This guide describes how to integrate Prisma Access with Beyond Identity to deliver secure, frictionless authentication for your extended workforce: contractors, consultants, agents, and suppliers.
How this integration works
Prisma Access integrates with Beyond Identity Secure Workforce using the SAML 2.0 protocol. Prisma Access acts as the SAML Service Provider (SP) and Beyond Identity acts as the SAML Identity Provider (IdP). The GlobalProtect Cloud Services mobile agent uses this integration to log in to Prisma Access without a password: Beyond Identity authenticates the user and returns a signed SAML response to the Prisma Access Assertion Consumer Service (ACS) URL configured below, and Prisma Access validates that response against the IdP signing certificate it imports from the Beyond Identity metadata.
Prerequisites
Prisma Access tenant
Beyond Identity Secure Workforce tenant (with users configured and enrolled)
Configure Beyond Identity
To configure Beyond Identity as the SAML Identity Provider:
Log in to the Beyond Identity Admin Console.
Go to Integrations > SAML.
Click Add SAML Connection.
Enter the following values (replace <prisma_access_tenant_name> with your own tenant name; the two URLs must match exactly what Prisma Access presents as its ACS URL and SP entity ID, including the scheme, host, and port):
Name: Beyond Identity IdP-Global Protect
SP Single Sign-on URL: https://<prisma_access_tenant_name>.gpcloudservice.com:443/SAML20/SP/ACS
SP Audience URI: https://<prisma_access_tenant_name>.gpcloudservice.com:443/SAML20/SP
Name ID format: unspecified
Subject User Attribute: UserName
Request Binding: HTTP Redirect
Authentication Context Class: X509
Signed Response: Signed (Beyond Identity signs the SAML response; Prisma Access verifies the signature using the certificate contained in the metadata you download in the next step)
Click Save Changes.
On the right side of the newly created entry, click the Download Metadata icon to download the IdP metadata file. This file carries the Beyond Identity entity ID, single sign-on URL, and signing certificate that Prisma Access needs; treat it as configuration data and import it only from this trusted download.
Configure Prisma Access
To configure Prisma Access as the SAML Service Provider:
Log in to the Prisma Access Admin UI.
Go to Manage > Configuration > Identity Services > Authentication.
Select Mobile Users > GlobalProtect using the drop-down next to Authentication.
Go to Authentication Profiles.
Click Add Profile.
Enter "Beyond Identity IdP - GlobalProtect" as the Profile Name.
Click Import MetaData.
Click Choose File and select the metadata file downloaded from the Beyond Identity Admin Console.
Click Import.
Click Save.
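The two procedures above leave you with an IdP metadata file and a set of SP values that must agree with each other and with what the IdP actually sends. The following script is an added example (not Palo Alto Networks or Beyond Identity code) that checks both: it parses the downloaded IdP metadata for the fields Prisma Access imports (entity ID, HTTP-Redirect SSO URL, a signing certificate) and compares a captured, base64-decoded SAMLResponse against the Destination, Audience, NameID format, and authentication context class configured in the steps above. The tenant name "acme", the IdP entity ID, and both XML documents are constructed placeholders; the script checks that a signature element is present but does not verify it, which is Prisma Access's job.

```python
"""Sanity checks for a Beyond Identity <-> Prisma Access SAML setup.

Added example, not vendor code. The tenant name, IdP entity ID, metadata and
response XML below are constructed placeholders for offline use.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AUTHN_CTX_X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"


def sp_urls(tenant):
    """SP endpoints Prisma Access expects, built exactly as in the IdP steps."""
    base = f"https://{tenant}.gpcloudservice.com:443/SAML20/SP"
    return {"acs": base + "/ACS", "audience": base}


def check_idp_metadata(xml_text):
    """Extract what Prisma Access imports from the IdP metadata and flag gaps."""
    root = ET.fromstring(xml_text)
    out = {"entity_id": root.get("entityID"), "redirect_sso_url": None,
           "signing_cert_ok": False, "problems": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        out["problems"].append("no IDPSSODescriptor in metadata")
        return out
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys cannot validate responses
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            continue
        try:
            der = base64.b64decode("".join(cert.text.split()), validate=True)
        except ValueError:
            out["problems"].append("signing certificate is not valid base64")
            continue
        out["signing_cert_ok"] = der[:1] == b"\x30"  # DER SEQUENCE header
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == REDIRECT:  # the Request Binding chosen above
            out["redirect_sso_url"] = sso.get("Location")
    if not out["signing_cert_ok"]:
        out["problems"].append("no usable signing certificate")
    if out["redirect_sso_url"] is None:
        out["problems"].append("no HTTP-Redirect SingleSignOnService")
    if not (out["redirect_sso_url"] or "https://").startswith("https://"):
        out["problems"].append("SSO URL is not HTTPS")
    return out


def check_response(xml_text, tenant):
    """Compare a decoded SAMLResponse with the SP values configured above."""
    exp = sp_urls(tenant)
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != exp["acs"]:
        problems.append(f"Destination {root.get('Destination')!r} != ACS {exp['acs']!r}")
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed (Signed Response was required)")
    a = root.find("saml:Assertion", NS)
    if a is None:
        problems.append("no Assertion in Response")
        return problems
    aud = a.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != exp["audience"]:
        problems.append(f"Audience != SP Audience URI {exp['audience']!r}")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != NAMEID_UNSPECIFIED:
        problems.append("NameID format is not 'unspecified'")
    ctx = a.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ctx is None or ctx.text != AUTHN_CTX_X509:
        problems.append("AuthnContextClassRef is not X509")
    return problems


# Constructed sample metadata: "MIIBAAAA" decodes to a DER SEQUENCE prefix.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIBAAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.invalid/saml/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed sample response for tenant "acme"; the signature is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" Destination="https://acme.gpcloudservice.com:443/SAML20/SP/ACS">
 <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.invalid</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://acme.gpcloudservice.com:443/SAML20/SP</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
 </saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_IDP_METADATA))
    print("acme:", check_response(SAMPLE_RESPONSE, "acme"))
    print("other tenant:", check_response(SAMPLE_RESPONSE, "other"))
```

Run it against the real metadata file and a SAMLResponse captured from the agent's browser session (base64-decode the SAMLResponse form field first) when a login fails after import: a Destination or Audience mismatch usually means the URLs entered in the Beyond Identity connection differ from the tenant name by a character, a port, or a trailing slash.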