Authenticate Panorama Managed Prisma Access GlobalProtect Mobile Users With the Cloud Identity Engine

Use the Cloud Authentication (CAS) component of the Cloud Identity Engine to authenticate Prisma Access mobile users in a Mobile Users—GlobalProtect deployment.
This functionality is only available for Panorama Managed Prisma Access 3.0 Innovation and later Innovation deployments.
The Cloud Identity Engine provides both user identification and user authentication for mobile users in a Prisma Access—GlobalProtect deployment. Using the Cloud Identity Engine for user authentication and username-to-user group mapping allows you to write security policy based on users and groups, not IP addresses, and helps secure your assets by enforcing behavior-based security actions. By continually syncing the information from your directories, the Cloud Identity Engine ensures that your user information is accurate and up to date and policy enforcement continues based on the mappings even if the SAML identity provider (IdP) is temporarily unavailable.
The Cloud Identity Engine has two components to provide authentication and enforcement of user- and group-based policy:
  • The
    Cloud Authentication Service
    component allows you to authenticate mobile users in a Prisma Access—GlobalProtect deployment. You configure a SAML identity IdP during configuration of the Cloud Identity Engine to use with the Cloud Authentication Service.
  • The
    Directory Sync
    component provides username-to-user group mapping for the authenticated user. You can use this mapping to enforce user- and group-based policy in Prisma Access.
To configure the Cloud Authentication Service to authenticate GlobalProtect mobile users, you must have the following minimum required product and software versions:
  • A minimum Prisma Access version of 3.0 Innovation or a later Innovation version, which requires a dataplane version of 10.1.
    To verify your dataplane version, select
    Panorama
    Cloud Services
    Configuration
    Service Setup
    and view the
    Current Dataplane version
    in the
    DataPlane PAN-OS version
    area.
    If your dataplane is running 10.1, you are running the Prisma Access 3.0 Innovation or later Innovation release and can use the Cloud Identity Engine to authenticate GlobalProtect mobile users. If your dataplane is running 10.0, you are running a Prisma Access Preferred release and you cannot authenticate mobile users with the Cloud Identity Engine.
  • A minimum GlobalProtect app version of 6.0.
  • A SAML IdP provider that is supported with the Cloud Identity Engine.
    Prisma Access supports all IdP providers that are supported by the Cloud Identity Engine, including Azure, Okta, PingOne, PingFederate, and Google.
  • A minimum Panorama version of 10.1.
To configure authentication for a mobile users using the Cloud Authentication Engine, complete the following steps.
  1. Install the device certificate on the Panorama that manages Prisma Access.
    You must generate a one-time password (OTP) and retrieve the device certificate to successfully authenticate Panorama with the Cloud Identity Engine.
    1. Log into the Customer Support Portal to generate the One Time Password (OTP).
    2. Select
      Assets
      Device Certificates
      and
      Generate OTP
      .
    3. For the
      Device Type
      , select
      Generate OTP for Panorama
      and
      Generate OTP
      .
    4. Select the
      Panorama Device
      serial number.
    5. Generate OTP and copy the OTP.
      and copy the OTP.
    6. From the Panorama that manages Prisma Access, select
      Panorama
      Setup
      Management
      Device Certificate Settings
      and
      Get certificate
      .
      When you have successfully installed the certificate, the
      Current Device Certificate Status
      (
      Panorama
      Setup
      Management
      Device Certificate
      ) displays as
      Valid
      .
  2. Activate the Cloud Identity Engine if you have not yet done so to create your first instance.
    1. Activate
      the Cloud Identity Engine.
      If the Activate button is not available, ensure that your role has the necessary privileges.
    2. Enter the information for your Cloud Identity Engine instance.
      • Select the
        Company Account
        for the instance.
      • Specify a
        Name
        to identify the instance.
      • (
        Optional
        ) Enter a
        Description
        to provide more information about the Cloud Identity Engine instance (for example, details about the instance’s purpose).
      • Select a
        Region
        .
        Make a note of the region you selected; you use that region when you activate the Cloud Identity Engine in a later step.
      • Agree to the
        EULA
        .
    3. Agree & Activate
      the instance.
    4. On the Activation Details page, select the hub in the upper left.
    5. The
      Cloud Identity Engine
      displays.
  3. (
    Optional
    ) If you require a separate instance for Explicit Proxy, configure a Cloud Identity Engine Instance.
