graph TD A[User tries to log into Personal SaaS Tenant] --> B{PAN-OS Firewall}; subgraph Firewall Processing B -- 1. Decrypt HTTPS Login --> C[Decrypt Traffic]; B -- 2. Policy Match Login Domain --> D[Security Policy Rule]; D -- Apply Profile --> E[HTTP Header Insertion Profile]; E -- Insert Header --> F(Add 'Restrict-Access-To-Tenants: '); end B --> G[Modified Login Request with Header]; G --> H((SaaS Provider Login Service)); H -- Header Check: User Tenant != Corp Tenant --> I{Access Denied by SaaS Provider}; I --> B; B --> A;