Manage: Authentication
Learn to manage authentication services.
Where Can I Use This?
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • NGFW, including those funded by Software NGFW Credits
What Do I Need?
Each of these licenses includes access to Strata Cloud Manager:
→ The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are using.
To ensure that only legitimate users have access to your most protected resources, Prisma Access supports several authentication types, including support for SAML, TACACS+, RADIUS, LDAP, Kerberos, MFA, local database authentication, and SSO.
To set up your authentication policies, go to Manage > Configuration > NGFW and Prisma Access > Identity Services > Authentication.
Here are the services Prisma Access integrates with to provide authentication, and features to consider when you are planning your authentication set up:

Authentication Support

SAML
If your users access services and applications that are external to your network, you can use SAML to integrate Prisma Access with an identity provider (IdP) that controls access to both external and internal services and applications. SAML single sign-on (SSO) enables one login to access multiple applications, which is helpful in environments where each user accesses many applications and authenticating to each one separately would impede user productivity. Likewise, SAML single logout (SLO) enables a user to end sessions for multiple applications by logging out of just one session. SSO works for mobile users who access applications through the GlobalProtect app and for users at remote networks who access applications through the Authentication Portal. SLO is available to GlobalProtect app users.
You can't use SAML authentication profiles in authentication sequences.
TACACS+
Terminal Access Controller Access-Control System Plus (TACACS+) is a family of protocols that enable authentication and authorization through a centralized server. TACACS+ encrypts usernames and passwords, making it more secure than RADIUS, which encrypts only passwords. TACACS+ is also more reliable because it uses TCP, whereas RADIUS uses UDP.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a broadly supported networking protocol that provides centralized authentication and authorization. You can also add a RADIUS server to Prisma Access to implement multi-factor authentication.
LDAP
Lightweight Directory Access Protocol (LDAP) is a standard protocol for accessing information directories. You can use LDAP to authenticate users who access applications or services through Authentication Portal.
Kerberos
Kerberos is an authentication protocol that enables a secure exchange of information between parties using unique keys (called tickets) to identify the parties. With Kerberos, you can authenticate users who access applications through the Authentication Portal. With Kerberos SSO enabled, the user needs to log in only for initial access to your network (such as logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network without having to log in again until the SSO session expires.
To use Kerberos, you first need a Kerberos account for Prisma Access that will authenticate users. An account is required to create a Kerberos keytab, which is a file that contains the principal name and hashed password of the firewall or Panorama. The SSO process requires the keytab.
Kerberos SSO is available only for services and applications that are internal to your Kerberos environment. To enable SSO for external services and applications, use SAML.
Cloud Identity Engine
The Cloud Identity Engine (CIE) provides both user identification and user authentication for mobile users in a Prisma Access—Explicit Proxy deployment. The Cloud Identity Engine integrates with the Explicit Proxy Authentication Cache Service (ACS) and uses SAML identity providers (IdPs) to provide authentication for Explicit Proxy mobile users.
MFA
Multi-factor authentication (MFA) gives you a way to implement multiple authentication challenges of different types (these are called factors) to protect your most sensitive services and applications. For example, you might want stronger authentication for key financial documents than for search engines.
Prisma Access has a built-in list of supported MFA vendors that is automatically updated as new vendors are added.
Local Database Authentication
Create a database that runs locally on Prisma Access and contains user accounts (usernames and passwords or hashed passwords). This type of authentication is useful for creating user accounts that reuse the credentials of existing Unix accounts in cases where you know only the hashed passwords, not the plaintext passwords. For accounts that use plaintext passwords, you can also define password complexity and expiration settings. This authentication method is available to users who access services and applications through the Authentication Portal or the GlobalProtect app.

Authentication Feature Highlights

SSO
If you’re using SAML or Kerberos, you can implement single sign-on (SSO), which enables users to authenticate only once for access to multiple services and applications.
Authentication Portal
Redirect web requests that match an authentication rule to a Prisma Access login page where users are prompted to authenticate. Prisma Access uses the information the user submits to this authentication portal to create or update IP address to username mappings.
This is especially useful for remote networks, so that you can continue to monitor and enforce traffic based on a user (or group). When a user initiates web traffic (HTTP or HTTPS) that matches an authentication rule, Prisma Access prompts the user to authenticate through the authentication portal. Prisma Access creates or updates the IP address to username mapping based on the information the user submits to the portal. This ensures that you know exactly who at a remote network site is accessing your most sensitive applications and data.
Authentication Sequence
If you use multiple types of authentication for different purposes, you can set an authentication sequence to rank your profiles. Prisma Access checks each profile based on your ranking until one successfully authenticates the user.

How Authentication Works

After you’ve added your organization’s authentication services to Prisma Access (here's how), Prisma Access authenticates users at multiple points:
  • When they connect to Prisma Access
    Here's how to define how you’d like mobile users to authenticate to Prisma Access. You don’t need to define authentication settings for users at remote networks to connect to Prisma Access, as the remote network traffic is routed through secure VPN tunnels.
  • When user traffic meets your requirements for additional authentication
    Here's how to require users to authenticate (using one or multiple methods) to access enterprise applications and protected network resources.
When users generate web traffic that matches your authentication requirements, Prisma Access checks that the users are legitimate by prompting them to authenticate using one or more methods (factors), such as login and password, voice, SMS, push, or one-time password (OTP) authentication—the factors Prisma Access uses are all based on the authentication service and settings that you specify in your authentication profiles. For the first factor (login and password), users authenticate through the authentication portal.
For the other factors, users then authenticate through a multi-factor authentication login page.
After authenticating users, Prisma Access evaluates your security rules to determine whether to allow access to the application. Prisma Access logs all activity where users attempt to access applications, services, or resources that you’ve designated for secure access.
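The following is an added example (not Prisma Access or Palo Alto Networks code) that models the behaviour described in the Authentication Sequence section and in How Authentication Works: profiles are tried in rank order until one verifies the first factor, SAML profiles are rejected from a sequence, the profile's extra MFA factors are then checked, and only then is a security rule consulted and the attempt logged. All profile names, users, factors and rules are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

@dataclass
class AuthProfile:
    name: str
    kind: str                                   # "ldap", "radius", "kerberos", "saml", ...
    check_password: Callable[[str, str], bool]  # first factor (login and password)
    mfa_factors: List[str] = field(default_factory=list)  # e.g. ["push", "otp"]

class AuthSequence:
    """Ranked profiles, tried in order until one authenticates the user."""
    def __init__(self, profiles: List[AuthProfile]):
        saml = [p.name for p in profiles if p.kind == "saml"]
        if saml:  # the page states SAML profiles cannot be used in a sequence
            raise ValueError(f"SAML profiles cannot be used in a sequence: {saml}")
        self.profiles = list(profiles)

    def first_factor(self, user: str, password: str) -> Optional[AuthProfile]:
        for profile in self.profiles:
            if profile.check_password(user, password):
                return profile
        return None

def access_request(seq: AuthSequence, user: str, password: str, factors: Dict[str, bool],
                   rules: Dict[str, Set[str]], app: str, log: list) -> str:
    """Return 'allow' or 'deny: <reason>', and record the attempt in the log."""
    profile = seq.first_factor(user, password)
    if profile is None:
        verdict = "deny: first factor failed"
    else:
        # Remaining factors come from the matched profile's MFA settings.
        failed = [f for f in profile.mfa_factors if not factors.get(f, False)]
        if failed:
            verdict = f"deny: {failed[0]} factor failed"
        elif app in rules.get(user, set()):   # security rule evaluated only after auth
            verdict = "allow"
        else:
            verdict = "deny: no security rule permits access"
    log.append({"user": user, "app": app,
                "profile": profile.name if profile else None, "result": verdict})
    return verdict

# Constructed sample data: an LDAP profile ranked first, a RADIUS profile with MFA second.
LDAP_USERS = {"alice": "ldap-pw"}
RADIUS_USERS = {"bob": "radius-pw"}
ldap = AuthProfile("corp-ldap", "ldap", lambda u, p: LDAP_USERS.get(u) == p)
radius = AuthProfile("corp-radius", "radius", lambda u, p: RADIUS_USERS.get(u) == p, ["push", "otp"])
SEQUENCE = AuthSequence([ldap, radius])
RULES = {"alice": {"intranet"}, "bob": {"intranet", "finance"}}
```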