Configure Cloud Identity Engine Authentication on the Firewall or Panorama

Configure an authentication profile to use the Cloud Authentication Service.
On the firewall, select
Device
Authentication Profile
.

Enter a
Name
for the authentication profile.
Select
Cloud Authentication Service
as the
Type
.
Select the
Region
of your Cloud Identity Engine tenant.
For more information on regions, refer to Activate the Cloud Identity Engine.
Select the Cloud Identity Engine
Instance
you want to use for this authentication profile.
For more information on Cloud Identity Engine tenants, refer to Cloud Identity Engine Tenants.
Select an authentication
Profile
that specifies the authentication type you want to use to authenticate users.
Specify the
Maximum Clock Skew (seconds)
, which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
Select
Force multi-factor authentication in cloud
if your IdP is configured to require users to log in using multi-factor authentication (MFA).
(Required for authentication policy rule only) Configure the Authentication Portal settings to use the authentication profile.
Select
Device
User Identification
Authentication Portal Settings
.
Edit
the settings and select the
Authentication Profile
from the first step.
Select
Redirect
as the
Mode
.
For more information on how to configure redirect mode, refer to Configure Authentication Portal.
Click
OK
.
(Required for authentication policy rule only) Create an Authentication Enforcement object that uses the authentication profile to redirect users to log in using their authentication type.
Select
Objects
Authentication
.
Add
an Authentication Enforcement object and enter a
Name
for the object.
Select
web-form
as the
Authentication Method
.
Select the
Authentication Profile
from the first step.
(Optional) Enter a
Message
to display to users.
Click
OK
.
Create a URL list as a custom URL category to allow the necessary traffic for the Cloud Identity Engine.
If you don’t need to strictly limit traffic to your region, you can enter
*.apps.paloaltonetworks.com
. Otherwise, determine your region-based URL using the
show cloud-auth-service-regions
command to display the URLs for the region associated with your Cloud Identity Engine tenant and enter each region-based URL. The following table includes the URLs for each region:
Region	Cloud Identity Engine Region-Based URL
United States	cloud-auth.us.apps.paloaltonetworks.com cloud-auth-service.us.apps.paloaltonetworks.com
Europe	cloud-auth.nl.apps.paloaltonetworks.com cloud-auth-service.nl.apps.paloaltonetworks.com
United Kingdom	cloud-auth.uk.apps.paloaltonetworks.com cloud-auth-service.uk.apps.paloaltonetworks.com
Singapore	cloud-auth.sg.apps.paloaltonetworks.com cloud-auth-service.sg.apps.paloaltonetworks.com
Canada	cloud-auth.ca.apps.paloaltonetworks.com cloud-auth-service.ca.apps.paloaltonetworks.com
Japan	cloud-auth.jp.apps.paloaltonetworks.com cloud-auth-service.jp.apps.paloaltonetworks.com
Australia	cloud-auth.au.apps.paloaltonetworks.com cloud-auth-service.au.apps.paloaltonetworks.com
Germany	cloud-auth.de.apps.paloaltonetworks.com cloud-auth-service.de.apps.paloaltonetworks.com
United States - Government	cloud-auth-service.gov.apps.paloaltonetworks.com cloud-auth.gov.apps.paloaltonetworks.com
India	cloud-auth-service.in.apps.paloaltonetworks.com cloud-auth.in.apps.paloaltonetworks.com
Switzerland	cloud-auth-service.ch.apps.paloaltonetworks.com cloud-auth.ch.apps.paloaltonetworks.com
Spain	cloud-auth-service.es.apps.paloaltonetworks.com cloud-auth.es.apps.paloaltonetworks.com
Italy	cloud-auth-service.it.apps.paloaltonetworks.com cloud-auth.it.apps.paloaltonetworks.com
France	cloud-auth-service.fr.apps.paloaltonetworks.com cloud-auth.fr.apps.paloaltonetworks.com
China	cloud-auth-service.cn.apps.prismaaccess.cn cloud-auth.cn.apps.prismaaccess.cn This region is only accessible in the Cloud Identity Engine within the specified region.
Poland	cloud-auth-service.pl.apps.paloaltonetworks.com cloud-auth.pl.apps.paloaltonetworks.com
Qatar	cloud-auth-service.qa.apps.paloaltonetworks.com cloud-auth.qa.apps.paloaltonetworks.com
Taiwan	cloud-auth-service.tw.apps.paloaltonetworks.com cloud-auth.tw.apps.paloaltonetworks.com
Enter the URLs that your IdP requires for user authentication (for example,
*.okta.com
).
Create a security policy rule to allow traffic to the authentication type and Cloud Identity Engine and select the custom URL category as the match criteria.
Create a internet management profile in the trusted zone and enable response pages.
(Required for authentication policy rule only) Configure an Authentication policy rule to use the Authentication Enforcement object and allow traffic to the custom URL category.
(
Panorama only
) If you use Panorama to manage multiple firewalls, configure the Cloud Identity Engine for Panorama.
Select the Cloud Identity Engine authentication method you want to use with Panorama.
To configure the Cloud Identity Engine in an authentication profile for managed devices, select
Device
Authentication Profile
.
To use the Cloud Identity Engine in an authentication profile for Panorama administrators, select
Panorama
Authentication Profile
.
Select
Panorama
Setup
Management
and
Edit
the
Authentication Settings
, then select the
Authentication Profile
for the Cloud Identity Engine tenant you want to associate with Panorama.
Select
Panorama
Device Groups
and
Add
or
Edit
a device group.
Select the
Cloud Identity Engine
and
Add
the Cloud Identity Engine tenant you want to associate with Panorama then click
OK
.
Commit
your changes and verify that the firewall redirects authentication requests to the Cloud Authentication Service.
On the client device, use the browser to access a webpage that requires authentication.
Confirm that the access request redirects to the Cloud Authentication Service.
Enter your credentials to log in.