Microsoft Entra ID SAML Authentication for Mobile User Deployments
This section describes the procedures you perform to integrate Prisma Access with the Cloud Identity Engine and Microsoft Entra ID (formerly Azure Active Directory (Azure AD)).
The Cloud Identity Engine provides both user identification and user authentication for mobile user deployments. Using the Cloud Identity Engine for user authentication and username-to-user group mapping allows you to write security policy based on users and groups, not IP addresses, and helps secure your assets by enforcing behavior-based security actions. By continually syncing the information from your directories, the Cloud Identity Engine ensures that your user information is accurate and up to date, and policy enforcement continues based on the mappings even if the SAML identity provider (IdP) is temporarily unavailable.
The Cloud Identity Engine has two components that together provide authentication and enforcement of user- and group-based policy:

The Cloud Authentication Service component allows you to authenticate mobile users in a Prisma Access deployment. You configure a SAML identity provider (IdP) during configuration of the Cloud Identity Engine to use with the Cloud Authentication Service.

The Directory Sync component provides username-to-user group mapping for the authenticated user. You can use this mapping to enforce user- and group-based policy in Prisma Access.
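The following is an added illustration, not Prisma Access or Cloud Identity Engine code, of how the two roles described above stay separate: the SAML assertion yields only an authenticated username, the synced directory snapshot yields that user's groups, and policy is matched on groups rather than on the client IP. The assertion XML, the directory snapshot, the group names and the rules are all constructed sample data; it is also assumed that the service provider has already validated the assertion signature, which this model does not implement.

```python
"""Model of SAML authentication feeding group-based policy.

Constructed example: the assertion, directory snapshot and rules are
sample data, not taken from any Prisma Access deployment.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. Assumption: signature already verified
# by the service provider before this code is reached.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample" Version="2.0">
  <saml:Issuer>https://sts.windows.net/example-tenant-id/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed snapshot of what a directory sync would cache: username -> groups.
# Because it is a local cache, lookups keep working if the IdP is unreachable.
DIRECTORY_SNAPSHOT = {
    "alice@example.com": {"finance", "all-employees"},
    "bob@example.com": {"all-employees"},
}

# Group-based rules, evaluated top to bottom; first match wins, default deny.
POLICY = [
    {"name": "finance-to-erp", "groups": {"finance"}, "app": "erp", "action": "allow"},
    {"name": "staff-to-mail", "groups": {"all-employees"}, "app": "mail", "action": "allow"},
]


def username_from_assertion(xml_text: str) -> str:
    """Authentication role: the NameID of the Subject is the authenticated user."""
    root = ET.fromstring(xml_text)
    name_id = root.find("./saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID")
    return name_id.text.strip()


def groups_for(user: str, snapshot=DIRECTORY_SNAPSHOT) -> set:
    """Directory-sync role: cached group membership; unknown user -> no groups."""
    return set(snapshot.get(user, set()))


def evaluate(user: str, app: str, snapshot=DIRECTORY_SNAPSHOT) -> str:
    """Match on group membership only; no rule matches -> deny."""
    groups = groups_for(user, snapshot)
    for rule in POLICY:
        if rule["app"] == app and rule["groups"] & groups:
            return rule["action"]
    return "deny"


def decide(assertion_xml: str, app: str, client_ip: str) -> dict:
    """Authenticate, map to groups, decide. client_ip is recorded for the
    log entry only; the decision never depends on it."""
    user = username_from_assertion(assertion_xml)
    return {"user": user, "ip": client_ip, "app": app, "action": evaluate(user, app)}


if __name__ == "__main__":
    # Same user from two different addresses gets the same decision.
    for ip in ("10.0.0.5", "203.0.113.9"):
        print(decide(SAMPLE_ASSERTION, "erp", ip))
    # A user absent from the synced directory has no groups and is denied.
    print(evaluate("carol@example.com", "mail"))
```

Running the block shows the same allow decision for alice from both addresses, and a deny for a user the directory snapshot does not know, which is the deny-by-default behaviour you want when a group mapping is missing.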
Prerequisites
Before you begin, make sure that you have completed the following prerequisites: