# Prisma Access Configures Cloud-Based and On-Prem Authentication

By [Suresh Sangiah](https://www.paloaltonetworks.com/blog/author/suresh-sangiah/?ts=markdown), Feb 13, 2023

The adoption of cloud-based identity providers (IdPs) has grown exponentially in the past several years, largely because most businesses want to move the management of user identities from on-prem to the cloud. Enterprises are adopting cloud-based IdPs for their ability to tightly control access and centrally increase security with password complexity management, multi-factor authentication (MFA), and single sign-on (SSO) without negatively impacting availability, reliability, or scalability.

However, migrating from on-prem authentication methods (such as RADIUS, LDAP, and Kerberos) to cloud authentication methods (e.g. SAML with Azure AD, Okta, Google Identity) can be a time-consuming and resource-intensive effort that can lead to delayed projects. Organizations need ways to navigate the complexity of hybrid and distributed identity stores without compromising end user security.

[Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown), our flagship cloud-delivered security platform, now provides organizations with two key solutions to help navigate deployment complexity and gradually migrate users to cloud authentication:

1. [Multiple Portal Authentication Support](https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-advanced-deployments/mobile-user-globalprotect-advanced-deployments/configure-multiple-portals-in-prisma-access) allows organizations to configure cloud authentication and on-prem authentication within a single Prisma Access instance. The co-existence of on-prem and cloud authentication within Prisma Access helps enable the gradual migration of user authentication from on-prem to cloud.
2. [Cloud Authentication Service with Cloud Identity Engine](https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-users-with-the-cloud-identity-engine) integrates with multiple identity providers from a single interface and simplifies authentication with cloud IdPs to help solve operational challenges.

## Multiple Portal Authentication Support

[Multiple Portal Authentication Support](https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-advanced-deployments/mobile-user-globalprotect-advanced-deployments/configure-multiple-portals-in-prisma-access) enables IT administrators to configure two mobile user GlobalProtect portals on the same Prisma Access tenant. For example, a customer who wants to migrate from RADIUS to SAML can enable Multiple Portal Authentication Support to activate an additional portal on their Prisma Access instance. Portal 1 can service existing RADIUS-authenticated users without service disruption while Portal 2 can be enabled for SAML authentication. The customer can use Portal 2 to test SAML authentication for a subset of its users, gradually rolling it out to other users with a simple portal change on the GlobalProtect agent.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/02/word-image-179779-1.jpeg)

*Fig 1: Both RADIUS and SAML portals are active within a single Prisma Access instance.*

## Cloud Authentication Service with CIE

[Cloud Identity Engine](https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/techbriefs/cloud-identity-engine&ts=markdown) (CIE) provides network security teams a single implementation point to manage MFA for both on-premises and cloud IdPs. CIE integrates with one or more IdPs in a few clicks, eliminating the frustration of configuring IdPs on individual security devices. Prisma Access now supports CIE multi-authentication.
CIE [Multi Authentication](https://live.paloaltonetworks.com/t5/blogs/supercharge-your-identity-system-with-multi-authentication-in/ba-p/481319) allows companies to configure a single authentication profile with SAML 2.0 and multiple certificate authentication methods or identity providers. For example, a single GlobalProtect authentication flow can be completed with Okta, Azure Active Directory, or certificate-based authentication, depending on which user is trying to gain access. This is essential when multiple IdPs with multiple authentication types are present on a network.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/02/word-image-179779-2.jpeg)

*Fig 2: Cloud Identity Engine simplifies cloud authentication setup and management for multiple IdPs.*

## Identity Security and ZTNA 2.0

Check out the latest [Prisma Access](https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-release-notes/prisma-access-about/features-in-prisma-access) and [Cloud Identity Engine](https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-release-notes) release notes to learn more about the innovations we are driving around identity on Prisma Access.

Identity is a fundamental component of a Zero Trust framework and an essential component of [ZTNA 2.0](https://www.paloaltonetworks.com/sase/ztna?ts=markdown). Simplifying identity security across hybrid identity stores enables a unified security product to deliver Zero Trust outcomes with Zero Exceptions.

Cloud Identity Engine aligns with principles of least privilege access by allowing customers to associate each group in their directory with the appropriate authentication type for that group. For example, customers can have their product management employee group authenticate with SAML through Okta, a contractor group authenticate with SAML through PingID, and another group authenticate via certificate-based authentication, all under one authentication profile.
This approach greatly simplifies identity security while ensuring consistent security across hybrid organizations with hybrid workforces.

[Get started](https://start.paloaltonetworks.com/zero-trust-with-zero-exceptions) exploring how ZTNA 2.0 on Prisma Access can help secure today's hybrid enterprises and workforces.