Focus

Cloud Identity Engine Getting Started

Configure SCIM Connector for the Cloud Identity Engine

Table of Contents

Configure SCIM Connector for the Cloud Identity Engine

As part of the Cloud Identity Engine, Directory Sync connects to your directory to obtain user and group information for user identification and enforcement for group-based and user-based Security policy.

Configuring the System for Cross-Domain Identity Management (SCIM) protocol for Directory Sync in the Cloud Identity Engine allows you to customize what attributes Directory Sync collects from your directory. You can add or remove attributes in your directory portal to customize which attributes you want to share with the Cloud Identity Engine for user and group identification.

The SCIM gallery app does not support the userType attribute.

Configuring your directory to use the SCIM Connector with the Cloud Identity Engine requires completing all necessary steps in both the Cloud Identity Engine and in the portal for your specific SCIM client. If you encounter any issues with the SCIM Connector setup, learn how to Troubleshoot Cloud Identity Engine Issues.

Set up SCIM Connector in the Cloud Identity Engine app and complete the predeployment steps for your SCIM client.
1. Complete the predeployment steps for your SCIM client.
  Configure Azure Active Directory for SCIM Connector
  Configure PingFederate for SCIM Connector
  Configure Okta Directory for SCIM Connector
2. In the Cloud Identity Engine app, select Directory SyncDirectoriesCloud DirectorySet UpSCIM.
3. Select the SCIM Client you want to use:
  Azure AD—Configure an Azure Active Directory to use the SCIM Connector. Be sure to complete the predeployment steps in the Azure Portal to Configure Azure Active Directory for SCIM Connector.
  PingFederate—Configure a PingFederate server to use the SCIM Connector. Be sure to complete the predeployment steps in the PingFederate portal to Configure PingFederate for SCIM Connector.
  Okta—Configure an Okta Directory to use the SCIM Connector. Be sure to complete the predeployment steps in the Okta Administrator Dashboard to Configure Okta Directory for SCIM Connector.
In the portal for your SCIM client, obtain the necessary information you must enter to configure the SCIM Connector in the Cloud Identity Engine.
Enter the necessary information in the Cloud Identity Engine to configure your directory to use SCIM with Directory Sync.
1. Enter the Directory ID (up to 40 alphanumeric characters, including hyphens) and Directory Name (up to 50 lowercase alphanumeric characters including periods, hyphens, and underscores) that you copied from your directory portal.
  For the Directory ID in the Cloud Identity Engine:
  For Azure, use the Tenant ID.
  For Ping, use the System ID.
  For Okta, use the Directory Name.
  
  For Okta, Palo Alto Networks recommends using the Directory Name, but you can enter any name (up to 40 alphanumeric characters, including hyphens).
  
  For the Directory Name in the Cloud Identity Engine:
  For Azure, use the Primary Domain.
  For Ping, use the User.
  For Okta, use the Okta Domain.
2. Copy the Base URL and save it in a secure location.
3. Click Generate Bearer Token then copy the token that the Cloud Identity Engine generates for your Authorization Method and save it in a secure location.
  
  Before continuing to the next step and submitting the changes, make sure to save the token in a location where you can easily retrieve it to enter it in your SCIM client directory portal. If you submit the changes in the Cloud Identity Engine app before you generate and save the token, you must generate a new token in the Cloud Identity Engine app and enter the new token in the directory portal.
4. Click Submit to commit your changes.
  
  You must click Submit to create the configuration in the Cloud Identity Engine app before continuing the configuration in the IdP, then return to the Cloud Identity Engine app and complete a full sync of the entire directory before the configuration is complete.
Select the check box and click OK to confirm your acknowledgment of the postconfiguration requirements then return to the portal for your SCIM client to complete the postconfiguration steps.
After completing the steps in both the Cloud Identity Engine app and your directory portal, you can now use the SCIM Connector to collect attributes from your directory. To learn which attributes the SCIM Collector collects, see the Cloud Identity Engine Attributes.

Configure Azure Active Directory for SCIM Connector

You must also complete the required steps in the Azure Active Directory (AD) Portal to complete the SCIM Connector configuration. For more information, refer to the documentation for the Azure AD SCIM Connector.

Complete the predeployment steps to add a new application in the Azure Portal then obtain the necessary information to configure SCIM for Directory Sync.

