Configure VPN Reverse Proxy for SaaS Security
You can use Prisma Access to control access
to your network from mobile users’ unsanctioned devices. This configuration
uses the Prisma SaaS feature of SAML redirection by proxy instead
of directly exposing the SaaS app or your network, removing all
possible vulnerabilities to data exfiltration and malware propagation.
Configuring this feature in Prisma SaaS and in Prisma Access allows
you to control unsanctioned and mobile user-owned device access
to your network and redirects device traffic to Prisma Access for
inspection without putting your network or data at risk.
This
feature requires the use of Prisma SaaS integrated with a Secure
Assertion Markup Language (SAML) provider.
The following
example uses Okta as the SAML provider. Palo Alto Networks has tested
this feature with Okta, ADFS, Azure AD, Ping One, and Shibboleth.
Note that Office 365 with Azure AD as the IdP is currently not supported.
To
configure this feature, complete the following task.
This
task describes in detail the Prisma Access-specific steps and provides
only summary steps for the Prisma SaaS and Okta part of the configuration. For
detailed steps to configure the app integration with Prisma SaaS
and Okta, see Add Unsanctioned Device Access
Control to Prisma SaaS in the Prisma SaaS Administrator’s Guide.
- Log in to Okta and create two apps:
- Create one app for Prisma SaaS.
- Create one app for the SaaS app that you want mobile users to access from their unsanctioned devices.
- You need the URL to direct users to sign in and use the app you created and you need the certificate to validate SAML signatures when using single sign-on (SSO).
- In Prisma SaaS, add Okta as an Identity Provider (IdP), using the URLs you received from Okta.
- Make a note of theGateway Settingsand download theIdentity Provider Certificatein Prisma SaaS.
- In Prisma SaaS, select .
- In theIdentity Provider Settingsarea, select .
- Download and save theIdentity Provider Certificate.
- Make a note of theIDP Entity ID.IDP SSO URL, andIDP SLO URL.
- ClickCancelafter you’re retrieved the configuration details.
- Log in to Panorama and make a note of the Prisma Access API key and portal name.
- API key—Select , click theService Setuptab in thePrisma Accessarea, then selectGenerate API Keyand make a note of theCurrent Key.If there is no key, clickGenerate New API Keyto create one.
- Portal name—Select and make a note of theHostnamethat is used for the Prisma Access portal.To configure the portal, configure Prisma Access for Users.
- In Prisma SaaS, add Prisma Access as a gateway.
- Select .
- Select .
- Enter thePortal namefrom Prisma Access in theGPCS Gateway URLfield.
- Enter theAPI keyin theGPCS API Keyfield.
- In Panorama, set up SAML authentication.
- Select .
- Addan identity provider and give it aName.
- Add the following you retrieved from Prisma SaaS in Step 5:
- Identity Provider ID—Enter theIDP Entity IDfrom Prisma SaaS.
- Identity Provider Certificate—ImporttheIdentity Provider Certificateyou downloaded from Prisma SaaS.
- Identity Provider SSO URL—Enter theIDP SSO URLfrom Prisma SaaS.
- Identity Provider SLO URL—Enter theIDP SLO URLfrom Prisma SaaS.
- SAML HTTP Binding for SSO Requests to IDP—SelectRedirect.
- Add a SAML authentication profile, specifying the SAML identify profile you just created.
- Select .
- Adda new authentication profile.
- Select a type ofSAMLand select theIdP Server Profilethat you created.
- Be sure thatEnable Single Logoutis deselected.Single logout is not supported with this feature.
- Apply the authentication profile to the Prisma Access portal.
- Select .
- Select theGlobalProtect_Portal.
- ClickAuthentication.
- Adda client authentication profile, specifying theAuthentication Profileyou just created.
- Make sure that you have enabled Clientless VPN by clicking theClientless VPNtab and making sure that you have selectedClientless VPN.
- Enable SSO on the SaaS app for which you want to provide access.
- In the SaaS app, import theIdentity Provider Certificateyou downloaded from Prisma SaaS.
- Enter theIDP Entity ID,Identity Provider SSO URL,IDP SLO URL, and if applicable,IDP SOAP URLandAssertion Consumer Service URLyou copied from Prisma SaaS in Step 5.
