Enable Explicit Proxy Mobile Users to Authenticate to Prisma Access

Define authentication settings for Explicit Proxy mobile users to connect to Prisma Access.
You can use SAML or Kerberos authentication methods to authenticate Explicit Proxy mobile users. Follow these steps to set up authentication for Explicit Proxy mobile users.
  1. Go to Service Setup > Explicit Proxy > Set Up User Authentication.
  2. Choose your Authentication Method for authentication method 1 and authentication method 2:
    • SAML
      If your users access services and applications that are external to your network, you can use SAML to integrate Prisma Access with an identity provider (IdP) that controls access to both external and internal services and applications. SAML single sign-on (SSO) enables one login to access multiple applications, and is helpful in environments where each user accesses many applications and authenticating for each one would impede user productivity. Likewise, SAML single logout (SLO) enables a user to end sessions for multiple applications by logging out of just one session. SSO works for mobile users who access applications through the GlobalProtect app or users at remote networks that access applications through the Authentication Portal. SLO is available to GlobalProtect app users.
    • Kerberos
      Kerberos is an authentication protocol that enables a secure exchange of information between parties using unique keys (called tickets) to identify the parties. With Kerberos, you can authenticate users who access applications through the Authentication Portal. With Kerberos SSO enabled, the user needs to log in only for initial access to your network (such as logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network without having to log in again until the SSO session expires. To use Kerberos, you first need a Kerberos account for Prisma Access that will authenticate users. An account is required to create a Kerberos keytab, which is a file that contains the principal name and hashed password of the firewall or Panorama. The SSO process requires the keytab. Kerberos SSO is available only for services and applications that are internal to your Kerberos environment. To enable SSO for external services and applications, use SAML.
  3. Choose the authentication to enable Prisma Access to connect to the service you want to use to authenticate users.
  4. Specify a Cookie Lifetime for the cookie that stores the users' authentication credentials. Typical lifetime is 24 hours for gateways, which protect sensitive information, or 15 days for the portal. The range for hours is 1-72; for weeks, 1-52; and for days, 1-365. After the cookie expires on either the portal or gateway (whichever occurs first), the portal or gateway prompts the user to authenticate, and subsequently encrypts a new cookie to send to the endpoint.
  5. Click
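
Added example (not part of the Palo Alto Networks documentation): a check you can run on the Kerberos keytab described in step 2 before using it, listing the principal, key version and encryption type of each entry. It assumes the MIT keytab layout (version 0x0502) and flags DES and RC4 keys, which are deprecated; the principal, realm and all-zero keys in SAMPLE are constructed placeholders.

```python
import struct

# Encryption type numbers from the Kerberos registry; DES and RC4 are deprecated.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3, 23}

def _counted(buf, pos):  # read a uint16 length-prefixed byte string
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return one dict per entry of an MIT-format (version 0x0502) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted entry (hole)
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _counted(data, p + 2)
        parts = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            parts.append(comp.decode())
        # name type (4 bytes), timestamp (4), 8-bit kvno (1), enctype (2) = 11 bytes
        _name_type, _timestamp, kvno, etype = struct.unpack_from(">IIBH", data, p)
        key, p = _counted(data, p + 11)
        if end - p >= 4:                   # optional 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append({"principal": "/".join(parts) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": ENCTYPES.get(etype, str(etype)),
                        "weak": etype in WEAK, "key_len": len(key)})
        pos = end
    return entries

def _entry(principal, realm, etype, key, kvno=2):
    """Build one constructed keytab entry (sample data, not a real key)."""
    body = struct.pack(">H", len(principal))
    for s in [realm] + principal:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body)) + body

SAMPLE = (b"\x05\x02"  # constructed: placeholder principal, all-zero keys
          + _entry(["HTTP", "proxy.example.com"], "EXAMPLE.COM", 18, bytes(32))
          + _entry(["HTTP", "proxy.example.com"], "EXAMPLE.COM", 23, bytes(16)))
```

To inspect a real file, pass its bytes to parse_keytab(); an entry with "weak" set to True should be regenerated with an AES encryption type.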