Azure Active Directory (AD) SCIM provisioning requires that the group attribute displayName is unique. If more than one group uses the displayName attribute, the initial sync isn't successful and the data for the duplicate group names might only be partially retrievable. If you don't use the duplicate groups in Security policy, then you can proceed. If you use the duplicate group names in Security policy, you must resolve the issue by modifying the displayName attribute in your Azure Active Directory (AD) to ensure that it’s unique.
1. Log in to the Azure Portal.
2. Select Overview (if it'sn’t already selected), copy the Tenant ID, and save it in a secure location.
3. Copy the Primary domain and save it in a secure location.
4. Select Enterprise applicationsAll applicationsNew application.
5. To Search application(s), enter Palo Alto Networks SCIM Connector.
6. Select Palo Alto Networks SCIM Connector and Create the application.
  
  If you encounter an error when creating the application, refer to Troubleshoot Cloud Identity Engine Issues.
7. Return to the Cloud Identity Engine app to continue the SCIM Connector setup.
  
  You must complete the setup in the Cloud Identity Engine before you can successfully Test Connection in the Azure Portal.
8. After you submit the SCIM Connector configuration in the Cloud Identity Engine app, continue to the next step.

Configure your Azure Active Directory (AD) to use SCIM Connector to connect to the Cloud Identity Engine.

Log in to the Azure Active Directory (AD) Portal.
Select Enterprise Applications then select the Palo Alto Networks SCIM Connector application.
Select Provisioning and click Get Started.
Select Automatic as the Provisioning Mode.

Enter the following information from steps 3.b and 3.c in the fields as indicated in the following table:

Copy from Cloud Identity Engine	Enter in Azure Portal
Base URL	Tenant URL
Authorization Method Bearer token	Secret Token

Save your changes.
(Optional but recommended) Click Test Connection to confirm that the Azure Active Directory (AD) can successfully communicate with the Cloud Identity Engine app.

You must complete the setup in the Cloud Identity Engine before you can successfully Test Connection in the Azure Portal.

Manage the users, groups, and attributes that the Azure Active Directory (AD) provisions to the Cloud Identity Engine app.

If you choose to sync only specific groups and those groups contain subgroups, add the parent group first, then add any child groups. If you do not manually add the child groups of any parent groups, the Cloud Identity Engine syncs only the parent group. You do not need to manually add users as the Cloud Identity Engine sync users in groups, just any child groups of parent groups where you want to sync both groups.
1. In the Azure Portal, select ProvisioningEdit Provisioning.
2. Select Mappings then select whether you want to edit the attributes when you Provision Active Directory Groups or Provision Active Directory Users.
  
  For optimal performance, Palo Alto Networks strongly recommends provisioning only the groups that you want to use the SCIM Connector. If you're using Prisma® Access with the Cloud Identity Engine, make sure that you provision any groups that you use in your Security policy to ensure it applies your Security policy correctly.
3. Delete any attributes that you don’t want to provide to the Cloud Identity Engine app.
4. (Optional) Click Add new mapping to add a new mapping that you want Azure Active Directory (AD) to use to identify users for the Cloud Identity Engine.
5. (Optional) By default, the Cloud Identity Engine only synchronizes the users and groups you assign to this app in the Azure Portal. You can optionally synchronize all users and groups (SettingsSync all users and groups).
6. Save your changes when they are complete.
Allow Azure Active Directory (AD) to provide the information to the Cloud Identity Engine and verify that the Cloud Identity Engine uses SCIM to obtain the Azure Active Directory (AD) information.
1. In the Azure Portal, verify you’ve completed all the provisioning steps in the documentation for the Azure AD SCIM Connector.
2. Select the name of the app that you configured in the first step then select ManageProvisioningStart Provisioning to begin providing attributes to the Cloud Identity Engine.
3. Wait until the sync is complete (Initial cycle completed) then View provisioning details.
4. Verify that the synchronization was successful by confirming the timestamps (Completed and Steady state achieved) and verifying that the number of Users and Groups displays.
  
  If the number of users and groups does not display, refer to Troubleshoot Cloud Identity Engine Issues.
5. In the Cloud Identity Engine app, verify that the SCIM Change Timestamp for your Azure SCIM directory populates on the Directories page.
6. Select ActionsFull Sync to complete a full synchronization of your Azure Active Directory with Directory Sync for the Cloud Identity Engine.
  
  You must successfully complete a full sync in the Cloud Identity Engine app to complete the SCIM Connector setup.

