Revision History | |
February 23, 2023 | Initial Deployment Guide |
Table 1: Partner information | |
Date | February 27, 2023 |
Partner Name | Beyond Identity |
Website | www.beyondidentity.com |
Product Name | Beyond Identity Secure Workforce |
Partner Contact | John Caldwell, Technical Alliance Manager, john.caldwell@beyondidentity.com, 617.894.0502 |
Support Contact | support@beyondidentity.com |
Product Description | Beyond Identity Secure Workforce prevents credential-based breaches by eliminating the largest sources of cyber-attacks and ransomware – passwords and first-generation MFA bypass. By incorporating technology based on the principles of zero trust, it delivers robust multi-factor authentication that eliminates passwords, ensures continuous device integrity, and delivers secure and frictionless authentication for your extended workforce, contractors, consultants, agents and suppliers. |
Table 2: Palo Alto Networks Products for Integration | |||
Palo Alto Networks Product | Integration Status | Palo Alto Networks Versions Tested | Beyond Identity Versions Tested |
AutoFocus | |||
Cortex Data Lake | |||
Cortex XDR | |||
GlobalProtect | |||
IoT Security | |||
Prisma Access | Validated | Prisma Access – February 2023 | Secure Workforce – February 2023 |
Prisma Cloud | |||
Prisma SaaS | |||
MineMeld | |||
Next-Generation Firewall | |||
Panorama | |||
VM-Series | |||
WildFire | |||
Other |
Use Cases for Integration with Palo Alto Networks
Use Case
Passwordless MFA along with device trust for remote users accessing Prisma Access using GPCS clients.
Use Case
Continuous device posture assessment for users accessing Prisma Access using GPCS clients.
Integration Benefits
- Beyond Identity + Palo Alto Networks provides defense against credential-based attacks.
- Remote users enjoy frictionless access to Prisma Access.
Integration Diagram
Before You Begin
- Customers must have a Beyond Identity Secure Workforce tenant (with users configured and enrolled) and a Prisma Access Tenant.
Beyond Identity Product Configuration
To Configure Beyond Identity as the SAML Identity Provider:
- Log in to the Beyond Identity Admin Console.
- Go to Integrations > SAML > Add SAML Connection.
- Enter the following values:
  - Name: Beyond Identity IdP-Global Protect
  - SP Single Sign-on URL: https://<prisma_access_tenant_name>.gpcloudservice.com:443/SAML20/SP/ACS
  - SP Audience URI: https://<prisma_access_tenant_name>.gpcloudservice.com:443/SAML20/SP
  - Name ID format: unspecified
  - Subject User Attribute: UserName
  - Request Binding: http redirect
  - Authentication Context Class: X509
  - Signed Response: Signed
- Click Save Changes.
- Download the metadata file by clicking the Download Metadata icon </>.
Palo Alto Networks Configuration
To configure Prisma Access as the SAML Service Provider:
- Log in to the Prisma Access Admin UI.
- Go to Manage > Configuration > Identity Services > Authentication
- Select Mobile Users > GlobalProtect using the dropdown next to Authentication
- Go to Authentication Profiles
- Click Add Profile
- Enter Profile Name: Beyond Identity IdP - GlobalProtect
- Click Import MetaData
- Click Choose File and select the metadata file downloaded from the Beyond Identity Admin Console
- Click Import
- Click Save
Troubleshooting
Common troubleshooting steps
- https://support.beyondidentity.com/hc/en-us/sections/6746957130007-Troubleshooting
Contact Information for Support
- https://support.beyondidentity.com
Helpful Resources
- https://www.beyondidentity.com/resources
Technical Details
- Prisma Access integrates with Beyond Identity Secure Workforce using the SAML 2.0 protocol. Prisma Access acts as the SAML Service Provider and Beyond Identity acts as the SAML Identity Provider. The Global Protect Cloud Services mobile agent uses this integration to log in to Prisma Access without a password.