Configure Unsanctioned Device Access Control

Use Prisma SaaS as a SAML proxy between your Identity Provider and next generation firewall to control access to your sanctioned SaaS applications.
To control unmanaged and employee-owned device access to your sanctioned SaaS applications, add application integration on your Identity Provider for Prisma SaaS and each application to authenticate SAML 2.0 access. Configure Prisma SaaS by adding your IDP SSO URL and configure each application with the same SSO URL for a transparent and seamless experience. Once your IDP, service providers and Prisma SaaS are configured, add your next generation firewall on Prisma SaaS. Prisma SaaS offers the flexibility of adding portal settings using your domain, IP address, a combination of domains and IP addresses, or your configured GlobalProtect Cloud Service to have visibility into unsanctioned device access.
You must be a Super Admin or Admin to configure SAML Proxy on Prisma SaaS.
This document details an example integration with Okta as the identity provider and G Suite as the service provider, but you can also configure Google IDP, Ping, Azure AD, or ADFS as the identity provider.
  1. Create a Prisma SaaS app on your Identity Provider.
    By creating an application integration for Prisma SaaS with your Identity Provider, you can control access to SaaS applications on unmanaged devices on external networks using the SAML 2.0 protocol.
    1. Log in to your Okta organization using an account with administrative privileges.
      If you don’t have an Okta organization, you can create a free Okta developer edition organization.
    2. Create a new application integration by selecting Admin > Add Applications > Create New App > SAML 2.0 > Create.
    3. Select SAML 2.0 and Create the application integration.
    4. Enter an App name for Prisma SaaS.
    5. (Optional) Upload an image for the App logo and select App visibility.
    6. Click Next.
    7. Log in to Prisma SaaS, select Settings > SAML Proxy, and enable the feature.
    8. Click Add Identity Provider to gather the IDP configuration details.
    9. On the Okta SAML Settings screen, enter the Prisma SaaS Assertion Consumer Service URL for Single sign on URL.
    10. Enter the Prisma SaaS IDP Entity ID for Audience URI (SP Entity ID).
    11. Configure the Default RelayState, Name ID format, and Application username, and click Next.
    12. Answer the Okta Support questions and click Finish.
    13. Select Assignments > Assign to add and manage people or groups.
  2. Add your identity provider on Prisma SaaS.
    Configure the IDP on Prisma SaaS to authenticate the user before redirecting access through the firewall and to the SaaS application. Use the IDP SSO URL, Identity Provider Issuer and Certificate from Okta to configure the identity provider settings on Prisma SaaS.
    1. Log in to Okta, select Admin > Applications, and select your Prisma SaaS SAML 2.0 application.
    2. Select Sign On > View Setup Instructions.
    3. Locate the Okta SSO URL and IDP Entity ID, and download the certificate to configure Prisma SaaS.
      When downloading the Okta X.509 certificate, you must change the CERT extension to either the CER or CRT file extension.
    4. Log in to Prisma SaaS and select Settings > SAML Proxy > Add Identity Provider.
    5. Enter an IDP Name.
    6. Click Choose File and upload the Okta X.509 Certificate.
    7. For IDP Entity ID, enter the Okta Identity Provider Issuer.
    8. For SSO URL, enter the Okta Identity Provider Single Sign-On URL, and Add the Identity Provider on Prisma SaaS.
  3. Create a Service Provider app on your Identity Provider.
    Configure the SSO URL on your IDP for your SaaS app and IDP when you add an application integration, providing a transparent experience. When you add the SaaS application to your IDP, access is authenticated through the Prisma SaaS SAML proxy before traffic is redirected through the firewall. You need the Identity Provider Sign-in URL to direct users to sign in and the certificate from the IDP to validate SAML signatures when using SSO. Each SaaS application must be configured on your Identity Provider to control unmanaged device access.
    1. Log in to Okta, select Admin > Add Applications, and search for G Suite.
    2. Select G Suite and click Add.
    3. Enter an Application label.
    4. Enter Your Google Apps company domain and click Next.
    5. Select SAML 2.0 and click Done.
    6. Select Assignments > Assign to add and manage people or groups.
  4. Add the Service Provider on Prisma SaaS.
    Each SaaS application must be configured on Prisma SaaS to grant access using the same IDP SSO URL and redirect traffic to the SaaS application through the firewall. You need the Okta Single Sign-on URL and Verification Certificate for the SaaS application, and the Entity ID and ACS URL from Prisma SaaS to configure the SaaS application on Prisma SaaS.
    1. Log in to Okta, select Admin > Applications, and select your G Suite application to gather the SaaS details.
    2. Select SAML 2.0 and click View Setup Instructions.
    3. Locate the Single Sign-On Screen information for G Suite, download the verification certificate, and copy the Sign-in page URL.
    4. On Okta, click Applications and select the Prisma SaaS SAML 2.0 application.
    5. Click Sign On > View Setup Instructions.
    6. Log in to Prisma SaaS and select Settings > SAML Proxy > Identity Provider Settings > Edit to locate the ACS URL and SP Entity ID.
    7. On Prisma SaaS, select Settings > SAML Proxy > Add Service Provider.
    8. Enter an SP Name.
    9. Upload the Okta Verification Certificate to Prisma SaaS.
    10. For the ACS URL, enter the Prisma SaaS Assertion Consumer Service URL.
    11. For the SP Entity ID, enter the Prisma SaaS IDP Entity ID.
    12. For the SSO URL, enter the Okta Sign-in page URL.
    13. (Optional) Configure the SOAP Endpoint/ECP Endpoint on Prisma SaaS to enable communication over HTTP with XML messages as the mechanism for information exchange. The endpoint is the URL where your service can be accessed by a client application.
    14. Add the Service Provider configuration on Prisma SaaS.
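The identifiers copied between Okta and Prisma SaaS in steps 1, 2 and 4 (the Okta Identity Provider Issuer, the Prisma SaaS ACS URL and the Prisma SaaS entity ID) are exactly what a SAML proxy must compare against every response it receives. The following Python is an added example, not Prisma SaaS or Okta code; it uses placeholder URLs and a constructed SAML Response to show which response field must match which configured value, checking identifiers and expiry only (the XML signature, which a real proxy must verify with the uploaded X.509 certificate, is assumed to be checked separately).

```python
# Added example (not Prisma SaaS or Okta code): compare a SAML Response with the
# identifiers configured in the procedure. Placeholder URLs; no signature check.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholders for the values copied between Okta and Prisma SaaS.
CONFIG = {
    "idp_entity_id": "http://www.okta.com/exkPLACEHOLDER",        # Okta Identity Provider Issuer (step 2)
    "acs_url": "https://prisma-saas.example/saml/acs",            # Prisma SaaS ACS URL (step 1, step 4)
    "sp_entity_id": "https://prisma-saas.example/saml/metadata",  # Prisma SaaS entity ID, "IDP Entity ID" in its UI
}

def check_response(xml_text, config, now=None):
    """Return the mismatches between a SAML Response and the configured identifiers;
    an empty list means the right IDP issued it, for this ACS URL and entity ID, unexpired."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != config["acs_url"]:          # response must target our ACS
        problems.append("Destination != ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != config["idp_entity_id"]:
        problems.append("Issuer != IDP Entity ID")             # must come from the configured IDP
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return problems + ["no Assertion/Conditions"]
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != config["sp_entity_id"]:                      # assertion must be meant for us
        problems.append("Audience != SP Entity ID")
    expiry = cond.get("NotOnOrAfter", "")
    if not expiry or now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
        problems.append("assertion missing expiry or expired")
    return problems

# Constructed sample response that matches CONFIG (signature omitted for brevity).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://prisma-saas.example/saml/acs">
  <saml:Issuer>http://www.okta.com/exkPLACEHOLDER</saml:Issuer>
  <saml:Assertion>
    <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://prisma-saas.example/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Swapping any one CONFIG value for a different URL, or moving NotOnOrAfter into the past, produces the corresponding mismatch entry, which is the behaviour a proxy needs when a response arrives for the wrong application or from an unconfigured IDP.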
  5. Configure the Identity Provider on the Service Provider.
    Configure the SaaS application to consume an assertion from the Identity Provider to grant the user access after being authenticated.
    1. Log in to Okta, select Admin > Applications, and select your G Suite application.
    2. Select SAML 2.0 and click View Setup Instructions.
    3. Locate the Single Sign-On Screen section.
    4. Log in to the G Suite admin console.
    5. Click Security > Set up single sign-on (SSO) and select Setup SSO with third party identity provider.
    6. Enter the setup SSO information from Okta, upload the Verification certificate, and click Save.
  6. Log in to Prisma SaaS and select Settings > SAML Proxy > Identity Provider Settings > Edit to locate the details required to Configure Your Clientless VPN.
    When you configure your Clientless VPN, Prisma SaaS intercepts the authentication request and redirects the application traffic through the clientless rewriter on the firewall.
  7. Configure your firewall Gateway Settings on Prisma SaaS.
    The portal configuration on Prisma SaaS creates a trusted relationship between the firewall and Prisma SaaS to offer a transparent experience when a user accesses a sanctioned SaaS application on an unmanaged device. The Gateway settings can be configured using your domain, IP addresses, a combination of domains and IP addresses or a configured GlobalProtect Cloud Service.
    1. Log in to Prisma SaaS and select Settings > SAML Proxy > Gateway Settings > Edit to add your gateway settings.
      • Select Add Gateway using Domain to enter your Domain URL and Entity ID.
      • Select Add Gateway using IP Address to enter the IP address and (Optional) Entity ID.
      • Select Add Gateway using GlobalProtect Cloud Service to enter your GlobalProtect Cloud Service Gateway URL and GlobalProtect Cloud Service API Key.
    2. Enter the IP addresses of your Trusted Networks and Save your firewall portal settings.