With Palo Alto Networks’ Cloud Identity Engine, customers can harness multi-authentication to perform intelligent group-based authentication.
Things have changed dramatically in identity and access management over the last couple of years. Enterprises are transitioning to a remote-first or hybrid workforce, and there is increasing demand for cloud authentication (e.g. SAML-based cloud identity providers like Azure and Okta). Many have two or more authentication types; for example, they may be leveraging certificate-based authentication in addition to SAML. Others may have a second identity provider instance or vendor for acquired companies or contractors.
Suffice it to say, things have become more complicated.
Before our PAN-OS Nebula release, identity administrators deciding which authentication mechanism to use to give employees access to the company network relied on operating systems as a proxy or were forced to deploy multiple portals to serve their workforce.
At Palo Alto Networks, our goal is to make your identity and access management system simpler and more secure in the face of this new complexity.
Enter: Multi-authentication via Cloud Identity Engine
The Palo Alto Networks identity team has been hard at work building Cloud Identity Engine to simplify identity across infrastructure and enable easy authentication and authorization through the cloud. As of our new Nebula release, customers can use Cloud Identity Engine to associate each group in the customer’s directory (like on-prem Active Directory and/or Azure Active Directory) with the appropriate authentication type for that group. This is all organized under a single authentication profile, which can be utilized by our NGFWs, Panorama, and GlobalProtect. For example, customers can have their product management employee group authenticate with SAML through Okta, a contractor group authenticate with SAML through Ping, and another group authenticate via certificate-based authentication—all under one authentication profile.
There are three situations in which admins would use multi-authentication. Admins might leverage multiple SAML providers, multiple certificates, or a mixed system where some groups are set to authenticate with a SAML-based identity provider and others are set to authenticate via certificate-based authentication. In any case, the admin no longer needs to configure a different GlobalProtect or authentication portal. All users can authenticate through the same portal.
Multi-authentication requires PAN-OS 10.1+ and GlobalProtect 6.0+.