The following section shows the workflow when
mobile users are secured by Prisma Access using an Explicit Proxy
as the connection method. Before you start, you need to have configured Prisma
Access Explicit Proxy.
The traffic takes the following
path. Callouts in the figure show the process.
The mobile user browses the Internet or accesses
the SaaS application by entering the URL or IP address using a web browser.
The browser on the mobile user’s endpoint checks for
the PAC file.
This PAC file specifies that the URL or SaaS request should
be forwarded to Prisma Access Explicit Proxy.
The HTTPS client (the browser on the mobile user’s endpoint)
forwards the URL request to the proxy URL.
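A PAC file of the shape the steps above describe, as an added example (not a PAC file shipped by Prisma Access or taken from its documentation): every internet and SaaS request is returned as a PROXY directive pointing at the Explicit Proxy, while plain hostnames, RFC 1918 and loopback addresses, and an internal domain go DIRECT. The proxy hostname and port (proxy.example.com:8080) and the internal domain (.corp.example) are placeholders; take the real proxy URL from your Explicit Proxy configuration. The small helper functions at the top stand in for the ones a browser's PAC engine provides, so the file also runs under Node for testing; this isInNet only understands IP literals, whereas a browser's version also resolves hostnames.

```javascript
// Added example of a PAC file for an explicit-proxy deployment.
// Placeholders (assumptions): proxy.example.com:8080 and .corp.example.

// Minimal stand-ins for the PAC helper functions so this file runs under
// Node as well as in a browser's PAC engine. They cover only what is used
// below; isInNet here accepts dotted-quad IP literals only.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host === domain.replace(/^\./, "") || host.endsWith(domain);
}
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d+$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
function isInNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  // "&" yields a signed 32-bit result; ">>> 0" makes both sides unsigned.
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Placeholder for the Explicit Proxy URL from your configuration.
var EXPLICIT_PROXY = "PROXY proxy.example.com:8080";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Short intranet names and private/loopback addresses bypass the proxy.
  if (isPlainHostName(host) ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }

  // Internal domain that is reachable without the proxy (placeholder).
  if (dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }

  // Everything else, i.e. internet and SaaS traffic, goes to Explicit Proxy.
  return EXPLICIT_PROXY;
}
```

Keep the DIRECT list to what genuinely must bypass the proxy: every host that goes DIRECT is traffic the proxy never decrypts or inspects, and a browser evaluates this function for each URL, so a loose wildcard here silently removes enforcement for that traffic.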
The traffic is redirected to Explicit Proxy, and the
proxy decrypts the traffic.
The proxy inspects the traffic and checks for the authentication
cookie set up by the Prisma Access Explicit Proxy.
The cookie contains information that identifies the mobile
user, and the proxy uses it to authenticate the user.
If, upon inspection of the cookie, Prisma Access determines
that the user has not been authenticated, it redirects the user
for authentication.
After the IdP authenticates the user, Prisma Access stores
the authentication state of the user in the Authentication Cache
Service (ACS). The validity period of the authentication is based
on the Cookie Lifetime value you specify
during Explicit Proxy configuration.
The Explicit Proxy checks for the presence and validity
of the cookie. If the cookie is not present or is invalid, the user
is redirected to ACS. After ACS confirms the authentication of the
user, the user is redirected back to Explicit Proxy with a token.
The proxy then validates that token and sets the cookie for that
domain for that user.
Prisma Access applies security enforcement based on the
security policy rules that the administrator has configured.
If the URL is not blocked by security policy rules, Prisma
Access sends the URL request to the internet.