Configure Unsanctioned Device Access Control

Use Prisma SaaS as a SAML proxy between your existing Identity Provider and next generation firewall to control access to your sanctioned SaaS applications.
To control unmanaged and employee-owned device access to your sanctioned SaaS applications, add application integration on your Identity Provider (IdP) for Prisma SaaS and each SaaS application (or Service Provider) to authenticate SAML 2.0 access.
After you integrate the Identity Provider (IdP), Service Provider (SP), and Prisma SaaS, add your next generation firewall on Prisma SaaS. For visibility and control of unsanctioned devices, add a clientless VPN portal that you host or that resides in your Prisma Access infrastructure.
In the following example integration, Okta is the IdP and G Suite is the SP. Prisma SaaS supports additional combinations of IdPs and SPs.
You must be a Super Admin or Admin to configure SAML Proxy on Prisma SaaS.
What you do, and why:
  • Plan Your Integration: use the worksheet provided to map values between the interfaces, streamlining your integration and avoiding misconfigurations.
  • Enable Unmanaged Device Access Control: before you can integrate, you must enable Prisma SaaS to control unmanaged devices.
  • Create a Prisma SaaS App on the Identity Provider: create a Prisma SaaS application to integrate Prisma SaaS with the IdP, allowing the authentication of user requests to sanctioned SaaS applications from unmanaged devices.
  • Add People and Groups to Prisma SaaS App: add the people and groups to which you want to grant access.
  • Add the Identity Provider on Prisma SaaS: configure the IdP on Prisma SaaS to authenticate access through the SAML 2.0 proxy.
  • Create the Service Provider App on the Identity Provider: create a SaaS app (SP) application to integrate the SP with the IdP, requiring authentication of user requests before granting access to SaaS application resources. An app integration for each SaaS application must be created on the IdP.
  • Add People and Groups to Service Provider App: add the people and groups to which you want to grant access.
  • Add the Service Provider on Prisma SaaS: configure the SaaS application on Prisma SaaS to authenticate users and redirect traffic to your firewall. Each SaaS application you want to control access to must be configured on Prisma SaaS.
  • Configure the Identity Provider on the Service Provider: configure the IdP on the SP to establish a trusted relationship to identify users, grant access, and authenticate a Prisma SaaS session that redirects the traffic through the next generation firewall.
  • Configure Clientless VPN: configure Prisma SaaS on your Clientless VPN to redirect the remote users’ authentication requests and application traffic through the firewall.
  • Add Prisma SaaS SAML Proxy on NGFW: configure your NGFW with your SAML IdP, which is Prisma SaaS.
  • Configure Gateway Settings on Prisma SaaS: configure the firewall portal settings on Prisma SaaS to create a trusted relationship between the firewall and Prisma SaaS. The portal settings can also be configured to use your domain, IP address, combination of domains or IP addresses, or Prisma Access.

Plan Your Integration

Your integration involves sharing information across Prisma SaaS, the IdP, and the SP. You’ll also work with the NGFW and Prisma Access. However, you’ll begin and end your integration with Prisma SaaS.
Throughout this integration, use the following worksheet to record the values needed for each product’s user interface. Each interface has a unique term for the same value; each worksheet row names the source field and its value, then the field on the other product where that value is entered.

Values between Prisma SaaS, Okta (IdP), and G Suite (SP):
  • Transfer from Prisma SaaS to Okta (G Suite: n/a):
    • Prisma SaaS "(SP Config) IDP Entity ID", value <yourDomainName>.samlproxy.com, goes into Okta "Audience URI (SP Entity ID)".
    • Prisma SaaS "Assertion Consumer Service URL", value https://<yourDomainName>.samlproxy.com/acs, goes into Okta "Single sign on URL".
  • Transfer from Okta to Prisma SaaS (G Suite: n/a):
    • Okta "Identity Provider Issuer", value http://www.okta.com/<uniqueID>, goes into Prisma SaaS "(IDP Config) IDP Entity ID".
    • Okta "Identity Provider Single Sign-On URL", value https://<yourDomainName>.okta.com/app/<yourDomainName>_<yourAppName>/<uniqueID>/sso/saml, goes into Prisma SaaS "(IDP Config) SSO URL".
    • Okta "Sign-in page URL", value https://<yourDomainName>.okta.com/app/google/<uniqueID>, goes into Prisma SaaS "(SP Config) SSO URL".
    • Okta "X.509 Certificate/Verification certificate", file okta.cer (rename .cert to .cer), goes into Prisma SaaS "Certificate".
  • Add G Suite SSO to Prisma SaaS (Okta: n/a; G Suite: n/a):
    • Prisma SaaS "ACS URL": https://www.google.com/a/<yourDomainName>/acs
    • Prisma SaaS "SP Entity ID": google.com/a/<yourDomainName>
  • Transfer from Prisma SaaS to G Suite (Okta: n/a):
    • Prisma SaaS "IDP SSO URL", value https://<yourDomainName>.samlproxy.com/sso, goes into G Suite "Sign-in page URL".
    • Prisma SaaS "IDP SOAP URL", value https://<yourDomainName>.samlproxy.com/soap, goes into G Suite "Sign-out page URL".
    • G Suite "Change password URL": leave blank or accept the default (no Prisma SaaS value).
    • Prisma SaaS "Identity Provider Certificate", file prisma_saas.cer, goes into G Suite "Verification certificate".

Values between Prisma SaaS, the NGFW, and Prisma Access:
  • Transfer from Prisma SaaS to NGFW (Prisma Access: n/a):
    • Prisma SaaS "Identity Provider Certificate", file prisma_saas.cer, goes into NGFW "Identity Provider Certificate".
    • Prisma SaaS "(SP Config) IDP Entity ID", value <yourDomainName>.samlproxy.com, goes into NGFW "Identity Provider ID".
    • Prisma SaaS "IDP SLO URL", value https://<yourDomainName>.samlproxy.com/slo, goes into NGFW "Identity Provider SLO URL".
    • Prisma SaaS "IDP SSO URL", value https://<yourDomainName>.samlproxy.com/sso, goes into NGFW "Identity Provider SSO URL".
  • Transfer from Firewall to Prisma SaaS (Prisma Access: n/a):
    • NGFW "Hostname/IP Address", value <yourDomainName>, goes into Prisma SaaS "Domain/IP Address".
    • NGFW "entityID", located in the Metadata file as outlined in Step 5 of Add Prisma SaaS SAML Proxy on NGFW, goes into Prisma SaaS "Entity ID". If you have an AWS cloud environment, replace the Entity ID with your firewall’s external IP address or hostname.
    • NGFW "Trusted Networks" goes into Prisma SaaS "Trusted Networks".
  • Transfer from Prisma Access to Prisma SaaS (NGFW: n/a):
    • Prisma Access: the Hostname used for the Prisma Access portal (Panorama > Cloud Services > Configuration > Mobile Users) goes into Prisma SaaS "Portal Name".
    • Prisma Access: the Current Key (select Panorama > Cloud Services > Configuration, then click the Service Setup tab in the Prisma Access area) goes into Prisma SaaS "GlobalProtect Cloud Service API Key".

Enable Unmanaged Device Access Control

Before you can add the IdP and Service Provider, you must enable Prisma SaaS to control unmanaged devices. Then, Prisma SaaS displays the required IdP and SP settings.
  1. Log in to Prisma SaaS.
  2. Select Settings > SAML Proxy, then toggle to enable Unmanaged Device Access Control Configuration.
  3. Select Identity Provider Settings > Add Identity Provider.
  4. Scroll down to Configuration details to enter on your Service Provider.
  5. Record values for the following Prisma SaaS IdP settings in your planning worksheet and download the Prisma SaaS certificate (prisma_saas.cer):
    • IDP Entity ID
    • Assertion Consumer Service URL
    You’ll use the IdP information in the next step to create a Prisma SaaS app on your Identity Provider, and the certificate later when you configure the Identity Provider on the Service Provider.
  6. Click Cancel, as you’re not yet ready to create the Identity Provider on Prisma SaaS.

Create a Prisma SaaS App on the Identity Provider

Now that you’ve retrieved the IdP settings from Prisma SaaS, you’re ready to apply those settings to create a new application on your Identity Provider.
This application enables you to integrate Prisma SaaS with your Identity Provider to control access to SaaS applications on unmanaged devices on external networks using the SAML 2.0 protocol.
  1. Log in to Okta.
  2. Select Applications > Add Applications > Create New App.
  3. Create the new app with a Web platform and SAML 2.0 sign-on method, then Create.
  4. In General Settings, type an App name for Prisma SaaS.
  5. Click Next.
  6. Specify the following Okta SAML settings, using your planning worksheet:
    • Single sign on URL
    • Audience URI (SP Entity ID)
  7. Accept all other defaults, then Next.
  8. Select I’m an Okta customer adding an internal app, then Finish.
  9. Click View Setup Instructions.
  10. Record values for the following Okta IdP settings in your planning worksheet, then Download the Okta certificate.
    • Identity Provider Single Sign-On URL
    • Identity Provider Issuer
    You’ll use this information in the next step when you add your Identity Provider on Prisma SaaS.
  11. Rename the Okta X.509 certificate from the CERT extension to either the CER or CRT file extension.

Add People and Groups to Prisma SaaS App

On Okta, add the people and groups to which you want to grant access to Prisma SaaS. Although you can perform this action after the integration, it’s recommended that you do so now so that you don’t forget this important dependency.
  1. Log in to Okta.
  2. From the Prisma SaaS SAML app, select Assign > Assign to, then add and manage people or groups.

Add the Identity Provider on Prisma SaaS

Now that you’ve created a Prisma SaaS application on your Identity Provider and have the required IdP values and certificate from Okta, you’re ready to add the Identity Provider on Prisma SaaS.
  1. Log in to Prisma SaaS, and select Settings > SAML Proxy > Identity Provider Settings > Add Identity Provider.
  2. Enter your IdP’s name in IDP Name.
  3. Click Choose File and upload the Okta certificate that you downloaded earlier.
  4. Specify values for the following Okta IdP settings, using your planning worksheet, then Save.
    • IDP Entity ID
    • SSO URL

Create the Service Provider App on the Identity Provider

Now that you’ve added the Identity Provider to Prisma SaaS, you’re ready to add the SaaS app (Service Provider app) on the IdP. When you add the SaaS application to your IdP, access is authenticated through the Prisma SaaS SAML proxy before traffic is redirected through the firewall.
You need the Identity Provider Sign-in URL to direct users to sign in and the certificate from the IdP to validate SAML signatures when using SSO. Each SaaS application must be configured on your Identity Provider to control unmanaged device access.
  1. Log in to Okta.
  2. Select Admin > Applications > Add Application > G Suite > Add.
  3. Enter Your Google Apps company domain, accept all other defaults, then Next.
  4. Select SAML 2.0 > Next > View Setup Instructions.
  5. Record the value for the G Suite Sign-in page URL setting in your planning worksheet and download the Okta certificate.
    You’ll use this information in the next step when you add the Service Provider on Prisma SaaS.

Add People and Groups to Service Provider App

On Okta, add the people and groups to which you want to grant access to G Suite. Although you can perform this action after the integration, it’s recommended that you do so now so that you don’t forget this important dependency.
  1. Log in to Okta.
  2. From the G Suite app, select Assign > Assign to, then add and manage people or groups.

Add the Service Provider on Prisma SaaS

Now that you’ve created the Service Provider app on the Identity Provider, you’re ready to configure that SaaS app on Prisma SaaS to grant access and redirect traffic to the SaaS application through the firewall.
  1. Log in to Prisma SaaS.
  2. Select Settings > SAML Proxy > Add Service Provider.
  3. Enter a SP Name.
  4. Upload the Okta Verification certificate for G Suite.
  5. Specify the following, using your planning worksheet, and upload the Okta certificate to Prisma SaaS:
    • ACS URL
    • SP Entity ID
    • SSO URL
  6. (Optional) Configure the SOAP Endpoint/ECP Endpoint. This setting enables SOAP, XML messages exchanged over HTTP, as the mechanism for information exchange. The endpoint is the URL where your service can be accessed by a client application.
  7. Add the Service Provider configuration on Prisma SaaS.

Configure the Identity Provider on the Service Provider

Now that you’ve added the Service Provider on Prisma SaaS, you’re ready to configure the SaaS application to consume an assertion from the Identity Provider. This assertion grants the user access after being authenticated.
  1. Log in to the G Suite admin console.
  2. Click Security > Set up single sign-on (SSO).
  3. Select Setup SSO with third party identity provider.
  4. Specify the following, using your planning worksheet, and upload the Prisma SaaS certificate (prisma_saas.cer), then Save:
    • Sign-in page URL
    • Sign-out page URL
  5. Leave Change password URL blank.
  6. Select Use a domain specific issuer.

Configure Clientless VPN

When you configure your Clientless VPN, Prisma SaaS intercepts the authentication request and redirects the application traffic through the clientless rewriter on the firewall.
  1. Retrieve the IdP settings from your planning worksheet.
  2. Using those IdP settings:

Add Prisma SaaS SAML Proxy on NGFW

Prisma SaaS is your SAML IdP, not Okta. When you add the SAML IdP on the firewall, you need to use the Prisma SaaS SAML Proxy values.
  1. Log in to NGFW.
  2. Import the Prisma SaaS certificate prisma_saas.cer.
  3. Create the SAML Identity Provider Server Profile.
    • Link to the Prisma SaaS certificate you imported in Step 2.
    • Enter a Clock Skew of 900 (seconds).
  4. Create the Authentication Profile.
    • Use the IdP settings from your planning worksheet.
    • Specify the SAML Identity Provider Server Profile that you created in Step 3.
  5. Retrieve the Entity ID automatically generated for the Prisma SaaS SAML IdP.
    If you have an AWS cloud environment, replace the Entity ID with your firewall’s external IP address or hostname.
    You’ll add this value in Prisma SaaS later when you configure gateway settings on Prisma SaaS.
    1. Locate the SAML Identity Provider Server Profile that you created in Step 3.
    2. Click the Metadata link to download and open the file.
    3. Locate and record the Entity ID on the line that begins entityID=.
  6. Create the Client Authentication, specifying the SAML Identity Provider Server Profile you created in Step 3.
  7. Commit your changes.
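The worksheet values and the entityID lookup in step 5 can be checked mechanically rather than by eye. The following Python is an added example, not Prisma SaaS or PAN-OS code; it assumes the <yourDomainName>.samlproxy.com endpoint layout from the planning worksheet and uses a constructed metadata sample in place of the file the firewall profile's Metadata link downloads.

```python
"""Worksheet helpers for the Prisma SaaS SAML proxy integration (added example, not Palo Alto code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"  # standard SAML 2.0 metadata namespace

def prisma_saas_endpoints(domain: str) -> dict:
    """Derive the Prisma SaaS values the worksheet maps onto Okta, G Suite and the NGFW."""
    host = f"{domain}.samlproxy.com"
    return {
        "idp_entity_id": host,  # (SP Config) IDP Entity ID, NGFW Identity Provider ID
        "acs_url": f"https://{host}/acs",  # Okta Single sign on URL
        "sso_url": f"https://{host}/sso",  # G Suite Sign-in page URL, NGFW Identity Provider SSO URL
        "slo_url": f"https://{host}/slo",  # NGFW Identity Provider SLO URL
        "soap_url": f"https://{host}/soap",  # optional SOAP/ECP endpoint
        "gsuite_acs_url": f"https://www.google.com/a/{domain}/acs",  # SP ACS URL
        "gsuite_sp_entity_id": f"google.com/a/{domain}",
    }

def entity_id_from_metadata(metadata_xml: str) -> str:
    """Read entityID from the firewall's SAML metadata file (step 5) instead of eyeballing the line."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{SAML_MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML 2.0 EntityDescriptor: {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    return entity_id

def check_idp_profile(domain: str, identity_provider_id: str, sso_url: str, slo_url: str) -> list:
    """Compare the firewall's SAML IdP profile fields with the expected Prisma SaaS values."""
    expected = prisma_saas_endpoints(domain)
    problems = []
    if identity_provider_id != expected["idp_entity_id"]:
        problems.append(f"Identity Provider ID should be {expected['idp_entity_id']}")
    for field, value in (("sso_url", sso_url), ("slo_url", slo_url)):
        if urlparse(value).scheme != "https":  # assertions must not travel over plain HTTP
            problems.append(f"{field} must use https: {value}")
        if value != expected[field]:
            problems.append(f"{field} should be {expected[field]}")
    return problems

# Constructed sample shaped like the EntityDescriptor the profile's Metadata link serves (not real firewall output).
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{SAML_MD_NS}" entityID="https://fw.example.com/saml/sp">'
    '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
    "</md:EntityDescriptor>"
)
```

Run entity_id_from_metadata on the downloaded metadata file's contents to get the value for the Prisma SaaS Entity ID gateway setting, and check_idp_profile against the profile fields before you commit.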

Configure Gateway Settings on Prisma SaaS

Prisma SaaS uses the gateway settings to whitelist your trusted networks. Any sanctioned SaaS application traffic that originates from your trusted networks is not redirected to the clientless VPN portal on the firewall.
To secure all traffic that is not from a trusted network, Prisma SaaS creates a trust relationship between the clientless VPN (self-hosted or Prisma Access-hosted) and Prisma SaaS to offer a transparent experience when a user accesses a sanctioned SaaS application on an unmanaged device.
To whitelist IP addresses, you have two options with a clientless VPN gateway:
  • Self-hosted—specify a domain or IP address.
  • Prisma Access-hosted—provide the API key to fetch the IP addresses dynamically.
  1. Log in to Prisma SaaS.
  2. Select Settings > SAML Proxy > Gateway Settings > Edit.
  3. Choose one of the following, then Save.
    • Add Gateway using Domain—Enter the following using your planning worksheet:
      • Domain—Gateway portal’s domain name.
      • Entity ID—ID assigned to the Prisma SaaS SAML IdP in GlobalProtect. You recorded this ID in Step 5 above when you added the Prisma SaaS SAML Proxy on your firewall.
      • Trusted Networks—Public IP address range of your trusted networks on GlobalProtect.
    • Add Gateway using IP Address—Enter the following using your planning worksheet:
      • IP Address—Gateway portal’s IP address on GlobalProtect, in CIDR format.
      • (Optional) Entity ID—ID assigned to the Prisma SaaS SAML IdP on GlobalProtect. You recorded this ID in Step 5 above when you added the Prisma SaaS SAML Proxy on your firewall.
      • Trusted Networks—Public IP address range of your trusted networks on GlobalProtect.
    • GPCS Gateway URL—If you use Prisma Access to control access to your network from mobile users’ unsanctioned devices, that configuration uses the Prisma SaaS SAML redirection-by-proxy feature. Enter the following using your planning worksheet:
      • Portal name—in Prisma Access. To configure the portal, configure Prisma Access for Users.
      • GlobalProtect Cloud Service API Key—in Prisma Access. If there is no key, click Generate New API Key to create one.
        When using a clientless VPN Gateway hosted on Prisma Access, the trusted network IP addresses are retrieved dynamically using the API.
