Configure Mobile Users using Cloud Identity Engine (Recommended) (Strata Cloud Manager)

You first configure SAML in Azure AD, then import the metadata XML file (the file that contains the SAML registration information) from Azure AD and upload it to a SAML Identity Provider that you create in Prisma Access. You then create an Authentication Profile that references the IdP server profile, add the authentication profile to the Explicit Proxy or GlobalProtect configuration, and commit and push your changes.
If you use GlobalProtect, upgrade the GlobalProtect app to version 6.0 or later.
  1. From Prisma Access, open the Cloud Identity Engine app associated with your tenant.
    a. Go to Prisma Access > Tenants and Services > Cloud Identity Engine.
  2. Download the SP Metadata in the Cloud Identity Engine app.
    a. Go to Authentication > Authentication Types > Add New.
    b. Set Up a SAML 2.0 authentication type.
    c. Download SP Metadata.
    d. Log in to the Azure Portal and select Azure Active Directory.
       Make sure you complete all the necessary steps in the Azure portal.
       If you have more than one directory, Switch directory to select the directory you want to use with the Cloud Identity Engine.
    e. Select Enterprise applications and click New application.
    f. Search for Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service and create the Azure AD single sign-on integration.
       Customize the app name if required while creating the application.
    g. After the application loads, select Users and groups, then Add user/group to Assign them to this application.
       Select the users and groups that you want to authenticate through the Azure IdP in the Cloud Identity Engine.
       Be sure to assign the account you are using so you can test the configuration when it is complete. You may need to refresh the page after adding accounts to successfully complete the test.
    h. Set up single sign-on, then select SAML.
    i. Upload Metadata File by browsing to the metadata file that you downloaded from the Cloud Identity Engine app in step 2.c, and click Add.
    j. After the metadata uploads, enter your regional endpoint as the Sign-on URL, using the format https://<RegionUrl>.paloaltonetworks.com/sp/acs (where <RegionUrl> is your regional endpoint).
       Alternatively, copy the Reply URL into the Sign-on URL.
    k. Save your configuration.
    l. Download the Federation Metadata XML under SAML Certificates.
  3. Add Azure as an authentication type in the Cloud Identity Engine app.
    a. In the Cloud Identity Engine app, select Authentication > Authentication Types > Add New.
    b. Set Up a SAML 2.0 authentication type.
    c. Enter a Profile Name.
    d. Select Azure as your IDP Vendor.
    e. Upload Metadata from step 2.l to Add Metadata.
    f. Click to Upload.
    g. Test SAML Setup to verify the profile configuration.
    h. Select the SAML attributes you want Prisma Access to use for authentication and Submit the IdP profile.
  4. Add an authentication profile.
    a. Select Authentication > Authentication Profiles > Add Authentication Profile.
    b. Enter a PROFILE NAME.
    c. Select an Authentication Mode.
    d. Select the Authentication Type from step 3 and Submit.
  5. Add the authentication profile from Cloud Identity Engine to Prisma Access.
    a. In Prisma Access, select Manage > Configuration > Identity Services > Authentication > Authentication Profiles.
       Ensure that the scope is set to GlobalProtect or Explicit Proxy mobile users.
    b. Add Profile.
    c. Select Cloud Identity Engine as your Authentication Method.
    d. Enter a Profile Name.
    e. Select the Profile you added in the Cloud Identity Engine app in step 4.
    f. Save the changes.
  6. Attach the authentication to mobile users.
    • For GlobalProtect mobile users
      a. Select Manage > Service Setup > GlobalProtect > Infrastructure > Add Authentication.
      b. Select all required fields and the Profile you added to Prisma Access in step 5.
      c. Save the changes.
      d. Move the authentication to the top of the list to prioritize it.
    • For explicit proxy mobile users
      a. Select Manage > Service Setup > Explicit Proxy.
      b. Edit the User Authentication settings.
      c. Create New profile.
      d. Select the Cloud Identity Engine authentication method.
      e. Enter a profile name.
      f. Select the Profile you added to Prisma Access in step 5.
      g. Save the changes.
      h. Move the authentication to the top of the list to prioritize it.
  7. (For GlobalProtect mobile users only) Edit the default browser settings for the GlobalProtect app.
    a. Select the Default app settings.
    b. Go to App Configuration > Show Advanced Options > Authentication.
    c. Select Use Default Browser for SAML Authentication.
    d. Save the changes.
  8. Push the changes.
  9. (Optional) Verify the user authentication.
    • For GlobalProtect mobile users
      a. Log in to a Windows machine and connect to the GlobalProtect app.
         The default browser takes you to SAML authentication.
      b. Enter the credentials and sign in.
      c. View Settings in the GlobalProtect app to see the connection details.
      d. Log in to Prisma Access and select Activity > Logs > Log Viewer.
         You can see that the authentication is successful.
    • For explicit proxy mobile users
      a. Copy the PAC file URL to the endpoint.
         Go to Manage > Service Setup > Explicit Proxy > Infrastructure Settings to view the PAC file URL.
      b. Log in to a Windows machine.
      c. Edit the Proxy Settings and paste the PAC file URL into the Script Address.
      d. Access a URL that requires authentication.
      e. Enter the credentials.
      f. In Prisma Access, view the user mapping information by running the show user ip-user-mapping all command.
      g. (Optional) In Prisma Access, select Insights > Mobile Users - Explicit Proxy.
         View details about mobile users connected for a time range you select.
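The two metadata files exchanged in steps 2 and 3 (the SP metadata downloaded from the Cloud Identity Engine in step 2.c and the Federation Metadata XML downloaded from Azure AD in step 2.l) can be sanity-checked before they are uploaded to the other side. The script below is an added example, not Palo Alto Networks or Microsoft code; it parses the standard SAML 2.0 metadata schema, and both XML documents embedded in it are constructed samples (a placeholder region name, an all-zeros tenant ID and a dummy certificate value), not real exports. It checks that the SP's AssertionConsumerService location matches the Sign-on URL format from step 2.j, that the IdP metadata carries a signing certificate and an HTTPS single sign-on endpoint, and it records the SHA-256 fingerprint of the IdP signing certificate so that a later re-export can be compared with what was uploaded.

```python
"""Pre-upload sanity check for the SAML metadata exchanged in steps 2 and 3.

Added example, not Palo Alto Networks or Microsoft code. Parses the standard
SAML 2.0 metadata schema; both XML samples below are constructed placeholders.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Sign-on URL format from step 2.j: https://<RegionUrl>.paloaltonetworks.com/sp/acs
ACS_PATTERN = re.compile(r"^https://[a-z0-9.-]+\.paloaltonetworks\.com/sp/acs$")

# Constructed SP metadata standing in for the file downloaded in step 2.c
# ("example-region" is a placeholder, not a real regional endpoint).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-region.paloaltonetworks.com/sp">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-region.paloaltonetworks.com/sp/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata standing in for the Federation Metadata XML from
# step 2.l (all-zeros tenant ID and a dummy certificate value).
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIBAQ==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 hex fingerprint of a base64 X509Certificate value (whitespace ignored)."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract entityID, ACS endpoints and the signed-assertion flag from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("not SP metadata: no SPSSODescriptor element")
    return {
        "entity_id": root.get("entityID", ""),
        "acs": [(e.get("Binding"), e.get("Location"))
                for e in sp.findall("md:AssertionConsumerService", NS)],
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SSO endpoints by binding and signing-cert fingerprints from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            certs += [cert_fingerprint(c.text or "")
                      for c in kd.findall(".//ds:X509Certificate", NS)]
    return {
        "entity_id": root.get("entityID", ""),
        "sso": {e.get("Binding"): e.get("Location")
                for e in idp.findall("md:SingleSignOnService", NS)},
        "signing_certs": certs,
    }


def check_pairing(sp: dict, idp: dict) -> list:
    """Return the problems found; an empty list means the pair looks consistent."""
    problems = []
    if not sp["entity_id"] or not idp["entity_id"]:
        problems.append("missing entityID in SP or IdP metadata")
    elif sp["entity_id"] == idp["entity_id"]:
        problems.append("SP and IdP share an entityID; check that the right file was uploaded")
    for _binding, location in sp["acs"]:
        if not ACS_PATTERN.match(location or ""):
            problems.append(f"ACS location does not match the Sign-on URL format: {location}")
    if not sp["wants_signed_assertions"]:
        problems.append("SP metadata does not set WantAssertionsSigned=true")
    if not idp["signing_certs"]:
        problems.append("IdP metadata carries no signing certificate; assertions cannot be verified")
    if not (set(idp["sso"]) & {REDIRECT, POST}):
        problems.append("IdP offers no HTTP-Redirect or HTTP-POST SingleSignOnService")
    for binding, location in idp["sso"].items():
        if not (location or "").startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not https: {location}")
    return problems


def check_samples() -> list:
    """Run the check over the two constructed samples above (expected: no problems)."""
    return check_pairing(parse_sp_metadata(SAMPLE_SP_METADATA),
                         parse_idp_metadata(SAMPLE_IDP_METADATA))


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("IdP signing cert SHA-256:", ", ".join(idp["signing_certs"]))
    print("problems:", check_samples() or "none")
```

To use it against real exports, replace the two sample strings with the contents of the downloaded files; the fingerprint printed for the IdP signing certificate is worth keeping with the change record, because Azure AD rotates this certificate and a mismatch at the next export is the first sign that the Cloud Identity Engine profile needs a fresh upload.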