Set Up Cloud Identity Engine Authentication

Cloud Identity Engine authentication for GlobalProtect.
Where Can I Use This?
  • NGFW (managed by Panorama and Strata Cloud Manager)
  • Prisma Access (managed by Panorama and Strata Cloud Manager)
What Do I Need?
  • GlobalProtect endpoints running on Windows and macOS
  • GlobalProtect app 6.2.6 and later 6.2.x releases for Cloud Identity Engine OIDC authentication
  • GlobalProtect app 6.3.0 and later for Cloud Identity Engine SAML and client certificate authentication
  • GlobalProtect app 6.3.1 and later for the Cloud Identity Engine multi-authentication SSO hub skip feature
  • PAN-OS 10.2 and later for Cloud Identity Engine authentication
Cloud Identity Engine supports the following authentication methods for GlobalProtect:
  • SAML
  • Client Certificate
  • OIDC
  1. In your environment, navigate to the Add Authentication screen for GlobalProtect.
  2. Select Cloud Identity Engine as the authentication method, then select the Cloud Identity Engine authentication profile you created earlier (see Configure Cloud Identity Engine Authentication on the Firewall or Panorama).
  3. Follow the on-screen prompts to set up the desired Cloud Identity Engine authentication method.

Cloud Identity Engine SAML Authentication with Embedded Web-View

The system browser is the default browser for Cloud Identity Engine SAML authentication. To use the embedded web-view instead, disable the default-browser option in both places where the portal configuration sets it:
  1. Disable the Use Default Browser for SAML Authentication option in the app settings of the portal configuration.
    1. Select Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App.
    2. In the App Configurations area, set Use Default Browser for SAML Authentication to No so that the GlobalProtect app opens the embedded browser for CIE authentication. After you set the option to No, the next time the GlobalProtect app reconnects it prompts end users to reauthenticate using CIE as the authentication method.
  2. Disable the browser option in the Client Authentication settings of the portal configuration.
    1. Select Network > GlobalProtect > Portals > <portal-config> > Authentication > <client-authentication-config>.
    2. Clear the Use default browser check box in the Client Authentication window so that the embedded browser is used for CIE authentication.
  3. Click OK.
  4. Commit the configuration.

Cloud Identity Engine Multi-Authentication

You can create an authentication profile that redirects users to the authentication type (either a client certificate or a SAML 2.0-compliant identity provider) you configure for authentication. For more information, see Configure Cloud Identity Engine Authentication on the Firewall or Panorama.
With Cloud Identity Engine multi-authentication, you can let end users bypass the SSO hub page (which prompts the user for their SAML username) on Windows endpoints by pre-deploying the CASSKIPHUBPAGE registry key. Set it at install time by passing the property to the installer:
msiexec.exe /i globalprotect64.msi CASSKIPHUBPAGE=yes
The key is then written under HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings in the Windows registry.
This feature is supported with both the default browser and the embedded web-view when the app reconnects after the following events:
  • The user unlocks the device
  • The device wakes up from sleep mode
  • The system reboots
For the GlobalProtect app with Connect Before Logon (CBL) installed on Windows endpoints, you must use the default browser for Cloud Identity Engine SAML authentication.
Before enabling this feature, ensure the following:
  • The username is configured in UPN format in the Cloud Identity Engine, or the Windows endpoints are joined to a domain (Azure AD or Active Directory).
  • The Cloud Identity Engine authentication profile is configured without the Force Authentication option; forcing authentication makes the IdP re-prompt the user and defeats the reuse of the existing session.
  • An active IdP/SAML session exists for the user.
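A check script for the Windows pre-deployment described in this section, added here as an example and not taken from the GlobalProtect documentation. It reads the CASSKIPHUBPAGE value from the registry path above, tests the prerequisites that are visible on the endpoint itself (a domain join and a UPN-form logon name; the CIE-side username format and the live IdP session cannot be checked locally), and can run the msiexec command with the property. The value name and string type, the installer path, and the /qn /norestart flags are assumptions, not details the page states.

```powershell
# Added example (not from the GlobalProtect docs): verify and optionally
# pre-deploy CASSKIPHUBPAGE on a Windows endpoint.
# Assumptions not stated on the page: the setting is a string value named
# CASSKIPHUBPAGE under the Settings key, globalprotect64.msi is in the current
# directory, and /qn /norestart (standard msiexec options) are acceptable for
# a silent rollout; the page only shows /i and the property.

[CmdletBinding()]
param(
    [string]$MsiPath = '.\globalprotect64.msi',
    [switch]$Install   # run msiexec if CASSKIPHUBPAGE is not already 'yes'
)

$SettingsKey = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings'

function Get-SkipHubPageValue {
    # Returns the CASSKIPHUBPAGE value, or $null when the key or value is absent.
    if (-not (Test-Path -LiteralPath $SettingsKey)) { return $null }
    $item = Get-ItemProperty -LiteralPath $SettingsKey -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties['CASSKIPHUBPAGE']
    if ($null -eq $prop) { return $null }
    return [string]$prop.Value
}

function Test-DomainJoined {
    # On-premises AD join via CIM; Azure AD join via the dsregcmd /status report.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) { return $true }
    try {
        $status = & dsregcmd.exe /status 2>$null
        return [bool]($status -match '^\s*AzureAdJoined\s*:\s*YES')
    } catch {
        return $false   # dsregcmd missing or failed: treat as not joined
    }
}

function Get-CurrentUserUpn {
    # 'whoami /upn' prints the UPN for domain accounts and an error for local ones.
    $upn = & whoami.exe /upn 2>$null | Select-Object -First 1
    if ($upn -match '^[^@\s]+@[^@\s]+$') { return $upn }
    return $null
}

function Install-GlobalProtectWithSkipHub {
    param([Parameter(Mandatory)][string]$Path)
    # Equivalent of: msiexec.exe /i globalprotect64.msi CASSKIPHUBPAGE=yes
    $msiArgs = @('/i', ('"{0}"' -f $Path), 'CASSKIPHUBPAGE=yes', '/qn', '/norestart')
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode
}

# --- Report what the endpoint looks like before the feature is relied on ---
$value  = Get-SkipHubPageValue
$joined = Test-DomainJoined
$upn    = Get-CurrentUserUpn
$valueText = if ($null -eq $value) { '<not set>' } else { $value }
$upnText   = if ($null -eq $upn)   { '<no UPN>' }  else { $upn }

[pscustomobject]@{
    CASSKIPHUBPAGE = $valueText
    DomainJoined   = $joined
    CurrentUserUpn = $upnText
} | Format-List

if (-not $joined -and $null -eq $upn) {
    Write-Warning 'No domain join and no UPN-form user detected; the SSO hub skip will not work on this endpoint.'
}

if ($value -ne 'yes') {
    if ($Install) {
        $code = Install-GlobalProtectWithSkipHub -Path $MsiPath
        Write-Host "msiexec exit code: $code (0 = success, 3010 = reboot required)"
    } else {
        Write-Host 'CASSKIPHUBPAGE is not set to yes; rerun with -Install to deploy it.'
    }
}
```

Reading the HKLM key works from any account, but the install path needs an elevated session because msiexec writes to HKLM and Program Files. Run the report first on a pilot machine, confirm the value shows as yes after install, and only then enable the feature for the fleet; a missing value on a machine that reconnects after unlock or wake simply means the user sees the hub page again rather than a failed login.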