Configure VPN Reverse Proxy for SaaS Security
You can use Prisma Access to control access to your network from mobile users’ unsanctioned devices. This configuration uses the Prisma SaaS (formerly Aperture) SAML proxy redirection feature instead of directly exposing the SaaS app or your network, removing all possible vulnerabilities to data exfiltration and malware propagation. Configuring this feature in Prisma SaaS and in Prisma Access allows you to control unsanctioned and mobile user-owned device access to your network and redirects device traffic to Prisma Access for inspection without putting your network or data at risk.
This feature requires Prisma SaaS integrated with a Security Assertion Markup Language (SAML) identity provider.
The following example uses Okta as the SAML provider. Palo Alto Networks has tested this feature with Okta, ADFS, Azure AD, Ping One, and Shibboleth. Note that Office 365 with Azure AD as the IdP is currently not supported.
To configure this feature, complete the following task.
This task describes in detail the Prisma Access-specific steps and provides only summary steps for the Prisma SaaS and Okta part of the configuration. For detailed steps to configure the app integration with Prisma SaaS and Okta, see Add Unsanctioned Device Access Control to Prisma SaaS in the Prisma SaaS Administrator’s Guide.
1. Log in to Okta and create two apps.
2. Create one app for Prisma SaaS.
3. Create one app for the SaaS app that you want mobile users to access from their unsanctioned devices.
   - You need the URL that directs users to sign in and use the app you created, and you need the certificate that validates SAML signatures when using single sign-on (SSO).
4. In Prisma SaaS, add Okta as an Identity Provider (IdP), using the URLs you received from Okta.
5. Make a note of the Gateway Settings and download the Identity Provider Certificate in Prisma SaaS.
   - In Prisma SaaS, select Settings > Unmanaged Device Access Control > SAML Proxy.
   - In the Identity Provider Settings area, select Actions > Edit.
   - Download and save the Identity Provider Certificate.
   - Make a note of the IDP Entity ID, IDP SSO URL, and IDP SLO URL.
   - Click Cancel after you’ve retrieved the configuration details.
6. Log in to Panorama and make a note of the Prisma Access API key and portal name.
   - API key: Select Panorama > Cloud Services > Configuration, click the Service Setup tab in the Prisma Access area, then select Generate API Key and make a note of the Current Key. If there is no key, click Generate New API Key to create one.
   - Portal name: Select Panorama > Cloud Services > Configuration > Mobile Users and make a note of the Hostname that is used for the Prisma Access portal. To configure the portal, configure Prisma Access for Users.
7. In Prisma SaaS, add Prisma Access as a gateway.
   - Select Settings > Unmanaged Device Access Control > SAML Proxy.
   - Select Gateways > Add Gateway > GPCS.
   - Enter the Portal name from Prisma Access in the GPCS Gateway URL field.
   - Enter the API key in the GPCS API Key field.
8. In Panorama, set up SAML authentication.
   - Select Device > Server Profiles > SAML Identity Provider.
   - Add an identity provider and give it a Name.
   - Add the following values you retrieved from Prisma SaaS in Step 5:
     - Identity Provider ID: Enter the IDP Entity ID from Prisma SaaS.
     - Identity Provider Certificate: Import the Identity Provider Certificate you downloaded from Prisma SaaS.
     - Identity Provider SSO URL: Enter the IDP SSO URL from Prisma SaaS.
     - Identity Provider SLO URL: Enter the IDP SLO URL from Prisma SaaS.
     - SAML HTTP Binding for SSO Requests to IDP: Select Redirect.
9. Add a SAML authentication profile, specifying the SAML identity provider server profile you just created.
   - Select Device > Authentication Profile.
   - Add a new authentication profile.
   - Select a Type of SAML and select the IdP Server Profile that you created.
   - Make sure that Enable Single Logout is deselected. Single logout is not supported with this feature.
10. Apply the authentication profile to the Prisma Access portal.
    - Select the GlobalProtect_Portal.
    - Add a client authentication profile, specifying the Authentication Profile you just created.
    - Make sure that Clientless VPN is enabled: click the Clientless VPN tab and confirm that Clientless VPN is selected.
11. Enable SSO on the SaaS app for which you want to provide access.
    - In the SaaS app, import the Identity Provider Certificate you downloaded from Prisma SaaS.
    - Enter the IDP Entity ID, Identity Provider SSO URL, IDP SLO URL, and, if applicable, the IDP SOAP URL and Assertion Consumer Service URL you copied from Prisma SaaS in Step 5.