12-11-2023 02:55 AM
Hello All.
I have a very simple thing I am trying to do, but as ever, things are not so simple with Palo.
I'm using Prisma SASE, and the focus of this question is Cloud ID Engine & GlobalProtect.
We are AAD only, with no on-premise resources.
I currently use Azure AD as my IdP and all is well with it.
The problem happens when I need to add a second Azure AD for a company we are working with.
It should be as simple as creating a SEQUENCE auth policy; trouble is, this does not work if you are using SAML.
I have set up the required Enterprise Application - CIE - Authentication.
The way I am told to go is to use a MULTI profile in CIE that points to the two AAD IdPs.
I have tested both AAD IdPs in CIE independently and they both work OK.
When I set them up using a MULTI auth profile in CIE, it all goes wrong.
Firstly, the MULTI profile attempts to connect against BOTH IdPs, which involves multiple authentication attempts to what seems to be a proxy Palo Alto portal:
https://cloud-auth.de.apps.paloaltonetworks.com/sp/acs
It just does not work. The only other way is to join the AADs together, but I am loath to do this, as Palo does say it works with a multi profile. Has anyone done this?