Configure Mobile Users without Cloud Identity Engine (Strata Cloud Manager)
This procedure assumes that you have a Microsoft Entra ID (formerly Azure Active Directory (Azure AD)) account, can create and modify enterprise applications, can set up a SAML Service Provider in Microsoft Entra ID, and can download SAML metadata XML files in Azure.
  1. Log in to Microsoft Entra ID and open the enterprise application for either GlobalProtect or Explicit Proxy, depending on the deployment type.
    GlobalProtect has its own enterprise application in Microsoft Entra ID; Palo Alto Networks does not provide one for Explicit Proxy, so you must create it yourself.
    Palo Alto Networks does not control your Microsoft Entra ID setup, and the UI might differ from these examples. For more information, refer to the Microsoft Azure documentation.
    • GlobalProtect Deployments—Select Home > Enterprise Applications; then, search for Palo Alto Networks - GlobalProtect and select the Palo Alto Networks - GlobalProtect application. Rename the application if required.
    • Explicit Proxy Deployments—Select Home > Enterprise Applications and create a New application; then, select Create your own application, give it a Name, select Integrate any other application you don’t find in the gallery, and Create it.
      After you create the application, select it.
  2. Set up the Microsoft Entra ID application.
    1. Under Users and groups, Add user/group for the users and groups that require Microsoft Entra ID authentication.
      Alternatively, select Users and groups from the left navigation pane and then Add user/group.
    2. Select Set up single sign on from the button or select Single sign on from the left navigation pane.
    3. In the Basic SAML Configuration area, click Edit.
    4. Enter the parameters for your Explicit Proxy or GlobalProtect deployment.
      • Mobile Users—GlobalProtect Deployments—Enter the following parameters:
        • In the Identifier (Entity ID) area, enter a URL of https://portal-name:443/SAML20/SP, where portal-name is the Mobile Users—GlobalProtect portal name (in Prisma Access, select Manage > Service Setup > GlobalProtect), and select that as the Default entity ID.
          In addition, enter all gateway names in the format of https://gateway-name:443/SAML20/SP.
          If you are configuring a standalone GlobalProtect deployment, you can use either the FQDN or IP address of the GlobalProtect portal as the portal-name.
        • In the Reply URL (Assertion Consumer Service URL), re-enter the portal and gateway names, appending ACS to the URL names (https://portal-name:443/SAML20/SP/ACS and https://gateway-name:443/SAML20/SP/ACS, respectively). Specify the portal name as the default.
      • Explicit Proxy Deployments—Enter the following parameters:
        • In the Identifier (Entity ID) area, enter an Entity ID of https://ACS URL/saml/metadata, where ACS URL is the Explicit Proxy mobile users name (in Prisma Access, select Manage > Service Setup > Explicit Proxy), and select that as the Default identifier.
        • In the Reply URL (Assertion Consumer Service URL), enter a SAML Assertion Consumer Service URL of https://global.acs.prismaaccess.com/saml/acs and select that as the Default entity ID.
        • Use https://global.acs.prismaaccess.com/saml/acs as the Sign on URL.
    5. In the Set Up Single Sign-On with SAML pane, select Edit in the User Attributes & Claims area.
    6. Enter the following values:
      • Enter user.userprincipalname as the Unique User Identifier (Name ID).
      • In the Additional Claims area, add a Claim Name of username and a Value of user.userprincipalname.
        You must add this claim to ensure correct username-to-IP address mapping for authenticated users.
  3. Click Download in the Federation Metadata XML area to export the metadata XML file from Microsoft Entra ID, and save it to a client system from which you can upload it to Prisma Access.
    Prisma Access requires this XML file to retrieve the correct SAML attributes from Microsoft Entra ID. You upload the file when you create the SAML IdP profile in Prisma Access.
  4. (For GlobalProtect mobile users only) In Prisma Access, configure an authentication profile for Microsoft Entra ID.
    The profile defines authentication settings that are common to a set of users.
    1. Select Manage > Configuration > Identity Services > Authentication > Authentication Profiles.
      Make sure that you are creating the authentication profile for GlobalProtect or explicit proxy mobile users.
    2. Add Profile.
    3. Select the SAML authentication method.
    4. Enter a profile name and Import MetaData that you downloaded in step 3.
      When you import the metadata, it fills other fields. Save this authentication profile.
  5. Attach the authentication profile to the mobile users.
    • For GlobalProtect mobile users
    1. Select Manage > Service Setup > GlobalProtect and Add Authentication.
    2. Enter values.
      Make sure you select the SAML authentication method and profile you created in step 4.
    3. Save the authentication.
    4. Move the authentication to the top to prioritize it.
    • For explicit proxy mobile users
    1. Select Manage > Service Setup > Explicit Proxy.
    2. Edit the User Authentication settings.
    3. Import Metadata.
    4. Choose the file that you downloaded in step 3.
    5. Import.
    6. Enter a name and Save.
  6. Push your changes.
  7. Commit and Push your changes.
  8. Verify that SAML authentication is working.
    1. From a mobile user’s endpoint, authenticate from a supported browser.
      • GlobalProtect Deployments—Open the GlobalProtect app to find the GlobalProtect Portal; then, enter the portal URL in a supported browser.
      • Explicit Proxy Deployments—Navigate from a supported browser to a website that is protected by Explicit Proxy.
    2. When you are challenged for authentication, verify that you are redirected to Microsoft Entra ID and are presented with a login page.
      After you successfully authenticate to Microsoft Entra ID, Microsoft Entra ID redirects you to Prisma Access. Prisma Access then validates the SAML response from Microsoft Entra ID; the mobile user is allowed to visit the website (for Explicit Proxy deployments) or can log in to the GlobalProtect portal (for GlobalProtect deployments).
    3. View the logs and verify that the mobile user’s username is displayed in the Traffic, URL Filtering, and Authentication logs.
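The following pre-flight check is an added example and is not Palo Alto Networks or Microsoft code. It derives the Identifier (Entity ID) and Reply URL values that step 2.4 requires in the Entra ID application for a GlobalProtect portal and its gateways, reports which of them are missing from the app, and inspects the Federation Metadata XML from step 3 for the IdP entity ID, the SSO endpoints and a signing certificate before you import it; the portal and gateway names, the tenant ID and the certificate body in the sample metadata are constructed placeholders.

```python
"""Pre-flight checks for the Entra ID <-> Prisma Access SAML setup (added example)."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the Federation Metadata XML downloaded from Entra ID.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>MIIC-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def expected_sp_urls(portal, gateways):
    """Entity IDs and Reply URLs (ACS) the Entra ID app must list for a
    GlobalProtect deployment: https://<host>:443/SAML20/SP and .../SP/ACS."""
    entity_ids = [f"https://{h}:443/SAML20/SP" for h in [portal, *gateways]]
    reply_urls = [f"{e}/ACS" for e in entity_ids]
    return entity_ids, reply_urls


def missing_sp_urls(portal, gateways, configured_ids, configured_replies):
    """Expected values absent from the app's Basic SAML Configuration (lists are
    what you read off that page); a gateway left out here fails SAML at that gateway."""
    ids, replies = expected_sp_urls(portal, gateways)
    return (sorted(set(ids) - set(configured_ids)),
            sorted(set(replies) - set(configured_replies)))


def check_idp_metadata(xml_text):
    """Summarise the IdP metadata: entity ID, SSO endpoint per binding, and
    whether a signing certificate is present (Prisma Access needs it to
    validate SAML responses)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not an IdP metadata document")
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    signing = [k for k in idp.findall("md:KeyDescriptor", NS)
               if k.get("use") in (None, "signing")]
    has_cert = any(k.find(".//ds:X509Certificate", NS) is not None for k in signing)
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_cert": has_cert}
```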