On-Prem Firewall & Cloud Identity Engine for SAML GP


Hi folks,

I have a question regarding GlobalProtect authentication using SAML and Cloud Identity Engine (CIE).

Current setup:

  • Users authenticate to Prisma Access using SAML.

  • The Identity Provider is Microsoft Entra ID.

  • Cloud Identity Engine (CIE) is already integrated with Entra ID and working successfully for Prisma Access users.

What I would like to achieve:

  • Deploy GlobalProtect on an on-premises Palo Alto firewall.

  • Reuse the existing CIE tenant and Entra ID integration rather than creating a separate SAML integration directly between the firewall and Entra ID.

I came across the following documentation:

https://docs.paloaltonetworks.com/identity/cloud-identity-engine/identify-users-and-devices-with-cie...

My understanding is that CIE is already acting as the identity source, and authentication for Prisma users is currently occurring through Entra ID via SAML. Therefore, if I integrate my on-prem firewall with the same CIE tenant and use the corresponding authentication profile for GlobalProtect, would the firewall be able to leverage the existing SAML authentication flow through CIE?

Or is a separate SAML application/integration between the on-prem firewall and Entra ID still required for GlobalProtect authentication?

Has anyone implemented a similar design, or can anyone clarify whether this architecture is supported?
