1. Home
    2. Prisma
    3. Prisma Access
    4. Prisma Access (Cloud Management)
    5. Third-Party Integrations with Prisma Access
    6. Microsoft Integrations with Prisma Access
    7. Azure AD SAML Authentication for Mobile User Deployments
    8. Configure Mobile Users using Cloud Identity Engine (Recommended)

    Configure Mobile Users using Cloud Identity Engine (Recommended)

    You first configure SAML in Azure AD, then import the metadata XML file (the file that contains SAML registration information) from Azure AD and upload it to a
    SAML Identity Provider
     you create in Prisma Access. You then create an
    Authentication Profile
     that references the IdP server profile, add the authentication profile into the Explicit Proxy or GlobalProtect configuration, and commit and push your changes. We recommend using Cloud Identity Engine to set up the Azure AD SAML authentication.
    If you are a GlobalProtect mobile user, upgrade your GlobalProtect app to 6.0 version or to a later version.
    1. From Prisma Access, open the Cloud Identity Engine app associated with your tenant.
      1. Go to
        Prisma Access
        Tenants and Services
        Cloud Identity Engine
        .
    2. Download the SP Metadata in the Cloud Identity Engine app.
      1. Go to
        Authentication
        Authentication Types
        Add New
        .
      2. Set Up
         a SAML 2.0 authentication type.
      3. Download SP Metadata
        .
      4. Log in to the Azure Portal and select
        Azure Active Directory
        .
        Make sure you complete all the necessary steps in the Azure portal.
        If you have more than one directory,
        Switch directory
         to select the directory you want to use with the Cloud Identity Engine.
      5. Select
        Enterprise applications
         and click
        New application
        .
      6. Search for
        Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service
         and create the Azure AD single-sign on integration.
        Customize the app name if required while creating the application.
      7. After the application loads, select
        Users and groups
        , then
        Add user/group
         to
        Assign
         them to this application.
        Select the users and groups you want to have use the Azure IdP in the Cloud Identity Engine for authentication.
        Be sure to assign the account you are using so you can test the configuration when it is complete. You may need to refresh the page after adding accounts to successfully complete the test.
      8. Set up single sign-on
         then select
        SAML
        .
      9. Upload Metadata File
         by browsing to the metadata file that you downloaded from the Cloud Identity Engine app in 2.c and click
        Add
        .
      10. After the metadata uploads, enter your regional endpoint as the
        Sign-on URL
         using the following format: https://<RegionUrl>.paloaltonetworks.com/sp/acs (where <RegionUrl> is your regional endpoint).
        Alternatively, copy the reply URL to the sign on URL.
      11. Save
         your configuration.
      12. Download
         the
        Federation Metadata XML
         under
        SAML Certificates
        .
    3. Add Azure as an authentication type in the Cloud Identity Engine app.
      1. In Cloud Identity Engine app, select
        Authentication
        Authentication Types
        Add New
        .
      2. Set Up
         a SAML 2.0 authentication type.
      3. Enter a
        Profile Name
        .
      4. Select
        Azure
         as your
        IDP Vendor
        .
      5. Upload Metadata
         from 2.l to
        Add Metadata
        .
      6. Click to Upload
        .
      7. Test SAML Setup
         to verify the profile configuration.
      8. Select the SAML attributes you want Prisma Access to use for authentication and
        Submit
         the IdP profile.
    4. Add an authentication profile.
      1. Select
        Authentication
        Authentication Profiles
        Add Authentication Profile
        .
      2. Enter a
        PROFILE NAME
        .
      3. Select an
        Authentication Mode
        .
      4. Select the
        Authentication Type
         from 3 and
        Submit
        .
    5. Add the authentication profile from Cloud Identity Engine to Prisma Access.
      1. In Prisma Access, select
        Manage
        Configuration
        Identity Services
        Authentication
        Authentication Profiles
        .
        Ensure to set the scope to
        GlobalProtect
         or
        Explicit Proxy
         mobile users.
      2. Add Profile
        .
      3. Select
        Cloud Identity Engine
         as your
        Authentication Method
        .
      4. Enter a
        Profile Name
        .
      5. Select the
        Profile
         you added in the Cloud Identity Engine app from 4.
      6. Save
         the changes.
    6. Attach the authentication to mobile users.
      • For GlobalProtect mobile users
      1. Select
        Manage
        Service Setup
        GlobalProtect
        Infrastructure
        Add Authentication
        .
      2. Select all required fields and the
        Profile
         you added to Prisma Access in 5.
      3. Save
         the changes.
      4. Move the authentication to the top of the list to prioritize it.
      • For explicit proxy mobile users
      1. Select
        Manage
        Service Setup
        Explicit Proxy
        .
      2. Edit the
        User Authentication
         settings.
      3. Create New
         profile.
      4. Select the
        Cloud Identity Engine
         authentication method.
      5. Enter a profile name.
      6. Select the
        Profile
         you added to Prisma Access in 5.
      7. Save
         the changes.
      8. Move the authentication to the top of the list to prioritize it.
    7. (
      For GlobalProtect mobile users only
      ) Edit the default browser settings for the GlobalProtect app.
      1. Select the
        Default
         app settings.
      2. Go to
        App Configuration
        Show Advanced Options
        Authentication
        .
      3. Select the
        Use Default Browser for SAML Authentication
        .
      4. Save
         the changes.
    8. Push
       the changes.
    9. (
      Optional
      ) Verify the user authentication.
      • For GlobalProtect mobile users
      1. Log in to a Windows machine and connect to the GlobalProtect app.
        The default browser takes you to SAML authentication.
      2. Enter the credentials and sign in.
      3. View
        Settings
         in the GlobalProtect app to see the connection details.
      4. Log in to Prisma Access and select
        Activity
        Logs
        Log Viewer
        .
        You can see that the authentication is successful.
      • For explicit proxy mobile users
      1. Copy the PAC file URL to the endpoint.
        Go to
        Manage
        Service Setup
        Explicit Proxy
        Infrastructure Settings
         to view the PAC file URL.
      2. Log in to a Windows machine.
      3. Edit the
        Proxy Settings
         and paste the PAC file URL to the
        Script Address
        .
      4. Access a URL that requires authentication.
      5. Enter the credentials.
      6. In Prisma Access, view the user mapping information by running the
        show user ip-user-mapping all
         command.
      7. (
        Optional
        ) In Prisma Access, select
        Insights
        Mobile Users - Explicit Proxy
        .
        View details about mobile users connected for a time range you select.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo