To provide user, group, device, organizational unit, and container information for policy or event context, Palo Alto Networks cloud-based applications and services may need to access directory information. The Cloud Identity Engine collects attributes from your directory and stores them in a secure, cloud-based infrastructure that allows your Palo Alto Networks cloud-based applications and services to access the directory information.

When you configure an authentication type (either a client certificate or a SAML 2.0-based identity provider) in the Cloud Identity Engine, you can configure the Palo Alto Networks firewall to use that authentication type for user authentication in an Authentication policy rule. Configuring both user identification and user authentication using the Cloud Identity Engine provides a single-source identity solution that can adapt as your security needs change.