Authorize User Group Mapping in Cloud Identity Engine for Dynamic Privilege Access

Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Minimum Required Prisma Access Version: 5.1
  • Role: Superuser
Before you begin, make sure that you have completed the following prerequisites:
  • Contact your Palo Alto Networks account representative to activate the Dynamic Privilege Access functionality.
  • Activate the Cloud Identity Engine and create your first tenant.
  • Set up the Cloud Identity Engine.
In this workflow, we have used Azure as the IdP. You can also use Okta as your IdP.
  1. From Strata Cloud Manager, open the Cloud Identity Engine app associated with your tenant.
  2. Add an Azure directory or an Okta directory as IdP for mobile users.
  3. Download the SP Metadata in the Cloud Identity Engine app.
    1. Go to Authentication > Authentication Types > Add New Authentication Type.
    2. Set Up a SAML 2.0 authentication type.
      Select Dynamic service provider metadata.
    3. Download SP Metadata.
    4. Log in to the Azure Portal and select Azure Active Directory.
      Make sure you complete all the necessary steps in the Azure portal.
      If you have more than one directory, Switch directory to select the directory you want to use with the Cloud Identity Engine.
    5. Select Enterprise applications and click New application.
    6. Search for Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service and create the Azure Active Directory (AD) single sign-on integration.
      Customize the app name if required while creating the application.
    7. After the application loads, select Users and groups, then Add user/group to Assign them to this application.
      Select the users and groups you want to use the Azure IdP in the Cloud Identity Engine for authentication.
      Be sure to assign the account you're using so you can test the configuration when it's complete. You may need to refresh the page after adding accounts to successfully complete the test.
    8. Set up single sign-on then select SAML.
    9. Upload Metadata File by browsing to the metadata file that you downloaded from the Cloud Identity Engine app in step 3.c and click Add.
    10. After the metadata uploads, enter your regional endpoint as the Sign-on URL using the following format: https://<RegionUrl>.paloaltonetworks.com/sp/acs (where <RegionUrl> is your regional endpoint).
      Alternatively, copy the Reply URL into the Sign-on URL field.
    11. Save your configuration.
  4. Configure conditional access policy to enable MFA on selected user groups.
    1. Go to your application's Overview > Conditional Access > Create a policy.
    2. Add a New Policy.
    3. Enter a name for the policy.
    4. In the Users section, choose Select users and groups and include your project groups.
    5. Verify the Target resources.
    6. Select the Conditions that trigger the policy.
    7. Grant access in Access Controls using Require multifactor authentication.
    8. Enable the policy by toggling the selector to On, and Create the conditional access.
  5. Add your IdP vendor as an authentication type.
    1. Select Single sign-on > SAML Certificates and copy the App Federation Metadata URL.
    2. In the Cloud Identity Engine app, select Authentication > Authentication Types > Add New Authentication Type.
    3. Set Up a SAML 2.0 authentication type.
    4. Under Configure your Identity Provider Profile, enter a Profile Name.
    5. Select Azure as your IDP Vendor.
    6. Select Get URL, paste the URL you copied in step 5.a, and select Get URL to retrieve the metadata.
    7. Enable the Multi-factor Authentication is Enabled on the Identity Provider option.
    8. Test SAML Setup to verify the profile configuration.
    9. Select the SAML attributes you want Prisma Access to use for authentication.
    10. Enable Dynamic Privilege Access.
      Make sure you sync the directory you added in step 2 and the SAML app.
    11. Submit the IdP profile.
  6. Repeat steps 3 through 5 to configure the SAML app for user groups that don't require MFA.
    For those user groups, don't enable MFA in step 5.g.
  7. Add an authentication profile for MFA user groups and non-MFA user groups.
    1. Select Authentication > Authentication Profiles > Add Authentication Profile.
    2. Enter a Profile Name.
    3. Select an Authentication Mode.
    4. Select the Authentication Type from step 5 or 6, based on the user groups requiring MFA, and Submit.
  8. Add the authentication profile from Cloud Identity Engine to Prisma Access.
    1. In Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access > Identity Services > Authentication > Authentication Profiles.
      Make sure you set the configuration scope to the Access Agent mobile users container.
    2. Add Profile.
    3. Select Cloud Identity Engine as your Authentication Method.
    4. Enter a Profile Name.
    5. Select the Profile you added in the Cloud Identity Engine app from step 7.
    6. Save the changes.
  9. Attach the authentication to mobile users.
    1. Launch Prisma Access from your Strata Cloud Manager.
    2. Select Manage > Configuration > NGFW and Prisma Access.
    3. Set the scope to the project snippet you created, and navigate to Security Services > Security Policy.
    4. Create a policy that allows traffic only from the project's DHCP range and that project-based user group.
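As an added defender-side check that is not part of this page or of Palo Alto Networks' own tooling: the Python below parses the SP metadata you downloaded in step 3.c and confirms that its AssertionConsumerService (reply) URL matches the documented https://<RegionUrl>.paloaltonetworks.com/sp/acs format for the region you enter as the Sign-on URL in step 3.j, so a mismatch is caught before the Azure app is saved. The sample metadata and the region name example-region are constructed placeholders, and the signed-assertions check is general SAML hygiene rather than a step on this page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the SAML 2.0 SP metadata exported in step 3.c;
# "example-region" is a placeholder, not a real regional endpoint.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-region.paloaltonetworks.com/sp">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-region.paloaltonetworks.com/sp/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Documented Sign-on URL format: https://<RegionUrl>.paloaltonetworks.com/sp/acs
ACS_FORMAT = re.compile(r"^https://[a-z0-9-]+(\.[a-z0-9-]+)*\.paloaltonetworks\.com/sp/acs$")


def acs_locations(metadata_xml):
    """Return the AssertionConsumerService (reply) URLs declared in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:SPSSODescriptor/md:AssertionConsumerService"
    return [acs.get("Location") for acs in root.iterfind(path, NS)]


def check_sp_metadata(metadata_xml, region_url):
    """Return a list of problems; empty when the metadata matches the intended region."""
    expected = f"https://{region_url}.paloaltonetworks.com/sp/acs"
    problems = []
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["metadata has no SPSSODescriptor; this is not SP metadata"]
    # General SAML hygiene (not a step on this page): the SP should require
    # signed assertions so a tampered IdP response is rejected.
    if sp.get("WantAssertionsSigned") != "true":
        problems.append("WantAssertionsSigned is not true")
    locations = acs_locations(metadata_xml)
    if expected not in locations:
        problems.append(f"expected reply URL {expected} not found in metadata")
    for loc in locations:
        if not ACS_FORMAT.match(loc):
            problems.append(f"reply URL does not match the documented format: {loc}")
    return problems
```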