Microsoft Entra ID SAML Authentication for Mobile User Deployments
Focus
Focus
Prisma Access

Microsoft Entra ID SAML Authentication for Mobile User Deployments

Table of Contents

Microsoft Entra ID SAML Authentication for Mobile User Deployments

Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
This section describes integration procedures you perform to integrate Prisma Access with the Cloud identity Engine and Microsoft Entra ID (formerly Azure Active Directory (Azure AD)).
The Cloud Identity Engine provides both user identification and user authentication for mobile user deployments. Using the Cloud Identity Engine for user authentication and username-to-user group mapping allows you to write security policy based on users and groups, not IP addresses, and helps secure your assets by enforcing behavior-based security actions. By continually syncing the information from your directories, the Cloud Identity Engine ensures that your user information is accurate and up to date and policy enforcement continues based on the mappings even if the SAML identity provider (IdP) is temporarily unavailable.
The Cloud Identity Engine has two components to provide authentication and enforcement of user- and group-based policy:
  • The Cloud Authentication Service component allows you to authenticate mobile users in a Prisma Access deployment. You configure a SAML identity IdP during configuration of the Cloud Identity Engine to use with the Cloud Authentication Service.
  • The Directory Sync component provides username-to-user group mapping for the authenticated user. You can use this mapping to enforce user- and group-based policy in Prisma Access.

Prerequisites

Before you begin, make sure that you have completed the following prerequisites:
  • Activate the Cloud Identity Engine and create your first tenant.
  • Set up the Cloud Identity Engine.
  • To configure SAML authentication in Microsoft Entra ID, you must register your Prisma Access deployment with Microsoft Entra ID. Microsoft Entra ID authentication is supported with Prisma Access GlobalProtect and Explicit Proxy deployments.