04-24-2025 01:02 AM - edited 04-24-2025 01:03 AM
Hi Team,
Today, I received a new use case from my customer.
In their Prisma Access cloud-managed environment, we have configured SAML authentication for SSL VPN connectivity.
Now, the customer has a new requirement: one of their clients needs access to their private application.
The question is—what's the best solution to provide this client with access to the private application?
We know that GP needs to be connected to access the application, but the concern is around authentication.
Can we create a separate SAML authentication profile for this specific client? OR, create users in their IdP, assign them to a specific group, and synchronize it with the SP.
Looking forward to your insights
regards,
Akash Thangavel
Network Security Engineer
05-05-2025 06:38 PM
Me too. We are using Entra ID as IDP for GP authentication right now. We have our own ADFS infrastructure on-premise and need to design an alternative IDP in case Entra ID has some global service outage.
05-06-2025 06:41 AM
for 1 single user it may be worth adding a 'contractor' (guest) account in their own entraID to keep things simple?
alternatively you could look into Cloud Identity Engine as you can aggregate authentication there and possibly can integrate the client's IdP as well
the Prisma Access Browser may also be a good solution to grant access to contractors without needing to allow VPN tunnels
05-08-2025 08:53 PM
Yes it is achievable. u can achieve this use case to integrate 2 IDP- using SAML with CIE and then use CIE for auth for global protect users.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