Configure PingFederate for SCIM Connector

Complete the following steps to configure the Cloud Identity Engine to use the SCIM Connector to connect to your PingFederate server. Be sure to complete all the steps in the PingFederate SCIM Connector documentation as well.

Set up the directory for SCIM Connector.
1. Log in to the PingFederate portal and select Data Stores then click Add New Data Store.
2. Enter a Data Store Name and select Directory (LDAP) as the Type.
3. Enter the Hostname(s) (including the port number).
4. Enter a valid email address as the User DN.
5. Click Test Connection to verify the connection is successful.
  
  If the connection test isn't successful, verify that the hostname and email address are valid. Some directories, such as PingDirectory, format the User DN as cn=administrator. In this case, select Use LDAPS and use a different port number, such as 1636, instead of the default port number of 389.
6. Copy and edit the System ID then paste the edited value in the Cloud Identity Engine app as the Directory ID.
  
  You must edit the System ID to remove the LDAP- that precedes the Directory ID value before entering the value as the Directory ID in the Cloud Identity Engine app.
7. Copy and edit the User value and edit the edited value in the Cloud Identity Engine app as the Directory Name.
  
  For the Directory Name, use the domain name that follows the username in the User column (for the example below, the Directory Name is the value after Administrator@).
Provision the SCIM connection.
1. Select SP ConnectionsCreate Connection.
2. Select Do not use a template for this connection.
3. Select Outbound provisioning.
4. Select SCIM Connector.
  
  If the SCIM Connector option isn’t available, confirm that you completed all substeps in the previous step correctly.
5. Select General Info and enter a Partner’s Entity ID (Connection ID) and a Connection Name.
6. (Optional but recommended) To decrease the amount of time necessary for the initial sync, select Outbound ProvisioningConfigure ProvisioningManage ChannelsChannel ConfigurationChannel Info and increase the value for Max Threads.
  
  The range is recommended range is 1–5; for optimal sync time, Palo Alto Networks recommends 5 as the value for Max Threads.
Specify the information from the Cloud Identity Engine for the SCIM connection provisioning.
1. Select Outbound ProvisioningConfigure Provisioning.
2. Select the SP Connections Target tab and enter the Base URL that you copied from the Cloud Identity Engine.
3. Select ApplicationsSP ConnectionsSP ConnectionConfigure ChannelsManage Channels.
4. Select OAuth 2 Bearer Token as the Authentication Method and enter the Bearer Token that you copied from the Cloud Identity Engine as the Access Token.
5. Select Common Name as the Group Name Source.
6. Select Use patch for group updates.
Configure the channels for the SCIM connection.
1. Select Configure Channels and Create a channel.
2. Enter a Name for the channel and select the directory you want to configure in the Cloud Identity Engine as the Active Data Store.
3. Select Source Location and enter the Base DN for your directory.
4. Enter the Group DN for the source of the user and group mappings or create a filter that specifies which entries to use. For example, Group DN:CN=Chicago,OU=Illinois,DC=example,DC=com syncs all users and groups in the Chicago group.
5. If you use a Group DN and your directory contains nested groups, select Nested Search.
  Retention of nested group hierarchies from PingFederate servers through the SCIM Connector isn’t available. If your directory contains nested groups and you want to sync all of the child users and groups, you must select the method you want to use to ensure the Cloud Identity Engine correctly collects all users and groups in the parent group.
  Add the parent group as a member of a different group and use that container group as the Group DN. For example, configure the parent group in a directory with the name root in an OU with the name location and use the value CN=root,OU=location,DC=paloaltonetworks,DC=com for the Group DN.
  Add a filter that includes all members of the parent group (for example, (objectClass=user),(objectClass=group) includes all users and groups in the Base DN DC=paloaltonetworks,DC=com).
6. Select Attribute Mapping and Edit the userName* to userPrincipalName.
7. Save the connection and continue the configuration in the Cloud Identity Engine.
Complete the postdeployment steps to configure the PingFederate server for the SCIM Connector.
1. Verify that you’ve completed all of the provisioning steps.
2. In the PingFederate Portal, either commit a directory change or enter the following command: pingfederate/bin/provmgr.sh --reset-all -c [channel number] command.
  
  To determine the channel number, use the ./provmgr.sh --show-channels command.
3. In the Cloud Identity Engine, verify the app populates the SCIM Change Timestamp then complete a full sync (ActionsFull Sync).

Configure Okta Directory for SCIM Connector

You must also complete the required steps in the Okta Administrator Dashboard to complete the SCIM Connector configuration. For more information, refer to the documentation for the Okta Directory.

