Manage: Authentication Profiles
Focus
Focus
Strata Cloud Manager

Manage: Authentication Profiles

Table of Contents

Manage: Authentication Profiles

Learn to configure the types of Authentication Profiles.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • NGFW, including those funded by Software NGFW Credits
Each of these licenses include access to Strata Cloud Manager:
→ The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are using.
An authentication profile defines the authentication service that validates the login credentials of administrators who access the firewall web interface and end users who access applications through Captive Portal or GlobalProtect. The authentication profile also defines options such as single sign-on (SSO).

Kerberos

Learn to configure Kerberos authentication Profiles.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • NGFW, including those funded by Software NGFW Credits
Each of these licenses include access to Strata Cloud Manager:
→ The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are using.
Kerberos is a computer network authentication protocol that uses tickets to allow nodes that communicate over a non-secure network to provide their identity to one another in a secure manner.
The authentication profile specifies the server profile that the portal or gateways use when they authenticate users. Follow these steps to set up Kerberos authentication profile for Explicit Proxy mobile users to connect to Prisma Access, for administrators to connect to the firewall web interface, and for end users to log in to the Authentication Portal.
  1. Go to ManageConfigurationIdentity ServicesAuthenticationAuthentication Profiles and Add Profile.
  2. Select the Authentication Method: Kerberos.
  3. Enter the Profile Name to identify the server profile. The authentication profile specifies the server profile that the portal or gateways use when they authenticate users.
  4. Enter the Kerberos Realm (up to 127 characters) to specify the hostname portion of the user login name. For example, the user account name user@EXAMPLE.LOCAL has the realm EXAMPLE.LOCAL.
  5. Import a Kerberos Keytab file which contains the Kerberos account information. When prompted, browse for the keytab file, and then click Save. During authentication, the endpoint first attempts to establish SSO using the keytab.
  6. Choose the Kerberos Keytab.
  7. Click Save.

Cloud Identity Engine

Learn to configure Cloud Identity Engine authentication profiles.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • NGFW, including those funded by Software NGFW Credits
Each of these licenses include access to Strata Cloud Manager:
→ The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are using.
The Cloud Identity Engine (CIE) is used for identifying and authenticating users in firewall web interfaces and mobile users in a Prisma Access Explicit Proxy deployment. In Prisma Access, the Cloud Identity Engine integrates with the Explicit Proxy Authentication Cache Service (ACS) and uses SAML identity providers (IdPs) to provide authentication for Explicit Proxy mobile users.
To authenticate users using Cloud Identity Engine, you must configure an authentication profile.
The SAML/CIE authentication method is displayed only if the Cloud Authentication Service (CAS) is enabled. If the CIE authentication or CAS is not supported on your Prisma Access tenant, then it shows only the SAML authentication method.
Before you begin:
  1. Go to ManageConfigurationIdentity ServicesAuthentication, set the configuration scope to Explicit Proxy and Add Profile under Authentication Profiles.
  2. Select the Authentication Method: Cloud Identity Engine.
  3. Enter a unique Profile Name.
  4. Select the Cloud Identity Engine authentication Profile you configured in the Cloud Identity Engine.
  5. Save your changes.