Authenticate Panorama Managed Prisma Access Explicit Proxy Mobile
Users With the Cloud Identity Engine
Use the Cloud Authentication (CAS) component of the Cloud
Identity Engine to authenticate Prisma Access mobile users in a
Mobile Users—Explicit Proxy deployment.
The Cloud Identity Engine provides
both user identification and user authentication for mobile users
in a Prisma Access—Explicit Proxy deployment. The Cloud Identity
Engine integrates with the Explicit Proxy Authentication Cache Service
(ACS) and uses SAML identity providers (IdPs) to provide
authentication for Explicit Proxy mobile users.
To configure
the Cloud Authentication Service to authenticate Explicit Proxy
mobile users, you must have the following minimum required product
and software versions:
- A minimum Prisma Access version of 3.2 (either Preferred or Innovation).
- A minimum Panorama version of 10.1.3.
- A minimum dataplane version of 10.1.3.To verify your dataplane version, select and view theCurrent Dataplane versionin theDataPlane PAN-OS versionarea. If your dataplane version is lower than 10.1.3, reach out to your Palo Alto Networks account representative and submit a request.
- A SAML IdP provider that is supported with the Cloud Identity Engine.All IdP providers that are supported by the Cloud Identity Engine are supported, including Azure, Okta, PingOne, PingFederate, and Google.
To
configure authentication for a Mobile Users—Explicit Proxy deployment
using the Cloud Identity Engine, complete the following steps.
- From the Panorama that manages Prisma Access, set up and configure a Mobile Users—Explicit Proxy deployment.Before you configure Explicit Proxy guidelines, be aware of how explicit proxy works and how explicit proxy identifies users, go through the planning checklist, and learn how to set up the Explicit Proxy PAC file.
- From the Panorama that manages Prisma Access, install the Panorama device certificate.You must generate a one-time password (OTP) and retrieve the device certificate to successfully authenticate Panorama with the Cloud Identity Engine.
- Log into the Customer Support Portal to generate the One Time Password (OTP).
- Select andGenerate OTP.
- For theDevice Type, selectGenerate OTP for PanoramaandGenerate OTP.
- Select thePanorama Deviceserial number.
- Generate OTPandCopy to Clipboard.
- From the Panorama that manages Prisma Access, select andGet certificate.
When you have successfully installed the certificate, theCurrent Device Certificate Status() displays asValid.
- From the hub, activate the Cloud Identity Engine if you have not yet done so to create your first instance.
- Log in to the hub.
- Activatethe Cloud Identity Engine.If the Activate button is not available, ensure that your role has the necessary privileges.
- Enter the information for your Cloud Identity Engine instance.
- Select theCompany Accountfor the instance.
- Specify anNameto identify the instance.
- (Optional) Enter aDescriptionto provide more information about the Cloud Identity Engine instance (for example, details about the instance’s purpose).
- Select aRegion.Make a note of the region; you specify the same region when you create an authentication profile in Panorama.
- Agree to theEULA.
- Agree & Activatethe instance.
- On the Activation Details page, select the hub in the upper left.
- TheCloud Identity Enginedisplays.
- (Optional) If you require a separate instance for Explicit Proxy, configure a Cloud Identity Engine Instance.If you want to isolate your Explicit Proxy directory data, or allow different Palo Alto Networks cloud applications and services to access different sets of directory data, you can create a Cloud Identity Engine instance specifically for Explicit Proxy.
- Log in to the hub.
- Click the gear in the upper right corner of the page to manage the settings; then, selectManage Appsand clickAdd Instance.
- Configure the instance.
- Select theCompany Accountfor the instance.
- Specify anNameto identify the instance.
- (Optional) Enter aDescriptionto provide more information about the Cloud Identity Engine instance (for example, details about the instance’s purpose).
- Select aRegion.Make a note of the region; you specify the same region when you create an authentication profile in Panorama.
- Agree to theEULA.
- Agree & Activatethe instance.