    If you want to isolate your Explicit Proxy directory data, or allow different Palo Alto Networks cloud applications and services to access different sets of directory data, you can create a Cloud Identity Engine instance specifically for Explicit Proxy.
    When you select a
    Region
    , select the same region you used when you activated the Cloud Identity Engine.
  4. From the Cloud Identity Engine app, configure a SAML IdP in the Cloud Identity Engine.
    The Cloud Identity Engine Getting Started guide has the procedures you need to configure a SAML IdP in the Cloud Identity Engine:
    Use the following values in the when configuring Explicit Proxy authentication in your IdP:
    • Single sign on URL:
      global.acs.prismaaccess.com
    • SAML Assertion Consumer Service URL:
      https://global.acs.prismaaccess.com/saml/acs
    • Entity ID URL:
      https://global.acs.prismaaccess.com/saml/metadata
  5. Configure an authentication profile to use with the Cloud Authentication Service.
    Be sure that you are in the
    Mobile_User_Template
    . By setting up an authentication profile in Panorama, you can redirect GlobalProtect mobile users to the IdP you configure for authentication.
  6. Change the pre-deployed settings on mobile users’ Windows, macOS, Linux, Android, and iOS endpoints to use the default system browser for SAML authentication.
    You must set the pre-deployed settings on the client endpoints before you can enable the default system browser for SAML authentication. GlobalProtect retrieves these entries only once, when the GlobalProtect app initializes.
    If there is no pre-deployed value specified on the end users’ Windows or macOS endpoints when using the default system browser for SAML authentication, the
    Use Default Browser for SAML Authentication
    option is set to
    Yes
    in the portal configuration, and users upgrade the app from release 5.0.x or release 5.1.x to release 5.2.0 for the first time, the app will open an embedded browser instead of the default system browser. After users connect to the GlobalProtect app and the
    Use Default Browser for SAML Authentication
    option is set to
    Yes
    in the portal configuration, the app will open the default system browser on Windows and macOS endpoints at the next login.
    If the
    default browser
    value is set to
    Yes
    in the pre-deployed setting of the client machine and the
    Use Default Browser for SAML Authentication
    option is set to
    No
    in the portal configuration, end users will not have the best user experience. The app will open the default system browser for SAML authentication for the first time. Because the default browser values differ between the client machine and the portal, the app detects a mismatch and opens an embedded browser at the next login.
    The
    Use Default Browser for SAML Authentication
    option of the GlobalProtect portal and the pre-deployed settings in the client machine must have the same value to provide the best user experience.
    • On Windows endpoints, you can use the System Center Configuration Manager (SCCM) to pre-deploy the GlobalProtect app 5.2 and set the
      DEFAULTBROWSER
      value to
      yes
      from the Windows Installer (Msiexec) using the following syntax:
      msiexec.exe /i GlobalProtect.msi DEFAULTBROWSER=YES
    • On macOS endpoints, set the
      default-browser
      value to
      yes
      in the macOS plist (
      /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
      ) for the GlobalProtect app using the following syntax:
      sudo defaults write /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist ’{"Palo Alto Networks" ={GlobalProtect={Settings={default-browser=yes;};};};}’
      You must specify the plist key to launch the default system browser for SAML authentication after GlobalProtect app 5.2 is installed.
      After you add the plist key, you must restart the GlobalProtect app in order for the plist key to take effect. After you restart the GlobalProtect app, the default system browser for SAML authentication launches. To restart the GlobalProtect app:
      • Launch the Finder.
      • Open the Applications folder by selecting
        Applications
        from the Finder sidebar.
        If you do not see
        Applications
        in the Finder sidebar, select
        Go
        Applications
        from the Finder menu bar.
      • Open the Utilities folder.
      • Launch Terminal.
      • Execute the following commands:
        username>$ launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist username>$ launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist username>$ launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist username>$ launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
    • On Linux endpoints, set the
      default-browser
      value to
      yes
      in the
      /opt/paloaltonetworks/globalprotect/pangps.xml
      pre-deployment configuration file under
      <Settings>
      . After you add the
      default-browser
      value, follow the pre-deployment instructionsbefore you reboot the Linux endpoint in order for the change to take effect.
    • On Android and iOS endpoints, create a VPN profile by using the supported mobile device management system (MDM) such as Airwatch.
      • Log in to Airwatch as an administrator.
      • Select an existing VPN profile (
        Devices
        Profiles & Resources
        Profiles
        ) in the list.
      • Select
        VPN
        to add a VPN profile.
