New Features Introduced in April 2024

Want to learn more about the new features introduced for the Cloud Identity Engine in April 2024?
The following table provides a snapshot of new features introduced for the Cloud Identity Engine app in April 2024. Refer to the Cloud Identity Engine documentation for more information on how to use the Cloud Identity Engine.
Feature / Description
Support for Saudi Arabia (SA) Region
The Cloud Identity Engine now supports access in the Saudi Arabia (SA) region for customers who must store the data that the Cloud Identity Engine synchronizes from their directories in that region to ensure compliance with their local data regulation requirements.
To maintain compatibility, your Cloud Identity Engine region must be the same as the region you configure in any associated Palo Alto Networks apps or other app integrations.
For more information on regions, refer to Regional Data Storage Requirements in the Cloud Identity Engine System Requirements.
For more information on how the Cloud Identity Engine manages the data you allow it to access, including transfer, retention, and security, refer to the Cloud Identity Engine Solution Brief or the Cloud Identity Engine Privacy Datasheet.
Support for Retrieval of Attributes from Okta Subdomains
If you use the Cloud Identity Engine as a mapping source for your Palo Alto Networks firewall, you can now configure the Cloud Identity Engine to collect information from a subdomain for an Okta cloud-based directory. This capability allows you to retrieve information for groups from a subdomain as well as the primary domain for the Okta cloud-based directory for group mapping.
This capability is not enabled by default. After you enter the CLI command on the firewall to enable detection of the subdomain by the Cloud Identity Engine, the firewall stores the mapping for a subdomain in addition to the mapping for the primary domain whenever it detects a mapping from a subdomain with a configured primary domain. This lets the firewall apply the group-based security policy consistently across your network. You can also optionally disable detection and collection of information from subdomains.
After you enter the CLI command on the firewall and configure the subdomain, the group member information is available in the Cloud Identity Engine. This allows you to create and enforce group-based policy for subdomains within your Okta directory, enabling new deployment options and capabilities for using the Cloud Identity Engine with other Palo Alto Networks applications and devices.
Using the Cloud Identity Engine to retrieve Okta subdomain information for group mapping requires PAN-OS version 10.2.9.