Configure VPN Reverse Proxy for SaaS Security

You can use Prisma Access to control access to your network from mobile users’ unsanctioned devices. This configuration uses the Aperture feature of SAML redirection by proxy instead of directly exposing the SaaS app or your network, removing all possible vulnerabilities to data exfiltration and malware propagation. Configuring this feature in Prisma SaaS (formerly Aperture) and in Prisma Access allows you to control unsanctioned and mobile user-owned device access to your network and redirects device traffic to Prisma Access for inspection without putting your network or data at risk.
This feature requires the use of Prisma SaaS integrated with a Secure Assertion Markup Language (SAML) provider.
The following example uses Okta as the SAML provider. Palo Alto Networks has tested this feature with Okta, ADFS, Azure AD, Ping One, and Shibboleth. Note that Office 365 with Azure AD as the IdP is currently not supported.
To configure this feature, complete the following task.
This task describes in detail the Prisma Access-specific steps and provides only summary steps for the Prisma SaaS and Okta part of the configuration. For detailed steps to configure the app integration with Prisma SaaS and Okta, see Add Unsanctioned Device Access Control to Prisma SaaS in the Prisma SaaS Administrator’s Guide.
  1. Log in to Okta and create two apps:
    • Create one app for Prisma SaaS.
    • Create one app for the SaaS app that you want mobile users to access from their unsanctioned devices.
  2. You need the URL to direct users to sign in and use the app you created and you need the certificate to validate SAML signatures when using single sign-on (SSO).
  3. In Prisma SaaS, add Okta as an Identity Provider (IdP), using the URLs you received from Okta.
  4. Make a note of the
    Gateway Settings
    and download the
    Identity Provider Certificate
    in Prisma SaaS.
    1. In Prisma SaaS, select
      Settings
      Unmanaged Device Access Control
      SAML Proxy
      .
    2. In the
      Identity Provider Settings
      area, select
      Actions
      Edit
      .
    3. Download and save the
      Identity Provider Certificate
      .
    4. Make a note of the
      IDP Entity ID
      .
      IDP SSO URL
      , and
      IDP SLO URL
      .
      You use these fields when you configure SAML Authentication in Panorama in Step 8.
      Also make a note of the
      IDP SOAP URL
      and
      Assertion Consumer Service URL
      fields; you might need those fields when you configure SAML in the SaaS app for which you want to provide access in Step 12.
      saml-aperture-config-details.png
    5. Click
      Cancel
      after you’re retrieved the configuration details.
  5. Log in to Panorama and make a note of the Prisma Access API key and portal name.
    • API key
      —Select
      Panorama
      Cloud Services
      Configuration
      , click the
      Service Setup
      tab in the
      Prisma Access
      area, then select
      Generate API Key
      and make a note of the
      Current Key
      .
      If there is no key, click
      Generate New API Key
      to create one.
      generate-api-key.png
    • Portal name
      —Select
      Panorama
      Cloud Services
      Configuration
      Mobile Users
      and make a note of the
      Hostname
      that is used for the Prisma Access portal.
      To configure the portal, configure Prisma Access for Users.
  6. In Prisma SaaS, add Prisma Access as a gateway.
    1. Select
      Settings
      Unmanaged Device Access Control
      SAML Proxy
      .
    2. Select
      Gateways
      Add Gateway GPCS
      .
    3. Enter the
      Portal name
      from Prisma Access in the
      GPCS Gateway URL
      field.
    4. Enter the
      API key
      in the
      GPCS API Key
      field.
    1. Select
      Device
      Server Profiles
      SAML Identity Provider
      .
    2. Add
      an identity provider and give it a
      Name
      .
    3. Add the following you retrieved from Prisma SaaS in Step 5:
      • Identity Provider ID
        —Enter the
        IDP Entity ID
        from Prisma SaaS.
      • Identity Provider Certificate
        Import
        the
        Identity Provider Certificate
        you downloaded from Prisma SaaS.
        saml-aperture-import-certificate.png
      • Identity Provider SSO URL
        —Enter the
        IDP SSO URL
        from Prisma SaaS.
      • Identity Provider SLO URL
        —Enter the
        IDP SLO URL
        from Prisma SaaS.
      • SAML HTTP Binding for SSO Requests to IDP
        —Select
        Redirect
        .
      saml-identity-provider-okta-ssl.png
  7. Add a SAML authentication profile, specifying the SAML identify profile you just created.
    1. Select
      Device
      Authentication Profile
      .
    2. Add
      a new authentication profile.
    3. Select a type of
      SAML
      and select the
      IdP Server Profile
      that you created.
    4. Be sure that
      Enable Single Logout
      is deselected.
      Single logout is not supported with this feature.
      saml-auth-profile-proxy.png
  8. Apply the authentication profile to the Prisma Access portal.
    1. Select
      Network
      GlobalProtect
      Portals
      .
    2. Select the
      GlobalProtect_Portal
      .
    3. Click
      Authentication
      .
    4. Add
      a client authentication profile, specifying the
      Authentication Profile
      you just created.
      saml-auth-proxy-specify-auth-profile.png
  9. Make sure that you have enabled Clientless VPN by clicking the
    Clientless VPN
    tab and making sure that you have selected
    Clientless VPN
    .
    clientless-vpn-enable.png
  10. Enable SSO on the SaaS app for which you want to provide access.
    1. In the SaaS app, import the
      Identity Provider Certificate
      you downloaded from Prisma SaaS.
    2. Enter the
      IDP Entity ID
      ,
      Identity Provider SSO URL
      ,
      IDP SLO URL
      , and if applicable,
      IDP SOAP URL
      and
      Assertion Consumer Service URL
      you copied from Prisma SaaS in Step 5.

Related Documentation