Palo Alto Networks SSE Engineer — Question 17
All mobile users are unable to authenticate to Prisma Access (Managed by Strata Cloud Manager) using SAML authentication through the Cloud Identity Engine. Users report that after entering their credentials on the Identity Provider (IdP) login page, they are redirected to the Prisma Access portal without successful authentication, and they receive this error message:
Error: Prisma Access Portal Authentication Failed using CIE-SAML with message “400 Bad Request”
Which action will identify the root cause of this error?
Answer options
- A. Verify the SAML metadata configuration in both Strata Cloud Manager and the IdP portal to confirm that the endpoint URLs and certificates are correctly configured.
- B. Examine the Security policy rules in Prisma Access to ensure that traffic from the IdP is allowed and not blocked.
- C. Verify the SAML metadata configuration in both the Cloud Identity Engine and the IdP portal to confirm that the endpoint URLs and certificates are correctly configured.
- D. Review the Authentication logs in Strata Cloud Manager to check for any SAML error messages or authentication failures.
Correct answer: C
Explanation
The correct answer is C because it verifies the SAML metadata exchanged between the Cloud Identity Engine and the IdP (entity IDs, endpoint URLs and signing certificates), which is the configuration a "400 Bad Request" response during the SAML exchange points to. Options A and D are incorrect because they involve Strata Cloud Manager instead of the Cloud Identity Engine and do not directly address the SAML configuration the IdP depends on. Option B is also incorrect because it addresses Security policy rather than the SAML metadata issue.