Configure VPN Reverse Proxy for SaaS Security
You can use Prisma Access to control access to your network from mobile users’ unsanctioned devices. This configuration uses the Aperture feature of SAML redirection by proxy instead of directly exposing the SaaS app or your network, removing all possible vulnerabilities to data exfiltration and malware propagation. Configuring this feature in Prisma SaaS (formerly Aperture) and in Prisma Access allows you to control unsanctioned and mobile user-owned device access to your network and redirects device traffic to Prisma Access for inspection without putting your network or data at risk.
This feature requires Prisma SaaS integrated with a Security Assertion Markup Language (SAML) identity provider.
The following example uses Okta as the SAML provider. Palo Alto Networks has tested this feature with Okta, ADFS, Azure AD, Ping One, and Shibboleth. Note that Office 365 with Azure AD as the IdP is currently not supported.
To configure this feature, complete the following task.
This task describes in detail the Prisma Access-specific steps and provides only summary steps for the Prisma SaaS and Okta part of the configuration. For detailed steps to configure the app integration with Prisma SaaS and Okta, see Add Unsanctioned Device Access Control to Prisma SaaS in the Prisma SaaS Administrator’s Guide.
- Log in to Okta and create two apps:
  - Create one app for Prisma SaaS.
  - Create one app for the SaaS app that you want mobile users to access from their unsanctioned devices.
  - You need the URL that directs users to sign in and use the app you created, and you need the certificate that validates SAML signatures when using single sign-on (SSO).
- In Prisma SaaS, add Okta as an Identity Provider (IdP), using the URLs you received from Okta.
- Make a note of the Gateway Settings and download the Identity Provider Certificate in Prisma SaaS.
  - In Prisma SaaS, select Settings > Unmanaged Device Access Control > SAML Proxy.
  - In the Identity Provider Settings area, select Actions > Edit.
  - Download and save the Identity Provider Certificate.
  - Make a note of the IDP Entity ID, IDP SSO URL, and IDP SLO URL.
  - Click Cancel after you've retrieved the configuration details.
- Log in to Panorama and make a note of the Prisma Access API key and portal name.
  - API key—Select Panorama > Cloud Services > Configuration, click the Service Setup tab in the Prisma Access area, then select Generate API Key and make a note of the Current Key. If there is no key, click Generate New API Key to create one.
  - Portal name—Select Panorama > Cloud Services > Configuration > Mobile Users and make a note of the Hostname that is used for the Prisma Access portal. To configure the portal, configure Prisma Access for Users.
- In Prisma SaaS, add Prisma Access as a gateway.
  - Select Settings > Unmanaged Device Access Control > SAML Proxy.
  - Select Gateways > Add Gateway > GPCS.
  - Enter the Portal name from Prisma Access in the GPCS Gateway URL field.
  - Enter the API key in the GPCS API Key field.
- In Panorama, set up SAML authentication.
  - Select Device > Server Profiles > SAML Identity Provider.
  - Add an identity provider and give it a Name.
  - Add the following values that you retrieved from Prisma SaaS in Step 5:
    - Identity Provider ID—Enter the IDP Entity ID from Prisma SaaS.
    - Identity Provider Certificate—Import the Identity Provider Certificate you downloaded from Prisma SaaS.
    - Identity Provider SSO URL—Enter the IDP SSO URL from Prisma SaaS.
    - Identity Provider SLO URL—Enter the IDP SLO URL from Prisma SaaS.
    - SAML HTTP Binding for SSO Requests to IDP—Select Redirect.
- Add a SAML authentication profile, specifying the SAML identity provider profile you just created.
  - Select Device > Authentication Profile.
  - Add a new authentication profile.
  - Select a type of SAML and select the IdP Server Profile that you created.
  - Be sure that Enable Single Logout is deselected. Single logout is not supported with this feature.
- Apply the authentication profile to the Prisma Access portal.
  - Select the GlobalProtect_Portal.
  - Add a client authentication profile, specifying the Authentication Profile you just created.
  - Make sure that Clientless VPN is enabled: click the Clientless VPN tab and verify that Clientless VPN is selected.
- Enable SSO on the SaaS app for which you want to provide access.
  - In the SaaS app, import the Identity Provider Certificate you downloaded from Prisma SaaS.
  - Enter the IDP Entity ID, Identity Provider SSO URL, IDP SLO URL, and, if applicable, the IDP SOAP URL and Assertion Consumer Service URL you copied from Prisma SaaS in Step 5.
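The Panorama SAML Identity Provider server profile in the procedure above needs four values from the SAML proxy: the entity ID, the SSO URL (with the Redirect binding), the SLO URL, and the signing certificate. The following script is an added example, not part of the Palo Alto Networks documentation, and it assumes those values are available as a standard SAML 2.0 IdP metadata document (the procedure above copies them from the Prisma SaaS UI instead). It extracts the values, checks that they are usable for the profile (a Redirect SSO endpoint exists, endpoints are HTTPS, the certificate is well-formed base64 DER), and wraps the certificate as PEM for import. The metadata, hostname and certificate body are constructed sample data.

```python
"""Extract and sanity-check the IdP values a Panorama SAML Identity Provider
server profile needs: entity ID, SSO URL, SLO URL and signing certificate.

Added example, not code from Palo Alto Networks. Assumes a standard SAML 2.0
IdP metadata document; the hostname and certificate below are constructed.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata: placeholder host, bogus (but base64/DER-shaped) cert.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://samlproxy.example.invalid/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBsampleCERTbodyNOTaREALcertificate0123456789A</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://samlproxy.example.invalid/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://samlproxy.example.invalid/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://samlproxy.example.invalid/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_idp_values(metadata_xml):
    """Return the values the Panorama SAML IdP server profile asks for."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # Map binding -> endpoint so the Redirect binding can be picked explicitly.
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}
    cert_path = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    cert_el = idp.find("md:KeyDescriptor[@use='signing']/" + cert_path, NS)
    if cert_el is None:  # a KeyDescriptor without 'use' serves signing and encryption
        cert_el = idp.find("md:KeyDescriptor/" + cert_path, NS)
    cert_b64 = "".join(cert_el.text.split()) if cert_el is not None and cert_el.text else None
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get(REDIRECT),            # profile above selects Redirect binding
        "slo_url": slo.get(REDIRECT) or slo.get(POST),
        "certificate_b64": cert_b64,
    }


def check_profile_values(values):
    """Return a list of findings; an empty list means the values are usable."""
    findings = []
    if not values.get("entity_id"):
        findings.append("entity_id: missing, the Identity Provider ID field cannot be filled")
    if not values.get("sso_url"):
        findings.append("sso_url: no HTTP-Redirect SSO endpoint, but the profile uses Redirect binding")
    for key in ("sso_url", "slo_url"):
        url = values.get(key)
        if url and urlparse(url).scheme != "https":
            findings.append(f"{key}: {url} is not https, SAML messages would travel in clear text")
    cert = values.get("certificate_b64")
    if not cert:
        findings.append("certificate_b64: no signing certificate to import")
    else:
        try:
            der = base64.b64decode(cert, validate=True)
        except ValueError:
            findings.append("certificate_b64: not valid base64")
        else:
            if not der.startswith(b"\x30\x82"):  # DER SEQUENCE with 2-byte length
                findings.append("certificate_b64: decoded bytes do not look like a DER certificate")
    return findings


def to_pem(cert_b64):
    """Wrap the metadata's bare base64 certificate as PEM for import."""
    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    vals = extract_idp_values(SAMPLE_METADATA)
    for name in ("entity_id", "sso_url", "slo_url"):
        print(f"{name:16} {vals[name]}")
    print(to_pem(vals["certificate_b64"]))
    print("findings:", check_profile_values(vals) or "none")
```

Run it against the metadata you actually receive; a non-empty findings list means the Panorama profile would be built from values that either cannot be entered (no Redirect endpoint, missing certificate) or weaken the deployment (non-HTTPS endpoints). The script only checks shape, not trust: it does not verify that the certificate belongs to the proxy you expect.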