Enable Mobile Users to Authenticate to Prisma Access
Define authentication settings for mobile users to connect
to Prisma Access.
You can authenticate mobile users to Prisma
Access using any of the supported authentication types.
Follow these steps to set up authentication for GlobalProtect or
Explicit Proxy mobile users; find more information about setting
up authentication for Explicit Proxy deployments here.
- Go to and go to either your GlobalProtect or Explicit Proxy configuration andSet Up User Authentication.
- Choose yourAuthentication Methodfrom the supported authentication types.If you haven’t already integrated Prisma Access with your authentication services, here’s how.
- Specify certificate authentication settings:
- Certificate AuthenticationFor enhanced security, use a certificate (in addition to your authentication service) to obtain usernames and authenticate users to Prisma Access. To authenticate users based on a client certificate, one of the certificate fields, such as the Subject Name field, must identify the username. Mobile users that successfully authenticate through client certificate authentication, do not have the option to sign out of the GlobalProtect app.With Prisma Access, you can choose to require for mobile users to pass both certificate authentication and authentication based on the authentication type or to grant access to mobile users as long as they’ve successfully passed only one of those checks.
- Certificate ProfileUse an optional certificate profile to verify the certificates mobile users present to Prisma Access with a connection request. The certificate profile specifies the contents of the username and user domain fields; lists CA certificates; criteria for blocking a session; and offers ways to determine the revocation status of CA certificates. Because the certificate is part of the authentication for the mobile user, you must pre-deploy certificates used in certificate profiles to your users before their initial login.The certificate profile specifies which certificate field contains the username (Subject or Subject Alt). If the certificate profile specifies Subject in the Username Field, the certificate presented by the endpoint must contain a common-name for the endpoint to connect. If the certificate profile specifies a Subject-Alt with an Email or Principal Name as the Username Field, the certificate must contain the corresponding fields, which will be used as the username when the GlobalProtect app authenticates to Prisma Access.
