Cloud Identity Engine Authentication for Explicit Proxy Deployments (Strata Cloud Manager)
Use the Cloud Authentication Service (CAS) component of the Cloud Identity Engine to authenticate Prisma Access mobile users in a Mobile Users—Explicit Proxy deployment.
The Cloud Identity Engine provides both user identification and user authentication for mobile users in a Prisma Access—Explicit Proxy deployment. The Cloud Identity Engine integrates with the Explicit Proxy Authentication Cache Service (ACS) and uses SAML identity providers (IdPs) to provide authentication for Explicit Proxy mobile users.
To configure authentication for a Mobile Users—Explicit Proxy deployment using the Cloud Identity Engine, complete the following steps.
  1. In Prisma Access (Managed by Strata Cloud Manager), set up Explicit Proxy for your tenant.
    Before you configure Explicit Proxy, be aware of how explicit proxy works and the guidelines to use when you configure it.
    If you have multiple tenants, configure Explicit Proxy for each of your tenants that require it.
  2. Log in to the hub and, from the Cloud Identity Engine app, set up an authentication type and authentication provider.
    You can view apps in the hub by tenant or by support account.
    1. Set up an authentication profile in the Cloud Identity Engine and select the users and groups that can use this authentication method.
      You specify this profile when you create an authentication profile in Prisma Access (Managed by Strata Cloud Manager) in a later step.
  3. Return to Prisma Access (Managed by Strata Cloud Manager) and create an authentication profile to use with the Cloud Identity Engine.
    1. Go to Manage > Configuration > Identity Services > Authentication, set the scope to Explicit Proxy, and add an authentication profile (Add Profile).
      If you're using Strata Cloud Manager, go to Manage > Configuration > NGFW and Prisma Access > Identity Services > Authentication. Set the configuration scope to Explicit Proxy, and add an authentication profile (Add Profile).
    2. Select an Authentication Method of Cloud Identity Engine.
    3. Give the profile a Profile Name.
    4. Select the Cloud Identity Engine Authentication Profile you created in a previous step.
    5. Save your changes.
  4. Set up user authentication in Explicit Proxy.
    1. Go to Manage > Service Setup > Explicit Proxy and select Set Up User Authentication.
      If you're using Strata Cloud Manager, go to Workflows > Prisma Access Setup > Explicit Proxy and select Set Up User Authentication.
    2. Select an Authentication Method of SAML/CIE.
    3. Select the authentication profile you created in Cloud Managed Prisma Access.
    4. Specify a Cookie Lifetime for the cookie that stores the users’ authentication credentials.
      After the IdP authenticates the user, Prisma Access stores the authentication state of the user in the Authentication Cache Service (ACS). The validity period of the authentication is based on the Cookie Lifetime value you specify here.
      To prevent issues with users not being able to download large files before the cookie lifetime expires, or the cookie expiring when users are accessing a single website for a long period of time, Palo Alto Networks recommends that you configure a Cookie Lifetime of at least one day. If Explicit Proxy users have a cookie lifetime expiration issue, they can browse to a different website to re-authenticate to ACS and refresh the ACS cookie.
    5. Save your changes.
  5. Verify that the Cloud Identity Engine is successfully authenticating your Explicit Proxy mobile users.
    1. From Prisma Access (Managed by Strata Cloud Manager), select Activity > Log Viewer > Firewall/Authentication.
      If you're using Strata Cloud Manager, go to Incidents & Alerts > Log Viewer > Firewall/Authentication.
    2. View the Auth Event status.
      If the authentication fails, view the Authentication Description for more details about the failure.
    3. From the mobile user’s endpoint, use dev tools to view the Cloud Identity Engine authentication flow.
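The following Python script is an added example, not part of this documentation or of any Palo Alto Networks tool. It walks a HAR export saved from the browser dev tools in step 5.3 and reports whether the SAML round trip (SAMLRequest out to the IdP, SAMLResponse posted back) completed, then checks the lifetime of the cookie issued afterwards against the one-day Cookie Lifetime recommendation from step 4.4. The HAR content, the host names, the assertion consumer path and the cookie name are constructed placeholders; that the authentication cookie carries a Max-Age attribute is an assumption.

```python
import re
from datetime import timedelta
from urllib.parse import parse_qs, urlparse

# Palo Alto Networks recommends a Cookie Lifetime of at least one day.
MIN_COOKIE_LIFETIME = timedelta(days=1)

# Constructed HAR export (the shape browser dev tools produce); hosts, paths and cookie name are placeholders.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://www.example.com/"},
     "response": {"status": 302, "headers": [
         {"name": "Location", "value": "https://idp.example.test/sso?SAMLRequest=PHNhbWxw"}]}},
    {"request": {"method": "GET", "url": "https://idp.example.test/sso?SAMLRequest=PHNhbWxw"},
     "response": {"status": 200, "headers": []}},
    {"request": {"method": "POST", "url": "https://proxy-auth.example.test/saml/acs",
                 "postData": {"params": [{"name": "SAMLResponse", "value": "PHNhbWxw"}]}},
     "response": {"status": 302, "headers": [
         {"name": "Set-Cookie", "value": "authcookie=opaque; Max-Age=86400; Secure; HttpOnly"}]}},
    {"request": {"method": "GET", "url": "https://www.example.com/"},
     "response": {"status": 200, "headers": []}},
]}}


def summarize_flow(har):
    """Walk the HAR entries in order and report the SAML/CIE sign-in milestones."""
    summary = {"saml_request": False, "saml_response": False,
               "cookie_max_age": None, "lifetime_ok": False, "final_status": None}
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        # HTTP-Redirect binding: the browser is sent to the IdP carrying a SAMLRequest.
        if "SAMLRequest" in parse_qs(urlparse(req["url"]).query):
            summary["saml_request"] = True
        # HTTP-POST binding: the IdP posts the SAMLResponse back to the assertion consumer.
        params = req.get("postData", {}).get("params", [])
        if any(p["name"] == "SAMLResponse" for p in params):
            summary["saml_response"] = True
        # The authentication cookie is issued after the assertion is accepted; check its lifetime.
        for h in resp.get("headers", []):
            if h["name"].lower() == "set-cookie":
                m = re.search(r"max-age=(\d+)", h["value"], re.IGNORECASE)
                if m:
                    age = timedelta(seconds=int(m.group(1)))
                    summary["cookie_max_age"] = age
                    summary["lifetime_ok"] = age >= MIN_COOKIE_LIFETIME
        summary["final_status"] = resp["status"]
    return summary


if __name__ == "__main__":
    print(summarize_flow(SAMPLE_HAR))
```

A `final_status` of 200 with both SAML flags set and `lifetime_ok` true means the capture shows a complete sign-in; a short `cookie_max_age` points at the Cookie Lifetime setting from step 4.4.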