Learn About the Cloud Identity Engine

Learn about the components of the Cloud Identity Engine.
The Cloud Identity Engine provides both user identification and user authentication for a centralized cloud-based solution in on-premises, cloud-based, or hybrid network environments. The Cloud Identity Engine allows you to write security policy based on users and groups, not IP addresses, and helps secure your assets by enforcing behavior-based security actions. It also provides the flexibility to adapt to changing security needs and users by making it simpler to configure an identity source or provider in a single unified source of user identity, allowing scalability as needs change. By continually syncing the information from your directories, whether they are on-premises, cloud-based, or hybrid, the Cloud Identity Engine ensures that your user information is accurate and up to date and that policy enforcement continues based on the mappings even if the cloud identity provider is temporarily unavailable.
To provide user, group, and computer information for policy or event context, Palo Alto Networks cloud-based applications and services need access to your directory information. The Cloud Identity Engine, a secure cloud-based infrastructure, provides Palo Alto Networks apps and services with read-only access to your directory information for user visibility and policy enforcement. The components of the Cloud Identity Engine deployment vary based on whether the Cloud Identity Engine is accessing an on-premises directory (Active Directory) or a cloud-based directory (Azure Active Directory).
The authentication component of the Cloud Identity Engine allows you to configure a profile for a SAML 2.0-based identity provider (IdP) that authenticates users by redirecting their access requests through the IdP before granting access. When you configure an Authentication policy and the Authentication Portal on the Palo Alto Networks firewall, users must log in with their credentials before they can access the resource.

On-Premises Directory Configuration

To use the Cloud Identity Engine with an on-premises Active Directory, you need to:
  • install the Cloud Identity agent on a Windows server (the agent host) and configure it to connect to your Active Directory and the Cloud Identity Engine.
  • have access to the Cloud Identity Engine app on the hub so you can manage your Cloud Identity Engine instances and Cloud Identity agents.
To collect attributes from your Active Directory, install the Cloud Identity agent on an on-premises Windows server that meets the Cloud Identity Engine system requirements. The agent collects the attributes initially during instance setup and then once every five minutes (based on the system time on the agent host), syncing them with the Cloud Identity Engine so that your directory information is available to your Palo Alto Networks apps and services.
To collect attributes from your Active Directory and synchronize them with the Cloud Identity Engine:
  • The agent can use TLS 1.1, TLS 1.2, or TLS 1.3 to communicate with the Cloud Identity Engine to synchronize your attributes so that your directory information is available to your associated Cortex apps and services.
  • The agent host can use TLS 1.1, TLS 1.2, or TLS 1.3 to communicate with the Active Directory to collect the attributes.
We strongly recommend that you configure TLS 1.3 for all Cloud Identity Engine traffic. The latest version (1.7.0) of the agent uses the latest TLS version by default.
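To confirm which protocol version a connection actually negotiated, a defender can read it from the ServerHello in a packet capture. The following is an added example, not Palo Alto Networks code: the capture names and handshake bytes are constructed samples, and `negotiated_version`, `audit` and `_server_hello` are hypothetical helper names.

```python
import struct

VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# RFC 8446: TLS 1.3 leaves legacy_version at 0x0303 and reports itself in this extension.
SUPPORTED_VERSIONS = 0x002B

def negotiated_version(record: bytes) -> int:
    """Return the protocol version a raw ServerHello record actually selected."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record carrying a ServerHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len or hs_len < 38 or 38 + body[34] > hs_len:
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(body[0:2], "big")  # legacy_version field
    pos = 35 + body[34] + 3  # skip version, random, session_id, cipher suite, compression
    if pos == len(body):
        return version       # no extensions block: TLS 1.2 or older
    ext_end = min(pos + 2 + int.from_bytes(body[pos:pos + 2], "big"), len(body))
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
        if ext_type == SUPPORTED_VERSIONS and ext_len == 2 and pos + 6 <= ext_end:
            version = int.from_bytes(body[pos + 4:pos + 6], "big")
        pos += 4 + ext_len
    return version

def audit(handshakes: dict, minimum: int = 0x0304) -> dict:
    """Map each capture name to (version name, meets-minimum flag)."""
    versions = {name: negotiated_version(rec) for name, rec in handshakes.items()}
    return {n: (VERSIONS.get(v, hex(v)), v >= minimum) for n, v in versions.items()}

def _server_hello(legacy: int, cipher: int, exts: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (sample data, not a real capture)."""
    body = legacy.to_bytes(2, "big") + bytes(32) + b"\x00" + cipher.to_bytes(2, "big") + b"\x00"
    if exts:
        body += len(exts).to_bytes(2, "big") + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs

# Constructed samples; the capture names are hypothetical labels.
SAMPLES = {
    "agent-to-cloud": _server_hello(0x0303, 0x1301, b"\x00\x2b\x00\x02\x03\x04"),
    "agent-to-directory-a": _server_hello(0x0303, 0xC02F),
    "agent-to-directory-b": _server_hello(0x0302, 0x002F),
}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

The first two samples carry the same `legacy_version` (0x0303), so a check that reads only that field would report a TLS 1.3 session as TLS 1.2.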
To ensure secure transmission for the attributes, the data is encrypted end-to-end during transmission to the Cloud Identity Engine and on the agent host. The Cloud Identity Engine locally encrypts all agent data and immediately removes the encrypted local data after transmission is complete.
To set up the Cloud Identity Engine, log in to the Cloud Identity Engine app on the hub. There you generate a certificate to Authenticate the Agent and the Cloud Identity Engine, Associate the Cloud Identity Engine with Palo Alto Networks Apps to select which apps can use your directory information, and configure other aspects of the Cloud Identity Engine.

Cloud-Based Directory Configuration

To use the Cloud Identity Engine with Azure Active Directory (Azure AD), you must grant permission for the Cloud Identity Engine to access your directory when you Configure Azure Active Directory for the Cloud Identity Engine. You do not need to install or configure a Cloud Identity agent to collect attributes from a cloud-based directory. After you configure your cloud-based directory, you can Associate the Cloud Identity Engine with Palo Alto Networks Apps.

User Authentication with Identity Providers

To authenticate users, configure a profile for a SAML 2.0-based identity provider (IdP) such as Google, Azure, Okta, PingOne, or PingFederate in the Cloud Identity Engine. On the firewall, configure an Authentication policy that requires users to log in using the Authentication Portal to access resources such as the internet. When the firewall receives this type of request, it redirects the request to the Cloud Identity Engine, which reroutes the request to the IdP you configure. After the user logs in successfully, the firewall grants access to the resource. The Cloud Identity Engine provides flexibility as a user identity management solution by allowing you to configure multiple types of IdPs and making it easier to scale them as needs change.
