topic Cloud Identity Engine - Multi Auth Profile in Prisma Access Discussions

Cloud Identity Engine - Multi Auth Profile

gcollins5 — Mon, 11 Dec 2023 10:55:56 GMT

Hello All .

Have a very simple thing I am trying to do but as ever things are not so simple with Palo .

I'm using Prisma SASE and this focus around this question is Cloud ID Engine & Global Protect.

WE are AAD only with no on premise resources .

I currently use Azure AD as my IDP and all is well with it .

Problem happens when I need to add a second Azure AD for a company we are working with .

Should be as simple as create a SEQUENCE auth policy , trouble is , this does not work if you are using SAML.

I have setup the required Enterprise Application - CIE - Authentication .

The way I am told to go is to use a MULTI profile in CIE that points to the two AAD IDP .

I have tested both AAD IDPs in CIE independently and they both work OK .

When I set them up using a MULTI auth profile in CIE it all goes wrong.

Firstly , the MULTI profile attempts to connect again BOTH IDPs which involves multiple authentication attempts ro what seems a proxy Palo Alto portal ,

https://cloud-auth.de.apps.paloaltonetworks.com/sp/acs

It just does not work , the only other way is to joind the AADs together but I a m loathe to do this as PAlo does say it works with a multi profile. Anyone done this ?

Re: Cloud Identity Engine - Multi Auth Profile

KengSeng — Wed, 24 Apr 2024 02:47:04 GMT

Is this fixed? I did see a working scenario, just it will break SSO...

https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-cie-multi-profile-breaks-sso/td-p/571455

Re: Cloud Identity Engine - Multi Auth Profile

domari — Thu, 02 May 2024 15:21:21 GMT

I understand that you are using CIE with Multiple SAML authentication profiles. My question to you is, are you assigning groups to those different SAML authentications?

Please reference the link below regarding how to configure the multiple authentication profile, starting from step 5.

The way that the authentication sequence works in CIE, you have to assign groups to the authentication types, So if you have different SAML profiles, you need to assign the groups that you would like to authenticate to those SAML profiles. If you have a user matching more than one group that has an assigned authentication type then the CIE selects the authentication type that is closer to the top of the list.

With that said, the authentication mapping in CIE doesn't work like the authentication sequence in NGFW.

- In NGFW, it will check the authentication profiles top down until the user is able to authenticate.

- In CIE, the authentication mapping uses the given userID to obtain the group information for the user to determine if the user’s group has an assigned authentication type. If the user belongs to multiple groups, the Cloud Identity Engine uses the first authentication type you assign to the group for user authentication. Now, if the user is not in an assigned group then it will use the authentication configured in "Default authentication type".

Reference:

https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-users-with-the-cloud-identity-engine/set-up-an-authentication-profile#id6c86a9c5-c55a-4ae3-85b1-12888d40afb4

Re: Cloud Identity Engine - Multi Auth Profile

gcollins5 — Fri, 10 May 2024 13:29:12 GMT

Thank you for your reply .

I had this configured as you said .

Issue is CIE can't pick between the different IDPs and it requires manual intervention to pick the right directory .

Re: Cloud Identity Engine - Multi Auth Profile

domari — Fri, 10 May 2024 15:27:20 GMT

I need a little more clarification to understand the problem better.

Lets say you have user 'X' connecting to globalprotect and they get redirected to CIE for authentication.

- Does user 'X' belong to different groups configured under different SAML profiles?

- You noted "it requires manual intervention to pick the right directory". Can you elaborate to how this manual intervention is happening? Is it happening on the web-browser where the user has to pick which IdP they need to authenticate to?

- Side question, do you have a default profile configured?

Re: Cloud Identity Engine - Multi Auth Profile

KengSeng — Mon, 20 May 2024 02:12:04 GMT

This is the screen that I have seen, I have configured the group, else the multi profile wont work. I have also set default profile. The SSO is not seemless compared to pointing to Entra ID directly. Is this fixed?

Re: Cloud Identity Engine - Multi Auth Profile

DickyAnggara — Fri, 28 Feb 2025 09:06:58 GMT

when trying to log in with a different tenant, does an error appear as follows?