Authentication Support and Features
See the services and methods you can use with Prisma
Access to authenticate users accessing enterprise applications and
protected resources.
Here are the services Prisma Access integrates with
to provide authentication, and features to consider when you are
planning your authentication set up.
Authentication Support:
Authentication Feature Highlights:
Authentication Support
SAML | If your users access services and applications
that are external to your network, you can use SAML to integrate
Prisma Access with an identity provider (IdP) that controls access
to both external and internal services and applications. SAML single
sign-on (SSO) enables one login to access multiple applications,
and is helpful in environments where each user accesses many applications
and authenticating for each one would impede user productivity.
In this case, SAML single sign-on (SSO) enables one login to access
multiple applications. Likewise, SAML single logout (SLO) enables
a user to end sessions for multiple applications by logging out
of just one session. SSO works for mobile users who access applications through
the GlobalProtect app or users at remote networks that access applications
through the Authentication Portal. SLO is available to GlobalProtect
app users. You cannot use SAML authentication profiles
in authentication sequences. |
TACACS+ | Terminal Access Controller Access-Control
System Plus (TACACS+) is a family of protocols that enable authentication and
authorization through a centralized server. TACACS+ encrypts usernames
and passwords, making it more secure than RADIUS, which encrypts
only passwords. TACACS+ is also more reliable because it uses TCP,
whereas RADIUS uses UDP. |
RADIUS | Remote Authentication Dial-In User Service
(RADIUS) is a broadly supported networking protocol that provides centralized
authentication and authorization. You can also add a RADIUS server
to Prisma Access to implement multi-factor authentication. |
LDAP | Lightweight Directory Access Protocol (LDAP)
is a standard protocol for accessing information directories. You
can use LDAP to authenticate users who access applications or services
through Authentication Portal. |
Kerberos | Kerberos is an authentication protocol that
enables a secure exchange of information between parties using unique keys
(called tickets) to identify the parties. With Kerberos, you can
authenticate users who access applications through the Authentication
Portal. With Kerberos SSO enabled, the user needs to log in only
for initial access to your network (such as logging in to Microsoft
Windows). After this initial login, the user can access any browser-based
service in the network without having to log in again until the
SSO session expires. To use Kerberos, you first need a a Kerberos
account for Prisma Access that will authenticate users. An account
is required to create a Kerberos keytab, which is a file that contains
the principal name and hashed password of the firewall or Panorama.
The SSO process requires the keytab. Kerberos SSO is available
only for services and applications that are internal to your Kerberos
environment. To enable SSO for external services and applications,
use SAML. |
Cloud Identity Engine | The Cloud Identity Engine (CIE) provides
both user identification and user authentication for mobile users
in a Prisma Access—Explicit Proxy deployment. The Cloud Identity Engine
integrates with the Explicit Proxy Authentication Cache Service
(ACS) and uses SAML identity providers (IdPs) to provide authentication
for Explicit Proxy mobile users. |
MFA | Muti-factor authentication (MFA) gives you
a way to implement multiple authentication challenges of different
types (these are called factors ) to protect your most sensitive
services and applications. For example, you might want stronger
authentication for key financial documents than for search engines.Prisma
Access has a built-in list of supported MFA vendors, that’s automatically
updated as new vendors are added:  |
Local Database Authentication | Create a database that runs locally on Prisma
Access and contains user accounts (usernames and passwords or hashed passwords).
This type of authentication is useful for creating user accounts
that reuse the credentials of existing Unix accounts in cases where
you know only the hashed passwords, not the plaintext passwords.
For accounts that use plaintext passwords, you can also define password
complexity and expiration settings. This authentication method is
available to users who access services and applications through
the Authentication Portal or the GlobalProtect app. |
Authentication Feature Highlights
SSO | If you’re using SAML or Kerberos, you can
implement single sign-on (SSO), which enables users to authenticate
only once for access to multiple services and applications. SAML and
Kerberos support SSO. |
Authentication Portal | Redirect web requests that match an authentication
rule to a Prisma Access login page where they’re prompted to authenticate.
Prisma Access uses the information the user submits to this authentication
portal to create or update IP address to user name mappings. This
is especially useful for remote networks, so that you continue to
have monitor and enforce traffic based on a user (or group). When
a user initiates web traffic (HTTP or HTTPS) that matches an authentication
rule, Prisma Access prompts the user to authenticate through the
authentication portal. Prisma Access creates or updates the IP address
to username mapping based on the information the user submits to
the portal. This ensures that you know exactly who at a remote network
site is accessing your most sensitive applications and data. |
Authentication Sequence | If you use multiple types of authentication
for different purposes, you can set an authentication sequence to
rank your profiles. Prisma Access checks each profile based on your ranking
until one successfully authenticates the user. |
