Learn About the Cloud Identity Engine
Table of Contents
Expand all | Collapse all
- Get Help
Learn About the Cloud Identity Engine
Learn about the components of the Cloud Identity Engine.
The Cloud Identity Engine provides both user identification and user authentication for a
centralized cloud-based solution in on-premise, cloud-based, or hybrid network
environments. The Cloud Identity Engine allows you to write security policy based on
users and groups, not IP addresses, and helps secure your assets by enforcing
behavior-based security actions.
It also provides the flexibility to adapt to changing security needs and users by making
it simpler to configure an identity source or provider in a single unified source of
user identity, allowing scalability as needs change.
By continually syncing the information from your directories, whether they are
on-premise, cloud-based, or hybrid, ensures that your user information is accurate and
up to date and policy enforcement continues based on the mappings even if the cloud
identity provider is temporarily unavailable.
To provide user, group, and computer information for policy or event context, Palo Alto Networks
cloud-based applications and services need access to your directory information. The
Cloud Identity Engine, a secure cloud-based infrastructure, provides Palo Alto Networks
apps and services with read-only access to your directory information for user
visibility and policy enforcement.
The components of the Cloud Identity Engine deployment vary based on whether the Cloud
Identity Engine is accessing an on-premises directory (such as Active Directory) or a
cloud-based directory (such as Azure Active Directory).
The authentication component of the Cloud Identity Engine allows you to configure a profile for a
SAML 2.0-compliant identity provider (IdP) that authenticates users by redirecting their
access requests through the IdP before granting access. You can also configure a client
certificate for user authentication. When you configure an Authentication policy and the
Authentication Portal on the Palo Alto Networks firewall, users must log in with their
credentials before they can access the resource.
On-Premises Directory Configuration
To use the Cloud Identity Engine with an on-premises
Active Directory or OpenLDAP-based directory, you need:
- to install the Cloud Identity agent on a Windows server (the agent host) and configure it to connect to your on-premises directory and the Cloud Identity Engine.
- access to the Cloud Identity Engine app on the hub so you can manage your Cloud Identity Engine tenants and Cloud Identity agents.
To collect attributes from your on-premises directory, install the Cloud Identity agent on an
on-premises Windows server that meets the Cloud Identity Engine system requirements.
The agent collects the attributes initially during tenant setup and then once
every five minutes (based on the system time on the agent host) if a sync is not
already in progress, syncing them with the Cloud Identity Engine so that your
directory information is available to your Palo Alto Networks apps and services.
To collect attributes from your on-premises directory and synchronize
them with the Cloud Identity Engine:
- The agent can use TLS 1.1, TLS 1.2, or TLS 1.3 to communicate with the Cloud Identity Engine to synchronize your attributes so that your directory information is available to your associated Cortex apps and services.
- The agent host can use TLS 1.1, TLS 1.2, or TLS 1.3 to communicate with the on-premises directory to collect the attributes.
We strongly recommend that you configure TLS 1.3 for all
Cloud Identity Engine traffic. Version 1.7.0 and later versions
of the agent use the latest TLS version by default.
To ensure secure transmission for the attributes, the data is
encrypted end-to-end during transmission to the Cloud Identity Engine
and on the agent host. The Cloud Identity Engine locally encrypts
all agent data and immediately removes the encrypted local data
after transmission is complete.
To set up the Cloud Identity Engine, you will need to log in
the Cloud Identity Engine app on the hub to generate a certificate
to Authenticate the Agent and the Cloud Identity Engine and configure
other aspects of the Cloud Identity Engine.
Cloud-Based Directory Configuration
To use the Cloud Identity Engine with a cloud-based
directory such as Azure Active Directory (Azure AD), you must grant
permission for the Cloud Identity Engine to access your directory
when you Configure a Cloud-Based Directory for the
Cloud Identity Engine. You do not need to install or configure a
Cloud Identity agent to collect attributes from a cloud-based directory.
User Authentication with Identity Providers
To authenticate users, configure a profile for a SAML 2.0-compliant identity provider (IdP) such
as Google, Azure, Okta, PingOne, or PingFederate in the Cloud Identity Engine.
On the firewall, configure an Authentication policy that requires users to log in
using Authentication Portal to access resources such as the internet. When the
firewall receives this type of request, it redirects the request to the Cloud
Identity Engine, which reroutes the request to the IdP you configure.
After the user logs in successfully, the firewall grants access to the resource. The
Cloud Identity Engine provides flexibility as a user identity management solution by
allowing you to configure multiple types of IdPs and making it easier to scale them
as needs change.
User Authentication with a Client Certificate
You can configure a client certificate using a certificate
authority (CA) chain in addition to SAML 2.0 authentication or as
an alternate method for user authentication. CIE supports grouping
multiple CA chains in a certificate type, which can be used to authenticate
client certificates issued by multiple CA chains.