- From the Cloud Identity Engine app, configure a SAML 2.0 IdP in the Cloud Identity Engine.The Cloud Identity Engine Getting Started guide has the procedures you need to configure a SAML IdP in the Cloud Identity Engine:Do not configure single logout, it is not supported. .
- Set up an authentication profile in the Cloud Identity Engine and select the users and groups that can use this authentication method.You specify this profile when you create an authentication profile in Panorama in a later step.
- Return to the Panorama that manages Prisma Access and configure an authentication profile to use with the Cloud Authentication Engine.
- Select andAddan authentication profile.Be sure that you are in theExplicit_Proxy_Template.
- Enter aNamefor the Authentication profile.
- SelectCloud Authentication Serviceas theType.
- Select theRegionof your Cloud Identity Engine instance.Specify the same region you used when you created your Cloud Authentication Engine instance.
- Select the Cloud Identity EngineInstanceto use for this Authentication profile.
- Select an authenticationProfilethat specifies the authentication type you want to use to authenticate users.Specify the authentication profile you created in the Cloud Identity Engine.
- Specify theMaximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
- (Optional) If the profile you selected has multi-factor authentication (MFA) enabled, selectForce multi-factor authentication in cloud.Selecting this option means that the IdP (for example, Okta) specified by the profile is responsible for performing MFA. If you select this check box and incorrect MFA information is received from the Cloud Identity Engine, authentication fails.
- ClickOK.
- Allow the necessary authentication traffic to be passed to Explicit Proxy.
- Create a URL list as a custom URL category to allow the necessary traffic for the Cloud Identity Engine.
- Add the following Cloud Identity Engine URLs to the URL category.If you do not need to strictly limit traffic to your region, you can enter*.apps.paloaltonetworks.com. Otherwise, determine your region-based URL using theshow cloud-auth-service-regionscommand in the Cloud Identity Engine to display the URLs for the region associated with your Cloud Identity Engine instance and enter each region-based URL. The following table includes the URLs for each region:RegionCloud Identity Engine Region-Based URLUnited Statescloud-auth.us.apps.paloaltonetworks.comcloud-auth-service.us.apps.paloaltonetworks.comEuropecloud-auth.nl.apps.paloaltonetworks.comcloud-auth-service.nl.apps.paloaltonetworks.comUnited Kingdomcloud-auth.uk.apps.paloaltonetworks.comcloud-auth-service.uk.apps.paloaltonetworks.comSingaporecloud-auth.sg.apps.paloaltonetworks.comcloud-auth-service.sg.apps.paloaltonetworks.comCanadacloud-auth.ca.apps.paloaltonetworks.comcloud-auth-service.ca.apps.paloaltonetworks.comJapancloud-auth.jp.apps.paloaltonetworks.comcloud-auth-service.jp.apps.paloaltonetworks.comAustraliacloud-auth.au.apps.paloaltonetworks.comcloud-auth-service.au.apps.paloaltonetworks.comGermanycloud-auth.de.apps.paloaltonetworks.comcloud-auth-service.de.apps.paloaltonetworks.comUnited States - Governmentcloud-auth-service.gov.apps.paloaltonetworks.comcloud-auth.gov.apps.paloaltonetworks.comIndiacloud-auth-service.in.apps.paloaltonetworks.comcloud-auth.in.apps.paloaltonetworks.com
- Enter the URLs that your IdP requires for user authentication (for example,*.okta.com) in the custom URL category.
- Create a security policy rule to allow traffic to the authentication type and Cloud Identity Engine and select the custom URL category as the match criteria.
- Specify the authentication profile for Explicit Proxy.
- Select .
- Select theConnection Name.
- Specify the Cloud Identity EngineAuthentication Profile.
- Commit and Pushyour changes.
- Verify that the Cloud Identity Engine is successfully authenticating your Explicit Proxy mobile users.
- From the Panorama that manages Prisma Access, select .
- View theEventstatus.
If the authentication fails, view theDescriptionfor more details about the failure.
- From the mobile user’s endpoint, use dev tools to view the Cloud Identity Engine authentication flow.
