12-11-2023 02:55 AM
Hello All .
Have a very simple thing I am trying to do but as ever things are not so simple with Palo .
I'm using Prisma SASE and this focus around this question is Cloud ID Engine & Global Protect.
WE are AAD only with no on premise resources .
I currently use Azure AD as my IDP and all is well with it .
Problem happens when I need to add a second Azure AD for a company we are working with .
Should be as simple as create a SEQUENCE auth policy , trouble is , this does not work if you are using SAML.
I have setup the required Enterprise Application - CIE - Authentication .
The way I am told to go is to use a MULTI profile in CIE that points to the two AAD IDP .
I have tested both AAD IDPs in CIE independently and they both work OK .
When I set them up using a MULTI auth profile in CIE it all goes wrong.
Firstly , the MULTI profile attempts to connect again BOTH IDPs which involves multiple authentication attempts ro what seems a proxy Palo Alto portal ,
https://cloud-auth.de.apps.paloaltonetworks.com/sp/acs
It just does not work , the only other way is to joind the AADs together but I a m loathe to do this as PAlo does say it works with a multi profile. Anyone done this ?
04-23-2024 07:47 PM
Is this fixed? I did see a working scenario, just it will break SSO...
https://live.paloaltonetworks.com/t5/prisma-access-discussions/prisma-access-cie-multi-profile-break...
05-02-2024 08:21 AM
I understand that you are using CIE with Multiple SAML authentication profiles. My question to you is, are you assigning groups to those different SAML authentications?
Please reference the link below regarding how to configure the multiple authentication profile, starting from step 5.
The way that the authentication sequence works in CIE, you have to assign groups to the authentication types, So if you have different SAML profiles, you need to assign the groups that you would like to authenticate to those SAML profiles. If you have a user matching more than one group that has an assigned authentication type then the CIE selects the authentication type that is closer to the top of the list.
With that said, the authentication mapping in CIE doesn't work like the authentication sequence in NGFW.
- In NGFW, it will check the authentication profiles top down until the user is able to authenticate.
- In CIE, the authentication mapping uses the given userID to obtain the group information for the user to determine if the user’s group has an assigned authentication type. If the user belongs to multiple groups, the Cloud Identity Engine uses the first authentication type you assign to the group for user authentication. Now, if the user is not in an assigned group then it will use the authentication configured in "Default authentication type".
Reference:
05-10-2024 06:29 AM
Thank you for your reply .
I had this configured as you said .
Issue is CIE can't pick between the different IDPs and it requires manual intervention to pick the right directory .
05-10-2024 08:27 AM
I need a little more clarification to understand the problem better.
Lets say you have user 'X' connecting to globalprotect and they get redirected to CIE for authentication.
- Does user 'X' belong to different groups configured under different SAML profiles?
- You noted "it requires manual intervention to pick the right directory". Can you elaborate to how this manual intervention is happening? Is it happening on the web-browser where the user has to pick which IdP they need to authenticate to?
- Side question, do you have a default profile configured?
05-19-2024 07:12 PM
This is the screen that I have seen, I have configured the group, else the multi profile wont work. I have also set default profile. The SSO is not seemless compared to pointing to Entra ID directly. Is this fixed?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