        On Android endpoints, enter the
        Custom Data Key
        (
        use_default_browser_for_saml
        ). Enter the
        Custom Data Value
        (
        true
        ).
        On iOS endpoints, enter the
        Custom Data Key
        (
        saml-use-default-browser
        ). Enter the
        Custom Data Value
        (
        true
        ).
      • Click
        Save and Publish
        to save your changes.
  7. Configure the Prisma Access portal to use Cloud Identity Engine authentication.
    1. In the
      Mobile_User_Template
      , select
      Network
      GlobalProtect
      Portals
      GlobalProtect_Portal
      Authentication
      .
    2. Select the
      Default
      GlobalProtect portal configuration.
    3. Select the
      Authentication Profile
      you created for Cloud Identity Engine authentication and click
      OK
      .
    4. Select
      Agent
      , then select the
      Default
      agent.
    5. (
      Optional
      ) If you have on-premises GlobalProtect gateways and want the Prisma Access gateway to generate a cookie to override authentication for on-premises gateways, select
      Generate cookie for authentication override
      .
    6. (
      Optional
      ) If you want Prisma Access to accept cookies from on-premises gateways that allows them to override authentication for Prisma Access, select
      Accept cookie for authentication override
      .
    7. Click
      OK
      .
    8. In the
      App
      settings, make sure that
      Use Default Browser for SAML Authentication
      is set to
      Yes
      .
      Selecting this portal setting ensures that mobile users can leverage the same login for GlobalProtect with their saved user credentials on the default system browser such as Chrome, Firefox, or Safari.
    9. Click
      OK
      .
  8. Configure the Prisma Access gateway to use Cloud Identity Engine authentication.
    1. In the
      Mobile_User_Template
      , select
      Network
      GlobalProtect
      Gateways
      GlobalProtect_External_Gateway
      .
    2. Select
      Authentication
      .
    3. Select the
      Default
      authentication profile.
    4. Select the
      Authentication Profile
      you created for Cloud Identity Engine authentication and click
      OK
      .
    5. Select
      Agent
      Client Settings
      , then select the
      Default
      configuration.
    6. (
      Optional
      ) Select
      Generate cookie for authentication override
      and
      Accept cookie for authentication override
      .
      When you use the Cloud Identity Engine for authentication, Palo Alto Networks recommends that you allow authentication cookie overrides on gateways, since you have already configured authentication on the portal. If you do not configure cookie overrides on the gateway, two authentication pages display on the mobile user’s default browser when they log in to a gateway—one page for portal authentication and one page for gateway authentication.
    7. Click
      OK
      .
  9. Complete the Cloud Identity Engine configuration in Panorama.
    1. Select
      Panorama
      Setup
      Management
      and
      Edit
      the
      Authentication Settings
      , then select the
      Authentication Profile
      you created in Step 5.
    2. Select
      Panorama
      Device Groups
      and
      Add
      or
      Edit
      a device group.
    3. Select the
      Cloud Identity Engine
      and
      Add
      the Cloud Identity Engine instance you want to associate with Panorama; then, click
      OK
      .
  10. Commit and Push
    your changes.
  11. Verify that the Cloud Identity Engine is successfully authenticating your mobile users.
    1. On a mobile user endpoint, open the GlobalProtect app (minimum GlobalProtect version of 6.0 required).
    2. If prompted,
      Get Started
      .
    3. Enter the
      Portal
      URL in the app and
      Connect
      to it.
    4. When you are challenged for authentication, verify that you are redirected to the SAML IdP and are presented with a login page.
      After you successfully authenticate to the SAML IdP, it redirects you to Prisma Access. Prisma Access then validates the SAML responses from the SAML IdP and the mobile user is able to log in to the GlobalProtect portal.
    5. Enter your credentials to log in.
    6. After you have successfully logged in,
      Open GlobalProtect
      in the browser or, if you are provided with a URL,
      Click Here
      to open the GlobalProtect app.
    7. If your system browser prompts you to allow opening GlobalProtect in the browser,
      Allow
      it.
    8. Verify that you receive a banner from the GlobalProtect app, indicating that you are
      Connected
      to GlobalProtect and showing the GlobalProtect
      Portal
      and
      Gateway
      .
    9. (
      Optional
      ) To see more information about the GlobalProtect connection, select
      Settings
      from the GlobalProtect app.
      From this area, you can see the user that is logged in, view connection statistics and notifications, and download GlobalProtect logs for
      Troubleshooting
      .

Recommended For You