Learn About the Cloud Identity Engine
Table of Contents
Expand all | Collapse all
- Get Help
Learn About the Cloud Identity Engine
Learn about the components of the Cloud Identity Engine.
The Cloud Identity Engine provides both user identification
and user authentication for a centralized cloud-based solution in
on-premise, cloud-based, or hybrid network environments. The Cloud
Identity Engine allows you to write security policy based on users
and groups, not IP addresses, and helps secure your assets by enforcing
behavior-based security actions. It also provides the flexibility
to adapt to changing security needs and users by making it simpler
to configure an identity source or provider in a single unified
source of user identity, allowing scalability as needs change. By
continually syncing the information from your directories, whether
they are on-premise, cloud-based, or hybrid, ensures that your user
information is accurate and up to date and policy enforcement continues
based on the mappings even if the cloud identity provider is temporarily
unavailable.
To provide user, group, and computer information for policy or
event context, Palo Alto Networks cloud-based applications and services
need access to your directory information. The Cloud Identity Engine,
a secure cloud-based infrastructure, provides Palo Alto Networks
apps and services with read-only access to your directory information
for user visibility and policy enforcement. The components of the
Cloud Identity Engine deployment vary based on whether the Cloud Identity
Engine is accessing an on-premises directory (such as Active Directory)
or a cloud-based directory (such as Azure Active Directory).
The authentication component of the Cloud Identity Engine allows
you to configure a profile for a SAML 2.0-based identity provider
(IdP) that authenticates users by redirecting their access requests
through the IdP before granting access. You can also configure a
client certificate for user authentication. When you configure an
Authentication policy and the Authentication Portal on the Palo
Alto Networks firewall, users must log in with their credentials
before they can access the resource.
On-Premises Directory Configuration
To use the Cloud Identity Engine with an on-premises
Active Directory or OpenLDAP-based directory, you need:
- to install the Cloud Identity agent on a Windows server (the agent host) and configure it to connect to your on-premises directory and the Cloud Identity Engine.
- access to the Cloud Identity Engine app on the hub so you can manage your Cloud Identity Engine tenants and Cloud Identity agents.
To collect attributes from your on-premises directory, install the Cloud Identity agent
on an on-premises Windows server that meets the Cloud Identity Engine system
requirements. The agent collects the attributes initially
during tenant setup and
then once every five minutes (based on the system time on the agent
host), syncing them with the Cloud Identity Engine so that your
directory information is available to your Palo Alto Networks apps
and services.
To collect attributes from your on-premises directory and synchronize
them with the Cloud Identity Engine:
- The agent can use TLS 1.1, TLS 1.2, or TLS 1.3 to communicate with the Cloud Identity Engine to synchronize your attributes so that your directory information is available to your associated Cortex apps and services.
- The agent host can use TLS 1.1, TLS 1.2, or TLS 1.3 to communicate with the on-premises directory to collect the attributes.
We strongly recommend that you configure TLS 1.3 for all
Cloud Identity Engine traffic. Version 1.7.0 and later versions
of the agent use the latest TLS version by default.
To ensure secure transmission for the attributes, the data is
encrypted end-to-end during transmission to the Cloud Identity Engine
and on the agent host. The Cloud Identity Engine locally encrypts
all agent data and immediately removes the encrypted local data
after transmission is complete.
To set up the Cloud Identity Engine, you will need to log in
the Cloud Identity Engine app on the hub to generate a certificate
to Authenticate the Agent and the Cloud Identity Engine and configure
other aspects of the Cloud Identity Engine.
Cloud-Based Directory Configuration
To use the Cloud Identity Engine with a cloud-based
directory such as Azure Active Directory (Azure AD), you must grant
permission for the Cloud Identity Engine to access your directory
when you Configure a Cloud-Based Directory for the
Cloud Identity Engine. You do not need to install or configure a
Cloud Identity agent to collect attributes from a cloud-based directory.
User Authentication with Identity Providers
To authenticate users, configure a profile for a SAML
2.0-based identity provider (IdP) such as Google, Azure, Okta, PingOne,
or PingFederate in the Cloud Identity Engine. On the firewall, configure
an Authentication policy that requires users to log in using Authentication
Portal to access resources such as the internet. When the firewall
receives this type of request, it redirects the request to the Cloud
Identity Engine, which reroutes the request to the IdP you configure. After
the user logs in successfully, the firewall grants access to the
resource. The Cloud Identity Engine provides flexibility as a user
identity management solution by allowing you to configure multiple
types of IdPs and making it easier to scale them as needs change.
User Authentication with a Client Certificate
You can configure a client certificate using a certificate
authority (CA) chain in addition to SAML 2.0 authentication or as
an alternate method for user authentication. CIE supports grouping
multiple CA chains in a certificate type, which can be used to authenticate
client certificates issued by multiple CA chains.