Prisma Access - CIE multi profile - breaks SSO


L1 Bithead

Hello all.

Seem to be casting into an empty pool here but will try anyway. 


My issue is with Multi Auth profiles using Global Protect & Prisma Access. 


If you use more than one IDP you can only match against one profile, hence you can't use multi profile.

So what is recommended is CIE multi Auth.

You set up your IDPs in here, easy peasy, and it works.

The only problem is when you authenticate against the CIE multi Auth.

You get a new Palo Alto landing page which requires you to enter your user ID so CIE can work out which IDP to point you towards.

This breaks SSO completely. So, if like me you allow Windows authentication FIRST before GP starts, CIE does not use the already granted token because it does not know which directory to point it at, hence you have to enter a user's name; it is then able to see the token is valid, authentication is satisfied and we move on.

Pretty dumb, as it completely breaks SSO. The only option is to move from a working fully integrated IDP to one where users have to enter their user ID.


TAC tells me this is expected behaviour. I can't believe this is actually true as it makes no sense at all to break SSO.


As usual there is no documentation (or I can't find it) on how to configure Multi Auth profiles to cater for this limitation.

There might be some Kung Fu in Global Protect that allows it?

Anyone else seen this?????



HELP!!!


L1 Bithead

BUMP!!!!


Hello Elizabeth32. 


Finally got some traction on it. My SE Rob has been excellent.

It is expected behaviour. Ergo SSO gets broken on purpose.

The reasoning on this seems to be that CIE cannot interpret the token. So the defined method is to add a proxy-type layer where the user inserts their username into a landing page and CIE directs accordingly.

The workaround is to use the default browser on the endpoint and create a dummy record in the password management of the browser for the CIE landing page; this automatically completes the user's input but there is still a submit button.

It is a workaround for now but it still breaks SSO.

My SE set up a meeting with the IAM guru for Europe and we went through the scenario; it is a weakness which is well recognised by Palo.

Seems the best way is to be able to assign an authentication profile to the Global Protect policy, which takes away the need to have that proxy landing page and does away with the multi profile CIE policy.

They have actually put a change request in for this or something similar.

Very positive input from Palo. Just a huge shame TAC were not aware of how this works and took ages to try and diagnose.



