Generate certificates to authenticate communication between
the Cloud Identity agent and the Cloud Identity Engine.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
|  | The Cloud Identity Engine service is free; however, the enforcement points that use directory data may require specific licenses. |
The Cloud Identity Engine and the Cloud Identity
agent use a certificate for mutual authentication over Transport Layer
Security (TLS): the agent authenticates the service and the service
authenticates the agent. If the agent presents a valid certificate,
the agent connects to the Cloud Identity Engine; if the certificate
is not valid (for example, expired, revoked, or issued for a different
tenant), the Cloud Identity Engine rejects the connection.
To
authenticate the Cloud Identity Engine and the Cloud Identity agent,
generate a Cloud Identity Engine certificate using the Cloud Identity
Engine app and import it into the Local Computer certificate store
(not the current user's store) on the Windows server that hosts the
agent. Each certificate expires three months from its issuance date.
Cloud Identity agent version 1.5.0 and later automatically renews
the certificate before it expires; earlier agent versions require
you to generate and import a new certificate before the expiration date.
Each agent must use a unique certificate to authenticate
with the service: a certificate is bound to the tenant it was generated
in and can be associated with only one agent. Generate certificates on
an as-needed basis, do not reuse a certificate for other services, and
do not share certificates between agents. You can have up to 5 unused
certificates and up to 100 total certificates per tenant.
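The import and validity checks described in the two paragraphs above, as a PowerShell example added by the editor rather than code from Palo Alto Networks or the Cloud Identity agent. It assumes the certificate generated in the Cloud Identity Engine app was downloaded as a PFX (PKCS#12) file that includes the private key; the `$PfxPath` and `$PfxPassword` parameters, the 14-day warning threshold, and the assumption that re-generated certificates for the same agent share a subject name are placeholders, not documented behaviour.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original page or the Cloud Identity agent.
# Assumed inputs: path to the PFX downloaded from the Cloud Identity Engine app
# and its export password. Run on the Windows server that hosts the agent.
param(
    [Parameter(Mandatory)] [string]       $PfxPath,            # assumed: downloaded PFX
    [Parameter(Mandatory)] [securestring] $PfxPassword,        # assumed: PFX password
    [int]                                 $RenewWarningDays = 14 # assumed threshold
)

# The agent runs as a service, so the certificate must live in the Local
# Computer "Personal" store, not in the importing user's store.
$storePath = 'Cert:\LocalMachine\My'

# 1. Import the certificate together with its private key.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation $storePath `
                              -Password $PfxPassword

# 2. Without the private key the agent cannot complete the mutual-TLS
#    handshake, so fail loudly rather than leaving a useless entry behind.
if (-not $cert.HasPrivateKey) {
    Remove-Item -Path (Join-Path $storePath $cert.Thumbprint)
    throw "Certificate $($cert.Thumbprint) has no private key; re-export the PFX with the key and import again."
}

# 3. Check the validity window against the three-month lifetime the service issues.
$now      = Get-Date
$daysLeft = [math]::Ceiling(($cert.NotAfter - $now).TotalDays)

if ($cert.NotAfter -lt $now) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter); generate a new one in the Cloud Identity Engine app."
}
if ($daysLeft -le $RenewWarningDays) {
    Write-Warning ("Certificate expires in $daysLeft day(s). Agents older than 1.5.0 " +
                   "do not renew automatically; schedule a manual replacement.")
}

# 4. Hygiene: flag older certificates that appear to belong to the same agent
#    (assumed: re-generated certificates share the subject name), because each
#    agent should present exactly one current certificate.
$stale = Get-ChildItem -Path $storePath |
    Where-Object { $_.Subject -eq $cert.Subject -and $_.Thumbprint -ne $cert.Thumbprint }
foreach ($old in $stale) {
    Write-Warning "Older certificate with the same subject is still in the store: $($old.Thumbprint) (expires $($old.NotAfter))"
}

# Summary for the change record.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    Store      = $storePath
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter
    DaysLeft   = $daysLeft
}
```

Run it once per agent host with that host's own PFX; never copy one PFX to a second server, since the service associates each certificate with a single agent and will reject a second agent presenting it.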