How to configure Prisma Access browser to login using UPN instead of Email.

Created On 05/09/25 03:38 AM - Last Modified 07/14/25 07:31 AM


Objective


  • Logging in to Prisma Access Browser (PAB) requires onboarding through Cloud Identity Engine with SAML authentication.
  • The default method of identification is email, but UPN (User Principal Name) is also supported.
  • This article provides steps to use UPN instead of Email.


Environment


  • Prisma Access Browser (PAB)
  • Authentication using UPN


Procedure


  1. In CIE (Cloud Identity Engine) > Authentication Type > step 3, for the username attribute, select either UPN or username (username only where it is set to UPN on the IdP (identity provider) side).

CIE UPN attribute in Authentication type

 

  2. In the Prisma Access Browser onboarding, change the Identification method to UPN.

 

UPN format for identification in PAB 

  3. Once UPN is selected, it is automatically populated into the Email field on the Users page, replacing the traditional Email attribute.
  4. Once the changes are made, wait 10 to 15 minutes and then have the user log in using UPN.


Additional Information


Note:

  • PAB can only accept a valid email format.
  • If the UPN value isn't an email format, PAB will skip the user credentials.
  • This means if the UPN on the IDP side is not in valid email format, UPN cannot be used for PAB login.
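
A pre-change check for the constraint in the note above, as an added example that is not part of the original article or Palo Alto Networks code: it scans a directory export and lists UPNs that are not in email format. The page does not document the exact validation PAB applies, so the pattern below is an assumed, conservative one, and the CSV column name `userPrincipalName` and the sample rows are constructed.

```python
import csv
import io
import re

# Assumption: a conservative "local@domain.tld" shape. The article does not
# document the exact validation PAB applies, so a pass here is necessary,
# not sufficient.
_LOCAL = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
EMAIL_SHAPE = re.compile(rf"{_LOCAL}@{_LABEL}(?:\.{_LABEL})+")

def upn_problem(upn):
    """Return None if the UPN looks like an email address, else a reason."""
    if not upn or upn != upn.strip():
        return "empty or has surrounding whitespace"
    if "\\" in upn:
        return "down-level logon name (DOMAIN\\user), not a UPN"
    if upn.count("@") != 1:
        return "must contain exactly one '@'"
    local, domain = upn.split("@")
    if len(local) > 64 or len(upn) > 254:
        return "too long for an email address"
    if "." not in domain:
        return "domain part has no dot (single-label suffix)"
    if not EMAIL_SHAPE.fullmatch(upn):
        return "characters or dot placement not valid in an email address"
    return None

def audit(csv_text, column="userPrincipalName"):
    """Return [(upn, reason)] for rows whose UPN fails the email-shape check."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r[column], p) for r in rows if (p := upn_problem(r[column] or ""))]

# Constructed sample export; names and domains are made up.
SAMPLE = """displayName,userPrincipalName
Alice,alice@example.com
Bob,CORP\\bob
Carol,carol@corp
Dave,dave..smith@example.com
Erin,erin@example.local
"""

if __name__ == "__main__":
    for upn, reason in audit(SAMPLE):
        print(f"{upn}: {reason}")
```

Users flagged here would need their UPN corrected on the IdP side, or the identification method left on Email, before the change is rolled out.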

 


