Configure SCIM Connector for the Cloud Identity Engine
Where Can I Use This?
  • NGFW
  • Prisma Access
What Do I Need?
The Cloud Identity Engine service is free; however, the enforcement points that use directory data may require specific licenses.
As part of the Cloud Identity Engine, Directory Sync connects to your directory to obtain user and group information for user identification and enforcement for group-based and user-based Security policy.
Configuring the System for Cross-domain Identity Management (SCIM) protocol for Directory Sync in the Cloud Identity Engine lets you control which attributes Directory Sync collects from your directory. You add or remove attributes in your directory portal to choose which attributes your identity provider shares with the Cloud Identity Engine for user and group identification.
The SCIM gallery app does not support the userType attribute.
Configuring your directory to use the SCIM Connector with the Cloud Identity Engine requires completing all necessary steps in both the Cloud Identity Engine and in the portal for your specific SCIM client. If you encounter any issues with the SCIM Connector setup, learn how to Troubleshoot Cloud Identity Engine Issues.
  1. Set up SCIM Connector in the Cloud Identity Engine app.
    1. Log in to the Cloud Identity Engine.
    2. Select Directory Sync > Directories, and then click Add New Directory.
    3. On the Set Up Directory page, select Cloud Directory > Set Up > SCIM.
    4. Select a SCIM Client:
      • Entra ID
      • PingFederate
      • Okta
      • CyberArk
      • PingOne
      • SASE 5G
      • Others
  2. (Specific SCIM clients) In the portal for your SCIM client, obtain the directory details required to configure the SCIM Connector (see the client-specific sections below for where to find them).
  3. On the Configure Directory Sync for SCIM page, enter the directory details, obtain the Base URL, and specify the Authorization Method.
    1. For Directory ID, enter the specified value from your directory portal or create a unique ID (maximum 40 alphanumeric characters, including hyphens):
      • For Entra ID, use the Tenant ID.
      • For Ping, use the System ID.
      • For Okta, use the Directory Name.
        For Okta, Palo Alto Networks recommends using the Directory Name, but you can enter any name.
      • For CyberArk, enter CyberArkSCIM or a similar ID.
      • For SASE 5G, use the Directory ID.
    2. For the Directory Name, enter the specified value from your directory portal or create a unique name (maximum 50 lowercase alphanumeric characters including periods, hyphens, and underscores):
      • For Entra ID, use the Primary Domain.
      • For Ping, use the User.
      • For Okta, use the Okta Domain.
      • For CyberArk, enter cyberarkdirectoryscim or a similar name.
      • For SASE 5G, use the Primary Domain Name.
    3. Copy the Base URL and save it in a secure location.
      You need this URL to configure provisioning settings in your directory portal.
    4. Click Generate Token, and then copy and save the Bearer Token in a secure location.
      You need to enter this token in the directory portal for your SCIM client.
      If you submit your changes in the Cloud Identity Engine before saving the token, you must generate a new token and enter the token in the directory portal.
    5. Click Submit.
      You must Submit the configuration in the Cloud Identity Engine before continuing the configuration in the IdP. After you finish the IdP configuration, return to the Cloud Identity Engine and complete a full sync of the entire directory to complete the process.
  4. Acknowledge the postconfiguration requirements.
    Select the check box, click OK, and then return to the portal for your SCIM client to complete the postconfiguration steps described in the section for that client below.
    After completing the steps in both the Cloud Identity Engine app and your directory portal, you can use the SCIM Connector to collect attributes from your directory.
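The Base URL and Bearer Token you save above are everything the identity provider needs to call the SCIM endpoint, which is why a token saved before you click Submit is useless and why Test Connection fails until the Cloud Identity Engine side is submitted. The following added example (not code from Palo Alto Networks or from the Cloud Identity Engine) models that exchange in Python against an in-memory SCIM 2.0 service provider, so you can see what the identity provider's connection test and provisioning run actually send: an Authorization: Bearer header on every request, userName as the unique user identifier (the value the Okta custom app asks for), a 409 uniqueness error on a duplicate, and a PATCH-based group membership update (what PingFederate's Use patch for group updates setting turns on). The base URL, the tokens, the user and group names are all constructed; the real service's resource paths and error bodies are not documented on this page and are assumed here to follow RFC 7644.

```python
import secrets
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(status, detail, scim_type=None):
    body = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimServiceProvider:
    """In-memory stand-in for the service behind the Base URL (constructed for this example)."""

    def __init__(self, bearer_token):
        self._token = bearer_token
        self.users, self.groups = {}, {}  # resource id -> resource

    def _authorized(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        # constant-time compare: a plain == leaks token bytes through timing
        return scheme == "Bearer" and token.isascii() and secrets.compare_digest(token, self._token)

    def handle(self, method, path, headers, body=None):
        """Dispatch one SCIM request; returns (http_status, json_body)."""
        if not self._authorized(headers):
            return scim_error(401, "invalid or missing bearer token")
        parts, body = [p for p in path.split("/") if p], body or {}
        if (method, parts) == ("POST", ["Users"]):
            return self._create_user(body)
        if (method, parts) == ("POST", ["Groups"]):
            return self._create_group(body)
        if method == "PATCH" and len(parts) == 2 and parts[0] == "Groups":
            return self._patch_group(parts[1], body)
        return scim_error(404, f"no route for {method} {path}")

    def _create_user(self, body):
        name = body.get("userName")
        if not name:
            return scim_error(400, "userName is required", "invalidValue")
        # userName is the unique identifier, and RFC 7643 defines it with caseExact=false
        if any(u["userName"].casefold() == name.casefold() for u in self.users.values()):
            return scim_error(409, f"userName {name} already exists", "uniqueness")
        uid = str(uuid.uuid4())
        self.users[uid] = {"schemas": [SCIM_USER], "id": uid, "userName": name, "active": body.get("active", True)}
        return 201, self.users[uid]

    def _create_group(self, body):
        if not body.get("displayName"):
            return scim_error(400, "displayName is required", "invalidValue")
        gid = str(uuid.uuid4())
        self.groups[gid] = {"schemas": [SCIM_GROUP], "id": gid, "displayName": body["displayName"], "members": []}
        return 201, self.groups[gid]

    def _patch_group(self, gid, body):
        group = self.groups.get(gid)
        if group is None:
            return scim_error(404, f"group {gid} not found")
        if SCIM_PATCH not in body.get("schemas", []):
            return scim_error(400, "PatchOp schema required", "invalidSyntax")
        for op in body.get("Operations", []):
            ids = [m["value"] for m in op.get("value", [])]
            if op.get("path") != "members" or any(i not in self.users for i in ids):
                return scim_error(400, "only known users under the members path are accepted", "invalidValue")
            present = {m["value"] for m in group["members"]}
            if op.get("op", "").lower() == "add":
                group["members"] += [{"value": i} for i in ids if i not in present]
            elif op.get("op", "").lower() == "remove":
                group["members"] = [m for m in group["members"] if m["value"] not in ids]
            else:
                return scim_error(400, f"unsupported op {op.get('op')!r}", "invalidValue")
        return 200, group


def idp_headers(bearer_token):
    """What the IdP sends once you paste the Bearer Token as Secret Token / API Token / Access Token."""
    return {"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/scim+json"}


def run_exchange():
    """Provision one user and one group the way an IdP does; returns the outcomes for inspection."""
    token = secrets.token_urlsafe(32)  # stands in for the token that Generate Token produced
    provider = ScimServiceProvider(token)
    base = "https://scim.example.invalid/v2"  # stands in for the Base URL copied from the CIE

    def call(headers, method, resource, body=None):  # in-process transport instead of HTTPS
        url = base + resource
        return provider.handle(method, url[len(base):], headers, body)

    good, stale = idp_headers(token), idp_headers("token-saved-before-resubmitting")
    out = {"stale_token": call(stale, "POST", "/Users", {"userName": "x"})[0]}
    status, user = call(good, "POST", "/Users", {"schemas": [SCIM_USER], "userName": "alice@example.com"})
    out["create_user"], out["user_id"] = status, user["id"]
    out["duplicate_user"] = call(good, "POST", "/Users", {"schemas": [SCIM_USER], "userName": "Alice@Example.com"})[0]
    status, group = call(good, "POST", "/Groups", {"schemas": [SCIM_GROUP], "displayName": "Finance"})
    out["create_group"] = status
    status, patched = call(good, "PATCH", f"/Groups/{group['id']}", {"schemas": [SCIM_PATCH],
        "Operations": [{"op": "add", "path": "members", "value": [{"value": user["id"]}]}]})
    out["patch_group"], out["members"] = status, [m["value"] for m in patched["members"]]
    return out
```

Run `run_exchange()` and inspect the returned dictionary: the stale token is rejected with 401 before any resource is touched, the second user differing only in case is rejected with 409 because userName is the identity key, and the group PATCH returns the updated member list. The token comparison uses `secrets.compare_digest` deliberately; a service that compares bearer tokens with `==` can leak them byte by byte through response timing.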

Configure Microsoft Entra ID for SCIM Connector

Complete the required steps in the Microsoft Entra admin center to complete the SCIM Connector configuration. For more information, refer to the Microsoft Entra ID SCIM Connector documentation.
  1. Add the Palo Alto Networks SCIM Connector app to your Microsoft Entra tenant, and then obtain the necessary information to configure SCIM for Directory Sync.
    Microsoft Entra ID SCIM provisioning requires that the group displayName attribute be unique. If more than one group has the same displayName value, the initial sync isn't successful, and the data for the groups with duplicate names might only be partially retrievable. If you don't use the duplicate groups in Security policy, you can proceed. If you use the duplicate group names in Security policy, you must resolve the issue by modifying the displayName attribute in Microsoft Entra ID so that each value is unique.
    1. Select Overview (if not already selected), copy the Tenant ID, and save it in a secure location.
    2. Copy the Primary domain and save it in a secure location.
    3. Select Applications > Enterprise applications, and then click New application.
    4. In the Microsoft Entra gallery, Search for Palo Alto Networks SCIM Connector.
    5. Select Palo Alto Networks SCIM Connector, enter a Name, and then Create the application.
      If you encounter an error when creating the application, refer to Troubleshoot Cloud Identity Engine Issues.
    6. Return to the Cloud Identity Engine app to continue the SCIM Connector setup.
      You must complete the setup in the Cloud Identity Engine before you can successfully Test Connection in the Microsoft Entra admin center.
    7. After you submit the SCIM Connector configuration in the Cloud Identity Engine app, continue to the next step.
  2. Configure Microsoft Entra ID to use SCIM Connector to connect to the Cloud Identity Engine.
    1. Select Applications > Enterprise applications, and then select the Palo Alto Networks SCIM Connector application.
    2. Select Provisioning, and then click Get Started.
    3. Set the Provisioning Mode to Automatic.
    4. In the Admin Credentials section, enter the Base URL and Bearer Token that you saved from the Cloud Identity Engine in the fields as indicated in the following table:
      Copy from Cloud Identity Engine             Enter in Microsoft Entra admin center
      Base URL                                    Tenant URL
      Authorization Method: Bearer token          Secret Token
    5. Save your changes.
    6. (Optional but recommended) Click Test Connection to confirm that Microsoft Entra ID can communicate with the Cloud Identity Engine app.
      You must complete the setup in the Cloud Identity Engine before you can successfully Test Connection in the Microsoft Entra admin center.
  3. Manage the users, groups, and attributes that Microsoft Entra ID provisions to the Cloud Identity Engine app.
    If you choose to sync only specific groups and those groups contain subgroups, add the parent group first, and then add each child group. If you do not manually add the child groups of a parent group, the Cloud Identity Engine syncs only the parent group. You do not need to add users manually, because the Cloud Identity Engine syncs the users in each group; you only need to add the child groups of any parent group for which you want both the parent and its child groups synced.
    1. In the Microsoft Entra admin center, select Provisioning > Edit Provisioning.
    2. Select Mappings, and then select either Provision Microsoft Entra ID Groups or Provision Microsoft Entra ID Users.
      For optimal performance, Palo Alto Networks strongly recommends provisioning only the groups that you want to use with the SCIM Connector. If you're using Prisma® Access with the Cloud Identity Engine, make sure that you provision every group that you use in your Security policy so that Prisma Access applies the policy correctly.
    3. Delete any attributes you do not want to provide to the Cloud Identity Engine app.
    4. (Optional) Click Add New Mapping to create a new attribute mapping.
    5. (Optional) In the Settings section, set Scope to Sync all users and groups.
      By default, the Cloud Identity Engine only synchronizes the users and groups you assign to this app (Sync only assigned users and groups) in the Microsoft Entra admin center.
    6. In the Settings section, set the Provisioning Status to On.
      This enables the Microsoft Entra provisioning service for Palo Alto Networks SCIM Connector.
    7. Save your changes.
  4. Allow Microsoft Entra ID to provide the information to the Cloud Identity Engine, and verify that the Cloud Identity Engine uses SCIM to obtain the Microsoft Entra ID information.
    1. In the Microsoft Entra admin center, verify you’ve completed all the provisioning steps in the Microsoft Entra ID SCIM Connector documentation.
    2. Select the name of the app that you configured in the first step, and then select Manage > Provisioning > Start Provisioning to begin providing attributes to the Cloud Identity Engine.
    3. Wait until the sync is complete (Initial cycle completed), and then View provisioning details.
    4. Verify that the synchronization was successful by confirming the timestamps (Completed and Steady state achieved) and verifying that the number of Users and Groups displays.
      If the number of users and groups does not display, refer to Troubleshoot Cloud Identity Engine Issues.
    5. In the Cloud Identity Engine app, verify that the SCIM Change Timestamp for your Entra ID SCIM directory populates on the Directories page.
    6. Select Actions > Full Sync to complete a full synchronization of Microsoft Entra ID users and groups with Directory Sync for the Cloud Identity Engine.
      You must successfully complete a full sync in the Cloud Identity Engine app to complete the SCIM Connector setup.
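Two of the conditions above are cheap to check before you switch Provisioning Status to On: group displayName values that collide, and child groups that were not assigned to the app alongside their parent. The following Python script is an added example, not part of the Palo Alto Networks or Microsoft documentation, that audits a group listing for both. It treats names that differ only in case or surrounding whitespace as a clash, which is the conservative reading given that SCIM displayName matching is not case-exact, and it separates duplicates that are referenced in Security policy (which block you) from those that are merely untidy. SAMPLE_GROUPS is constructed data shaped like a flattened Microsoft Graph groups listing with members included (the @odata.type value is how Graph distinguishes a nested group from a user member); feeding it a real export from your tenant is an assumption about your tooling, not something this page documents.

```python
GROUP_TYPE = "#microsoft.graph.group"  # how Graph marks a member that is itself a group


def _normalize(name):
    # Names that differ only in case or stray whitespace are treated as a clash: SCIM
    # displayName matching is not case-exact, so the conservative check is the safe one.
    return " ".join(name.split()).casefold()


def duplicate_display_names(groups):
    """Return {normalized displayName: [group ids]} for every name used by more than one group."""
    by_name = {}
    for g in groups:
        by_name.setdefault(_normalize(g["displayName"]), []).append(g["id"])
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}


def unassigned_child_groups(groups, assigned_ids):
    """For each assigned group, list nested child groups (any depth) that are not themselves assigned."""
    by_id = {g["id"]: g for g in groups}
    assigned, missing = set(assigned_ids), {}
    for root in assigned_ids:
        stack, seen = [root], set()
        while stack:
            gid = stack.pop()
            if gid in seen:
                continue  # guards against membership cycles
            seen.add(gid)
            for member in by_id.get(gid, {}).get("members", []):
                if member.get("@odata.type") != GROUP_TYPE:
                    continue  # users come along with their group; only nested groups need assigning
                if member["id"] not in assigned:
                    missing.setdefault(root, []).append(member["id"])
                stack.append(member["id"])
    return missing


def audit(groups, assigned_ids, policy_group_names):
    """Split duplicate names into those used in Security policy (blocking) and the rest."""
    dups = duplicate_display_names(groups)
    policy = {_normalize(n) for n in policy_group_names}
    return {
        "blocking_duplicates": {n: ids for n, ids in dups.items() if n in policy},
        "other_duplicates": {n: ids for n, ids in dups.items() if n not in policy},
        "unassigned_children": unassigned_child_groups(groups, assigned_ids),
    }


# Constructed sample shaped like a flattened Graph groups listing; not real tenant data.
SAMPLE_GROUPS = [
    {"id": "g-finance", "displayName": "Finance", "members": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-alice"},
        {"@odata.type": GROUP_TYPE, "id": "g-finance-eu"}]},
    {"id": "g-finance-eu", "displayName": "Finance EU", "members": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-bob"}]},
    {"id": "g-contractors", "displayName": "Contractors", "members": []},
    {"id": "g-contractors-2", "displayName": "contractors", "members": []},
    {"id": "g-lab", "displayName": "Lab", "members": []},
    {"id": "g-lab-old", "displayName": "Lab ", "members": []},
]


def demo():
    """Audit the sample as if Finance and Contractors were assigned to the app and used in policy."""
    return audit(SAMPLE_GROUPS, ["g-finance", "g-contractors"], ["Finance", "Contractors"])


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the sample, the Contractors clash is reported as blocking because that name is used in policy, the Lab clash is reported separately, and Finance EU is flagged because it is nested under the assigned Finance group but was never assigned itself, which is exactly the case where the Cloud Identity Engine would sync only the parent.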

Configure PingFederate for SCIM Connector

Complete the following steps to configure the Cloud Identity Engine to use the SCIM Connector to connect to your PingFederate server. Be sure to complete all the steps in the PingFederate SCIM Connector documentation as well.
  1. Set up the directory for SCIM Connector.
    1. Log in to the PingFederate portal and select Data Stores then click Add New Data Store.
    2. Enter a Data Store Name and select Directory (LDAP) as the Type.
    3. Enter the Hostname(s) (including the port number).
    4. Enter a valid email address as the User DN.
    5. Click Test Connection to verify the connection is successful.
      If the connection test isn't successful, verify that the hostname and email address are valid. Some directories, such as PingDirectory, format the User DN as cn=administrator. In this case, select Use LDAPS and use a different port number, such as 1636, instead of the default port number of 389.
    6. Copy the System ID, remove the LDAP- prefix, and then paste the edited value in the Cloud Identity Engine app as the Directory ID.
      You must remove the LDAP- that precedes the System ID value before entering the value as the Directory ID in the Cloud Identity Engine app.
    7. Copy the User value, edit it, and then paste the edited value in the Cloud Identity Engine app as the Directory Name.
      For the Directory Name, use only the domain name that follows the @ in the User column (for example, the part after Administrator@).
  2. Provision the SCIM connection.
    1. Select SP Connections > Create Connection.
    2. Select Do not use a template for this connection.
    3. Select Outbound provisioning.
    4. Select SCIM Connector.
      If the SCIM Connector option isn’t available, confirm that you completed all substeps in the previous step correctly.
    5. Select General Info and enter a Partner’s Entity ID (Connection ID) and a Connection Name.
    6. (Optional but recommended) To decrease the time required for the initial sync, select Outbound Provisioning > Configure Provisioning > Manage Channels > Channel Configuration > Channel Info and increase the value for Max Threads.
      The recommended range is 1–5; for optimal sync time, Palo Alto Networks recommends a Max Threads value of 5.
  3. Specify the information from the Cloud Identity Engine for the SCIM connection provisioning.
    1. Select Outbound Provisioning > Configure Provisioning.
    2. Select the SP Connections Target tab and enter the Base URL that you copied from the Cloud Identity Engine.
    3. Select Applications > SP Connections > SP Connection > Configure Channels > Manage Channels.
    4. Select OAuth 2 Bearer Token as the Authentication Method and enter the Bearer Token that you copied from the Cloud Identity Engine as the Access Token.
    5. Select Common Name as the Group Name Source.
    6. Select Use patch for group updates.
  4. Configure the channels for the SCIM connection.
    1. Select Configure Channels and Create a channel.
    2. Enter a Name for the channel and select the directory you want to configure in the Cloud Identity Engine as the Active Data Store.
    3. Select Source Location and enter the Base DN for your directory.
    4. Enter the Group DN for the source of the user and group mappings or create a filter that specifies which entries to use. For example, Group DN:CN=Chicago,OU=Illinois,DC=example,DC=com syncs all users and groups in the Chicago group.
    5. If you use a Group DN and your directory contains nested groups, select Nested Search.
      Retention of nested group hierarchies from PingFederate servers through the SCIM Connector isn’t available. If your directory contains nested groups and you want to sync all of the child users and groups, you must select the method you want to use to ensure the Cloud Identity Engine correctly collects all users and groups in the parent group.
      • Add the parent group as a member of a different group and use that container group as the Group DN. For example, configure the parent group in a directory with the name root in an OU with the name location and use the value CN=root,OU=location,DC=paloaltonetworks,DC=com for the Group DN.
      • Add a filter that includes all members of the parent group (for example, the LDAP filter (|(objectClass=user)(objectClass=group)) includes all users and groups under the Base DN DC=paloaltonetworks,DC=com).
    6. Select Attribute Mapping and Edit the userName* to userPrincipalName.
    7. Save the connection and continue the configuration in the Cloud Identity Engine.
  5. Complete the postdeployment steps to configure the PingFederate server for the SCIM Connector.
    1. Verify that you’ve completed all of the provisioning steps.
    2. In the PingFederate portal, either commit a directory change or run the following command: pingfederate/bin/provmgr.sh --reset-all -c [channel number]
      To determine the channel number, use the ./provmgr.sh --show-channels command.
    3. In the Cloud Identity Engine, verify that the app populates the SCIM Change Timestamp, and then complete a full sync (Actions > Full Sync).

Configure Okta Directory for SCIM Connector

You must also complete the required steps in the Okta Administrator Dashboard to complete the SCIM Connector configuration. For more information, refer to the documentation for the Okta Directory.
The SCIM Connector for Okta directory supports the following capabilities:
  • Create users
  • Update user attributes
  • Deactivate users
  • Import users
  • Import groups
  • Sync password
  • Group push
  1. Log in to your Okta Administrator Dashboard and add the integration using the Okta Integration Network.
    1. Log in to the Okta Administrator Dashboard, select Applications, and click Browse App Catalog.
    2. Enter Palo Alto Networks SCIM as the search query.
    3. Select the app and click Add Integration.
    4. Optionally change any settings, such as the Application Label, then click Done.
    5. Copy your Okta domain name.
  2. Configure the Okta integration to communicate with the Cloud Identity Engine.
    1. Select Provisioning.
    2. Click Configure API Integration.
    3. Select Enable API integration.
    4. Enter the Base URL that you copied from the Cloud Identity Engine app as the Base URL.
    5. Enter the Bearer Token that you copied from the Cloud Identity Engine app as the API Token.
    6. Click Test API Credentials to verify that the Okta Directory can successfully communicate with the Palo Alto Networks SCIM integration, and then click Save.
      If the test is not successful, verify that you successfully submitted your configuration in the Cloud Identity Engine app before configuring the integration.
  3. Assign the Okta integration to the users you want to include in your Security policy.
    1. Edit the settings to assign Provisioning to App.
    2. Enable all the options and Save your changes.
    3. Select the Push Groups tab then click the Find Groups button to Find groups by name.
    4. Type the name of a group to Push groups by name.
    5. Select the group and Save your changes.
  4. Verify the configuration.
    1. In the Cloud Identity Engine app, select Directories and verify that the timestamp displays in the SCIM Change Timestamp column for the Okta SCIM directory.
    2. Select Actions > Full Sync for the directory.
      The configuration isn’t complete until you’ve successfully completed a full sync for the entire directory.

Configure a Custom Okta App Integration for SCIM Connector

Palo Alto Networks strongly recommends using the Okta gallery app to Configure Okta Directory for SCIM Connector. If you want to use a custom Okta app integration, complete the following steps.
  1. Log in to your Okta Administrator Dashboard and Create an app integration.
    1. Select SAML 2.0 as the Sign-in method and click Next.
    2. Enter a unique App Name and optionally enter any other information (such as an App Logo or App Visibility) then click Next.
    3. Enter the Single-sign on URL where you want to redirect users to sign in and the Audience URI (SP Entity ID) then click Next.
    4. Select the option that best reflects your use of the SCIM Connector app integration and click Finish.
  2. Configure the Okta SCIM Connector app integration.
    1. Select General (if it is not already selected) and Edit the App Settings.
    2. Select SCIM as the Provisioning method and Save your changes.
  3. Configure provisioning for the Okta SCIM Connector app integration.
    1. Select Provisioning and Edit the SCIM Connection settings.
    2. Enter the Base URL that you copied from the Cloud Identity Engine app as the SCIM connector base URL.
    3. Enter userName as the Unique identifier field for users.
    4. Select the Supported provisioning actions you want to use to allow users to authenticate.
    5. Select HTTP Header as the Authentication Mode.
    6. Enter the Bearer Token that you copied from the Cloud Identity Engine app, and then Save your changes.
    7. Select Provisioning and Edit the settings.
    8. Select at least one of the options for Provisioning to App and Save your changes.
  4. Assign the users and groups that you want to use the Okta SCIM Connector app integration.
    1. Select Assignments > Assign > Assign to People to assign the users you want to use Okta SCIM.
    2. Select the users for whom you want to Assign this app.
    3. Review and edit the information as needed then click Save and Go Back.
    4. Verify the users you added display on the Assignments tab.
    5. Select Push Groups then Find groups by name to assign groups to this app.
    6. Select the group you want to assign to this app then click Save and add another. Repeat as needed until all the groups you want to assign to this app have been selected then click Save.
  5. Verify the configuration.
    1. Select Reports > System Log.
    2. Verify that log results display to confirm that the SCIM Connector can successfully communicate with your directory. If no results populate, the SCIM Connector cannot communicate with your directory; verify the configuration and make any needed changes, then check the log results again.
      Verify that this step is complete before continuing to the next step. Until the log results display in the Okta Administrator Dashboard, a full sync cannot successfully complete for the directory in the Cloud Identity Engine app.
    3. In the Cloud Identity Engine app, select Directories and verify that the timestamp displays in the SCIM Change Timestamp column for the Okta SCIM directory.
    4. Select Actions > Full Sync for the directory.
      The configuration is not complete until you have successfully completed a full sync for the entire directory.

Configure SASE 5G for SCIM Connector

To configure a Prisma SASE 5G to share directory attributes with the Cloud Identity Engine using the SCIM connector, complete the following steps.
  1. Create the Prisma SASE 5G configuration.
    For more information, refer to step 9 in the Prisma SASE 5G documentation.
    1. Select Directories > Add New Directory > Cloud Directory > Set Up > SCIM.
    2. Select SASE 5G as the Client Type.
    3. Enter the Directory ID of the SASE 5G directory.
    4. Enter the primary domain name of the SASE 5G directory as the Directory Name.
    5. Copy the Base URL and save it in a secure location.
    6. For the Authorization Method, click Generate Token.
    7. Copy the Bearer Token and store it in a secure location.
    8. Submit the configuration.
  2. Create the SCIM connector configuration for Prisma SASE 5G.
    1. On the Strata Multitenant Cloud Manager, select Manage > 5G Integrated SASE > Service Provider > TenantName > CIE Management (where TenantName is the name of your tenant).
    2. Enter the CIE Directory Name.
      The directory name must match the primary domain name from step 1.d.
    3. Enter the bearer token from step 1.g as the CIE Token.
    4. Complete the remaining steps to add mobile user identities and identity groups as described in the Prisma SASE 5G documentation.
    5. Commit the changes.

Configure CyberArk for SCIM Connector

Enable SCIM provisioning and map CyberArk Identity portal roles to groups or roles defined in the Cloud Identity Engine.
  1. Log in to the CyberArk Identity Administration portal.
  2. Select Apps & Widgets > Web Apps, and then click Add Web Apps.
  3. Search for Palo Alto Networks CIE.
  4. Add the application, and then click Yes to confirm.
  5. Configure general provisioning settings.
    1. On the sidebar, click Provisioning, and then Enable provisioning for this application.
    2. Click Yes to acknowledge the SCIM provisioning prompt.
    3. Select a provisioning mode:
      • Preview Mode (changes will not be committed)—Use this mode to test application provisioning or configuration changes. The identity platform performs a test run to show you the changes it would make but does not save the changes.
      • Live Mode—Use this to apply application provisioning to your production environment. The identity platform performs a provisioning run and saves the changes to both the identity platform and the application’s account information.
    4. For SCIM Service URL, enter the Base URL from the Cloud Identity Engine.
    5. For Authorization Type, select Authorization Header.
    6. For Header Type, select Bearer Token, and then enter the Bearer Token from the Cloud Identity Engine.
    7. To test the connection and save the provisioning details, click Verify.
      After CyberArk verifies the connection to the SCIM Connector, additional settings display.
  6. Define how CyberArk Identity handles automatic provisioning of accounts.
    CyberArk identifies duplicate accounts by matching attributes in the source directory to unique Cloud Identity Engine user attributes. This is typically the user's email address or the Active Directory userPrincipalName.
    Review the provisioning script for the Cloud Identity Engine to see the fields that CyberArk Identity uses to match user accounts.
    1. Configure Sync Options:
      • Sync (overwrite) users to target application when existing users are found with the same principal name—Updates account information in the Cloud Identity Engine. This includes removing data if the target account has a value for a user attribute that is not available from CyberArk Identity.
      • Do not sync (no overwrite) users to target application when existing users are found with the same principal name—Keeps the target user account as is; CyberArk Identity skips and does not update duplicate user accounts in the Cloud Identity Engine.
      • Do not de-provision (deactivate or delete) users in target application when the users are removed from mapped role—The user's account in the Cloud Identity Engine is not de-provisioned when a role membership change that would trigger a de-provisioning event occurs.
      • Sync groups from Active Directory to target application (this option overrides any destination group selection in Role Mappings)—Provisions groups and group members from the local directory to the Cloud Identity Engine. You may filter AD groups through the provisioning script using the reject function.
      • Sync roles from CyberArk Identity to target application—Provisions roles from CyberArk Identity to the Cloud Identity Engine. You can filter roles using the Role Filter.
    2. (Optional) Configure User Deprovisioning Options:
      • Disable user—Deactivates the user account in the Cloud Identity Engine but retains the account data.
      • Delete user—Deletes the user account and all its data in the Cloud Identity Engine.
      • Deprovision (deactivate or delete) users in this application when they are disabled in the source directory—If a user account is disabled in CyberArk Identity, CyberArk performs the specified deprovisioning action in the Cloud Identity Engine.
  7. (Optional) Configure role mappings to define the users CyberArk provisions to the Cloud Identity Engine.
    CyberArk Identity runs a synchronization automatically whenever you update the provisioning role mapping. You can also run a preview synchronization or a real synchronization, if desired.
    To provision Active Directory user group membership, see Provision Active Directory Groups with SCIM.
    To learn the different ways that CyberArk Identity synchronizes provisioned accounts, see Synchronize provisioned accounts.
    1. In the Role Mappings section, click Add.
    2. Select a Role.
    3. Click Add, and then select a Destination Group or enter a new group name.
      A Destination Group named for the selected CyberArk role automatically populates in the list of groups available from the drop-down.
      • If you select that Destination Group, a group with that name is created in the Cloud Identity Engine.
      • If the Destination Group already exists in the Cloud Identity Engine, provisioned users that are members of the selected role are added as members of the existing Destination Group.
      • If you enter a new group name, the newly created Destination Group is also created in the Cloud Identity Engine.
    4. To save the role mappings and return to the Provisioning settings, click Done.
    5. Save the provisioning details.
  8. Synchronize provisioned accounts.
    1. Select Settings > Users > Outbound Provisioning.
    2. (Optional) Enter an Email address for report delivery.
    3. (Optional) Configure Reporting Options:
      A report is always sent if an error occurs during synchronization.
      • Send report on full sync—Select this option to receive a synchronization report even if no errors occur. If you clear this option, you receive a report only if errors occur.
      • Send report on individual sync—Select this option to receive a separate report for each synchronized user. Otherwise, CyberArk sends you a consolidated user report.
      • Include debug trace in the report—Select this option to receive more detailed information in your report. The additional details are intended for debugging purposes only.
    4. In the Synchronization section, for Provisioning Enabled Applications, select Palo Alto Networks CIE, and then click Start Sync.
      A message prompts you for confirmation.
    5. (Optional) To re-synchronize all objects instead of only changed objects, select bypass caching and re-sync all objects.
      Select this option if so many users or objects (such as groups, contacts, or resources) changed that manually re-syncing each object would be impractical. Bypassing caching and re-syncing all objects increases synchronization time.
    6. Click Yes to continue.
      A message informs you that the synchronization has begun.
    7. Click OK.