The SCIM Connector for Okta directory supports the following capabilities:

Create users
Update user attributes
Deactivate users
Import users
Import groups
Sync password
Group push

Log in to your Okta Administrator Dashboard and add the integration using the Okta Integration Network.
1. Log in to the Okta Administrator Dashboard, select Applications, and click Browse App Catalog.
2. Enter Palo Alto Networks SCIM as the search query.
3. Select the app and click Add Integration.
4. Optionally change any settings, such as the Application Label, then click Done.
5. Copy your Okta domain name.
Configure the Okta integration to communicate with the Cloud Identity Engine.
1. Select Provisioning.
2. Click Configure API Integration.
3. Select Enable API integration.
4. Enter the URL you copied in step 3.b as the Base URL.
5. Enter the token you copied in step 3.c as the API Token.
6. Click Test API Credentials to verify the Okta Directory can successfully communicate with the Palo Alto Networks SCIM integration then click Save.
  
  If the test is not successful, verify that you successfully submitted your configuration in the Cloud Identity Engine app in step 3.d.
Assign the Okta integration to the users you want to include in your Security policy.
1. Edit the settings to assign Provisioning to App.
2. Enable all the options and Save your changes.
3. Select the Push Groups tab then click the Find Groups button to Find groups by name.
4. Type the name of a group to Push groups by name.
5. Select the group and Save your changes.
Verify the configuration.
1. In the Cloud Identity Engine app, select Directories and verify that the timestamp displays in the SCIM Change Timestamp column for the Okta SCIM directory.
2. Select Actions Full Sync for the directory.
  
  The configuration isn’t complete until you’ve successfully completed a full sync for the entire directory.

Configure a Custom Okta App Integration for SCIM Connector

Palo Alto Networks strongly recommends using the Okta gallery app to Configure Okta Directory for SCIM Connector. If you want to use a custom Okta app integration, complete the following steps.

Log in to your Okta Administrator Dashboard and Create an app integration.
1. Select SAML 2.0 as the Sign-in method and click Next.
2. Enter a unique App Name and optionally enter any other information (such as an App Logo or App Visibility) then click Next.
3. Enter the Single-sign on URL where you want to redirect users to sign in and the Audience URI (SP Entity ID) then click Next.
4. Select the option that best reflects your use of the SCIM Connector app integration and click Finish.
Configure the Okta SCIM Connector app integration.
1. Select General (if it is not already selected) and Edit the App Settings.
2. Select SCIM as the Provisioning method and Save your changes.
Configure provisioning for the Okta SCIM Connector app integration.
1. Select Provisioning and Edit the SCIM Connection settings.
2. Enter the Base URL you copied from the Cloud Identity Engine app in Step 3.b as the SCIM connector base URL.
3. Enter userName as the Unique identifier field for users.
4. Select the Supported provisioning actions you want to use to allow users to authenticate.
5. Select HTTP Header as the Authentication Mode.
6. Enter the Bearer Token you copied from the Cloud Identity Engine app in Step 3.c and Save your changes.
7. Select Provisioning and Edit the settings.
8. Select at least one of the options for Provisioning to App and Save your changes.
Assign the users and groups that you want to use the Okta SCIM Connector app integration.
1. Select AssignmentsAssignAssign to People to assign the users you want to use Okta SCIM.
2. Select the users for whom you want to Assign this app.
3. Review and edit the information as needed then click Save and Go Back.
4. Verify the users you added display on the Assignments tab.
5. Select Push Groups then Find groups by name to assign groups to this app.
6. Select the group you want to assign to this app then click Save and add another. Repeat as needed until all the groups you want to assign to this app have been selected then click Save.
Verify the configuration.
1. Select Reports System Log.
2. Verify that log results display to confirm that the SCIM Connector can successfully communicate with your directory. If no results populate, the SCIM Connector cannot communicate with your directory; verify the configuration and make any needed changes, then check the log results again.
  
  Verify that this step is complete before continuing to the next step. Until the log results display in the Okta Administrator Dashboard, a full sync cannot successfully complete for the directory in the Cloud Identity Engine app.
3. In the Cloud Identity Engine app, select Directories and verify that the timestamp displays in the SCIM Change Timestamp column for the Okta SCIM directory.
4. Select Actions Full Sync for the directory.
  
  The configuration is not complete until you have successfully completed a full sync for the entire directory.

Remove Google Directory

Configure a CIE Directory