and click Add.
    10. After the metadata uploads, enter your regional endpoint as the Sign-on URL using the following format: https://<RegionUrl>.paloaltonetworks.com/sp/acs (where <RegionUrl> is your regional endpoint).
      Alternatively, copy the Reply URL into the Sign-on URL field.
    11. Save your configuration.
    12. Download the Federation Metadata XML under SAML Certificates.
  3. Add Azure as an authentication type in the Cloud Identity Engine app.
    1. In the Cloud Identity Engine app, select Authentication > Authentication Types > Add New.
    2. Set Up a SAML 2.0 authentication type.
    3. Enter a Profile Name.
    4. Select Azure as your IDP Vendor.
    5. Under Add Metadata, select Upload Metadata and choose the Federation Metadata XML file you downloaded in step 2.l.
    6. Click to Upload.
    7. Test SAML Setup to verify the profile configuration.
    8. Select the SAML attributes you want Prisma Access to use for authentication and Submit the IdP profile.
  4. Add an authentication profile.
    1. Select Authentication > Authentication Profiles > Add Authentication Profile.
    2. Enter a PROFILE NAME.
    3. Select an Authentication Mode.
    4. Select the Authentication Type from step 3 and Submit.
  5. Add the authentication profile from Cloud Identity Engine to Prisma Access.
    1. In Prisma Access, select Manage > Configuration > Identity Services > Authentication > Authentication Profiles.
      Make sure the configuration scope is set to GlobalProtect or Explicit Proxy mobile users.
    2. Add Profile.
    3. Select Cloud Identity Engine as your Authentication Method.
    4. Enter a Profile Name.
    5. Select the Profile you added in the Cloud Identity Engine app from step 4.
    6. Save the changes.
  6. Attach the authentication to mobile users.
    • For GlobalProtect mobile users
    1. Select Manage > Service Setup > GlobalProtect > Infrastructure > Add Authentication.
    2. Select all required fields and the Profile you added to Prisma Access in step 5.
    3. Save the changes.
    4. Move the authentication to the top of the list to prioritize it.
    • For explicit proxy mobile users
    1. Select Manage > Service Setup > Explicit Proxy.
    2. Edit the User Authentication settings.
    3. Create New profile.
    4. Select the Cloud Identity Engine authentication method.
    5. Enter a profile name.
    6. Select the Profile you added to Prisma Access in step 5.
    7. Save the changes.
    8. Move the authentication to the top of the list to prioritize it.
  7. (For GlobalProtect mobile users only) Edit the default browser settings for the GlobalProtect app.
    1. Select the Default app settings.
    2. Go to App Configuration > Show Advanced Options > Authentication.
    3. Select Use Default Browser for SAML Authentication.
    4. Save the changes.
  8. Push the changes.
  9. (Optional) Verify the user authentication.
    • For GlobalProtect mobile users
    1. Log in to a Windows machine and connect to the GlobalProtect app.
      The default browser takes you to SAML authentication.
    2. Enter the credentials and sign in.
    3. View Settings in the GlobalProtect app to see the connection details.
    4. Log in to Prisma Access and select Activity > Logs > Log Viewer.
      You can see that the authentication is successful.
    • For explicit proxy mobile users
    1. Copy the PAC file URL to the endpoint.
      Go to Manage > Service Setup > Explicit Proxy > Infrastructure Settings to view the PAC file URL.
    2. Log in to a Windows machine.
    3. Edit the Proxy Settings and paste the PAC file URL to the Script Address.
    4. Access a URL that requires authentication.
    5. Enter the credentials.
    6. In Prisma Access, view the user mapping information by running the show user ip-user-mapping all command.
    7. (Optional) In Strata Cloud Manager, select Insights > Activity Insights > Users.
      View details about mobile users connected for a time range you select.
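The metadata exchange in steps 2 and 3 (SP Metadata out of the Cloud Identity Engine, Federation Metadata XML out of Entra ID) is where a mis-pasted file usually goes unnoticed until Test SAML Setup fails. The following Python is an added example, not part of this documentation or of the Cloud Identity Engine product: it sanity-checks both files before you upload them, assuming they use the standard SAML 2.0 metadata layout; the tenant id, certificate bytes and region name in the embedded samples are constructed placeholders.

```python
import base64
import re
import xml.etree.ElementTree as ET
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Regional ACS endpoint format from the procedure: https://<RegionUrl>.paloaltonetworks.com/sp/acs
ACS_PATTERN = re.compile(r"^https://[a-z0-9.-]+\.paloaltonetworks\.com/sp/acs$")

def _der_certificate_ok(b64_text):
    # X509Certificate holds base64 DER; a DER certificate is an ASN.1 SEQUENCE, so it starts with 0x30
    try:
        return base64.b64decode("".join(b64_text.split()), validate=True)[:1] == b"\x30"
    except ValueError:
        return False

def check_idp_metadata(xml_text):
    """Return problems found in the Federation Metadata XML from Entra ID (empty list = OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor" or not root.get("entityID"):
        problems.append("missing EntityDescriptor entityID")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor: not IdP metadata"]
    sso = [s.get("Location", "") for s in idp.findall(MD + "SingleSignOnService")]
    if not any(loc.startswith("https://") for loc in sso):
        problems.append("no https SingleSignOnService endpoint")
    certs = [c.text or "" for kd in idp.findall(MD + "KeyDescriptor")  # no 'use' attribute = any use
             if kd.get("use", "signing") == "signing" for c in kd.iter(DS + "X509Certificate")]
    if not any(_der_certificate_ok(c) for c in certs):
        problems.append("no usable signing certificate")
    return problems

def check_sp_metadata(xml_text):
    """Return ACS locations in the SP metadata that do not match the regional endpoint format."""
    sp = ET.fromstring(xml_text).find(MD + "SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor: not SP metadata"]
    acs = [a.get("Location", "") for a in sp.findall(MD + "AssertionConsumerService")]
    return [loc for loc in acs if not ACS_PATTERN.match(loc)] if acs else ["no AssertionConsumerService"]
# Constructed sample metadata: tenant id, certificate bytes and region name are placeholders
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBAAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
 </IDPSSODescriptor></EntityDescriptor>"""
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="placeholder-sp-entity-id">
 <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example-region.paloaltonetworks.com/sp/acs" index="0"/>
 </SPSSODescriptor></EntityDescriptor>"""
```

Run check_idp_metadata on the Federation Metadata XML from step 2.l and check_sp_metadata on the SP Metadata from step 2.c; an empty list from each means the files are the right kind and the ACS URL matches the regional endpoint format from step 2.j.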

Configure Mobile Users using Cloud Identity Engine (Recommended) (Panorama)

The Cloud Identity Engine provides both user identification and user authentication for mobile users in a Prisma Access—GlobalProtect deployment. Using the Cloud Identity Engine for user authentication and username-to-user group mapping allows you to write security policy based on users and groups, not IP addresses, and helps secure your assets by enforcing behavior-based security actions. By continually syncing the information from your directories, the Cloud Identity Engine ensures that your user information is accurate and up to date and policy enforcement continues based on the mappings even if the SAML identity provider (IdP) is temporarily unavailable.