What is the authentication flow based on the option set for "Allow Authentication with User Credentials OR Client Certificate"?
9233
Created On 01/21/23 00:06 AM - Last Modified 09/25/25 02:27 AM
Question
What is the authentication flow based on the option set for Allow Authentication with User Credentials OR Client Certificate?
Environment
- On-prem firewalls
- Panorama managed Prisma Access
- GlobalProtect app
- Any client OS
Answer
- Assume a mixed environment of Windows, macOS, Linux and mobile devices, with both certificate-based authentication (please refer to this link for this configuration) and SAML authentication enabled on both the portal and the gateway
- If "Allow Authentication with User Credentials OR Client Certificate" is set to No, every client must pass both certificate-based authentication and SAML authentication for the connection to succeed
- If "Allow Authentication with User Credentials OR Client Certificate" is set to Yes, certificate-based authentication is the primary method and SAML authentication is the secondary method: every client first attempts certificate-based authentication and falls back to SAML authentication only if the certificate check fails
Panorama managed Prisma Access:
Note: With the option set to Yes (= OR), a client certificate that carries a valid username is processed first and, when it succeeds, stops the Auth Profile from being processed (the Auth Profile step is what the Auth-Override-Cookie overrides). Because the Auth Profile is skipped in that case, no user authentication cookie is generated for that login.
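The following Python snippet is an added illustration of the decision flow described in this answer; it is not PAN-OS, Panorama or GlobalProtect code. It models the two settings of the option as a pure function so the difference (AND of both methods versus certificate-first with SAML fallback) and the Prisma Access cookie behaviour can be checked side by side. The input flags, the `Outcome` fields and the assumption that a user auth cookie is generated whenever the Auth Profile is actually processed and succeeds are all constructed for this example.

```python
"""Simulated decision flow for the GlobalProtect option
"Allow Authentication with User Credentials OR Client Certificate".

Added illustration only: this is not vendor code. Outcomes follow the
article's description; the cookie behaviour for the "No" setting is an
assumption (cookie generated when the Auth Profile is processed and
succeeds), not something the article states explicitly.
"""

from dataclasses import dataclass, field
from typing import List


@dataclass
class ClientState:
    # True when certificate-based authentication succeeds (trusted client
    # certificate that yields a username per the certificate profile).
    cert_auth_ok: bool
    # What the SAML IdP would return if the Auth Profile is processed.
    saml_ok: bool


@dataclass
class Outcome:
    authenticated: bool
    # Methods actually exercised, in order (constructed labels).
    methods_used: List[str] = field(default_factory=list)
    # Whether a user auth cookie is generated for this login.
    auth_cookie_generated: bool = False


def evaluate(allow_creds_or_cert: bool, client: ClientState) -> Outcome:
    """Return the login outcome for one client under the given option value.

    allow_creds_or_cert=False models the option set to "No":
        both certificate and SAML authentication must succeed.
    allow_creds_or_cert=True models the option set to "Yes" (= OR):
        certificate first; SAML (the Auth Profile) only on certificate failure.
    """
    methods = ["certificate"]  # the certificate check runs first in both modes

    if not allow_creds_or_cert:
        # "No": the Auth Profile is always processed as well; both must pass.
        methods.append("saml")
        ok = client.cert_auth_ok and client.saml_ok
        # Assumption: cookie is generated when the Auth Profile succeeds.
        return Outcome(ok, methods, auth_cookie_generated=ok)

    if client.cert_auth_ok:
        # "Yes": a successful certificate with a valid username stops Auth
        # Profile processing, so no user auth cookie is generated (Prisma
        # Access note above).
        return Outcome(True, methods, auth_cookie_generated=False)

    # "Yes" but certificate failed: fall back to the Auth Profile (SAML).
    methods.append("saml")
    return Outcome(client.saml_ok, methods, auth_cookie_generated=client.saml_ok)


def comparison_table() -> List[dict]:
    """Evaluate every combination under both settings; handy for a quick review."""
    rows = []
    for option in (False, True):
        for cert in (True, False):
            for saml in (True, False):
                out = evaluate(option, ClientState(cert, saml))
                rows.append({
                    "option": "Yes" if option else "No",
                    "cert_auth_ok": cert,
                    "saml_ok": saml,
                    "authenticated": out.authenticated,
                    "methods": "+".join(out.methods_used),
                    "cookie": out.auth_cookie_generated,
                })
    return rows


if __name__ == "__main__":
    for row in comparison_table():
        print(row)
```

Reading the table makes the operational difference clear: with the option set to No, a SAML outage blocks every client even when certificates are valid, whereas with Yes a certificate-holding client never touches the IdP and, on Prisma Access, also receives no auth cookie.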
Additional Information
How To Configure GlobalProtect App 5.0 on Apple iOS 12 to use Client Certificate for authentication