Enable Explicit Proxy Mobile Users to Authenticate to Prisma Access

Define authentication settings for Explicit Proxy mobile users to connect to Prisma Access.
You can use SAML, Cloud Identity Engine (CIE), or Kerberos authentication methods to authenticate Explicit Proxy connections. Follow these steps to set up authentication for Explicit Proxy mobile users.
  1. Go to
    Service Setup
    Explicit Proxy
    Set Up User Authentication
  2. Choose the Authentication Settings:
    • Authentication Method 1
    • Authentication Method 2
    • SAML
      If your users access services and applications that are external to your network, you can use SAML to integrate Prisma Access with an identity provider (IdP) that controls access to both external and internal services and applications. SAML single sign-on (SSO) enables one login to access multiple applications, and is helpful in environments where each user accesses many applications and authenticating for each one would impede user productivity. In this case, SAML single sign-on (SSO) enables one login to access multiple applications. Likewise, SAML single logout (SLO) enables a user to end sessions for multiple applications by logging out of just one session. SSO works for mobile users who access applications through the GlobalProtect app or users at remote networks that access applications through the Authentication Portal. SLO is available to GlobalProtect app users.
    • Cloud Identity Engine
      The Cloud Identity Engine (CIE) provides both user identification and user authentication for mobile users in a Prisma Access—Explicit Proxy deployment. The Cloud Identity Engine integrates with the Explicit Proxy Authentication Cache Service (ACS) and uses SAML identity providers (IdPs) to provide authentication for Explicit Proxy mobile users.
    • Kerberos is an authentication protocol that enables a secure exchange of information between parties using unique keys (called tickets) to identify the parties. With Kerberos, you can authenticate users who access applications through the Authentication Portal. With Kerberos SSO enabled, the user needs to log in only for initial access to your network (such as logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network without having to log in again until the SSO session expires. To use Kerberos, you first need a a Kerberos account for Prisma Access that will authenticate users. An account is required to create a Kerberos keytab, which is a file that contains the principal name and hashed password of the firewall or Panorama. The SSO process requires the keytab. Kerberos SSO is available only for services and applications that are internal to your Kerberos environment. To enable SSO for external services and applications, use SAML.
  3. Choose the authentication
    you configured to enable Prisma Access to connect to the service you want to use to authenticate users.
  4. Specify a
    Cookie Lifetime
    for the cookie that stores the users’ authentication credentials.
    After the IdP authenticates the user, Prisma Access stores the authentication state of the user in the Authentication Cache Service (ACS). The validity period of the authentication is based on the
    Cookie Lifetime
    value you specify here.
    To prevent issues with users not being able to download large files before the cookie lifetime expires, or the cookie expiring when users are accessing a single website for a long period of time, Palo Alto Networks recommends that you configure a Cookie Lifetime of at least one day. If Explicit Proxy users have a cookie lifetime expiration issue, they can browse to a different website to re-authenticate to ACS and refresh the ACS cookie.
  5. Click

Recommended For You