Configure SAML Authentication Using Okta as the IdP for Mobile Users

Configure Prisma Access to establish a trust relationship with your Okta IdP for SAML 2.0 authentication of your mobile users.
Prisma Access for users provides enterprise authentication via SAML. When a mobile user attempts to connect, Prisma Access (the SAML service provider, or SP) returns an authentication request to the client browser, which in turn sends it to your SAML identity provider (IdP) to authenticate the user. Use the following procedure to configure a trust relationship between Prisma Access and your Okta IdP:
  1. Complete the steps for defining the Service Provider (SP) settings, including generating or importing the certificate that Prisma Access uses to sign SAML messages that it sends to the identity provider (IdP).
  2. Export the Prisma Access signing certificate so that you can import it onto your IdP.
  3. Log in to Okta as an administrator and create a SAML 2.0 application for Prisma Access.
    1. Create a new application integration for Prisma Access. Specify the Platform Type as Web and the sign-on method as SAML 2.0, then click Create.
    2. Configure the following application integration options:
      • Single sign on URL—Enter the ACS URL of the portal (for example, https://portal114.gpcloudservice.com:443/SAML20/SP/ACS).
      • Use this for Recipient URL and Destination URL—Select this check box.
      • Allow this app to request other SSO URLs—Select this check box and, in the Requestable SSO URLs field, add the ACS URLs of all Prisma Access gateways from the list you copied earlier.
      • Audience URI (SP Entity ID)—Enter the SP entity ID of the portal (for example, https://portal114.gpcloudservice.com:443/SAML20/SP).
      • Default RelayState—Leave blank.
      • Name ID format—Select EmailAddress.
      • Application username—Select Okta Username.
    3. Select Show Advanced Settings and configure these settings:
      • Allow application to initiate Single Logout—Select this check box.
      • Single Logout URL—Enter https://<Prisma-Access-FQDN>:443/SAML20/SP/SLO, where <Prisma-Access-FQDN> is the FQDN you defined for Prisma Access when you set up the environment.
      • SP Issuer—Enter the SP entity ID (the same value as the Audience URI); Prisma Access sends this value as the Issuer of the SAML requests it signs.
      • Signature Certificate—Browse to and select the SAML signing certificate that you exported from Prisma Access, then click Upload Certificate.
    4. In the ATTRIBUTE STATEMENTS (OPTIONAL) area, specify attribute names, Name formats, and values in Okta Expression Language.
      These fields reference, transform, and combine Okta profile attributes so that the Username attribute matches the format you set up on Prisma Access. For example, specify a Name format of Basic and a Value of user.firstName.
    5. Optionally, in the Group Attribute Statements (Optional) area, create group attribute options.
      You can’t use group information that’s retrieved from the SAML assertion in either security policy rules or the GlobalProtect app configuration.
    6. Save the configuration.
  4. Complete the configuration of the SAML 2.0 web application in Okta and assign it to the users who need access. Click View Setup Instructions for details.
  5. Click Identity Provider metadata and download (or copy) the IdP metadata XML; you import it into Prisma Access for the portal and gateways in the next step.
  6. Import the metadata file and the CA certificate from Okta into Prisma Access.
    1. Log in to the Prisma Access app on the hub, select Configure, then Mobile Users, then Configure, and Edit the User Authentication configuration.
    2. In SAML IdP Profile, click Add SAML IdP Profile and Import the metadata file you downloaded from Okta.
    3. Save the IdP profile.
