New Features Introduced in August 2024

Read more about the new features introduced for the Cloud Identity Engine in August 2024, including support for authentication using OpenID Connect (OIDC).
The following table provides a snapshot of new features introduced for the Cloud Identity Engine app in August 2024. Refer to the Cloud Identity Engine documentation for more information on how to use the Cloud Identity Engine.
Feature / Description
Support for South Korea (KR) Region
The Cloud Identity Engine now supports access in the South Korea (KR) region for customers who must store the data that the Cloud Identity Engine synchronizes from their directories in that region to ensure compliance with their local data regulation requirements.
To maintain compatibility, your Cloud Identity Engine region must match the region you configure in any associated Palo Alto Networks apps or other app integrations.
For more information on regions, refer to Regional Data Storage Requirements in the Cloud Identity Engine System Requirements.
For more information on how the Cloud Identity Engine manages the data you allow it to access, including transfer, retention, and security, refer to the Cloud Identity Engine Solution Brief or the Cloud Identity Engine Privacy Datasheet.
Security Risk support for SentinelOne
The Cloud Identity Engine now supports Security Risk, a unified framework from Palo Alto Networks for detecting, investigating, and managing risky users and devices in your network. Because risk information comes from many sources, it can be difficult and time-consuming to collect, interpret, and act on. Security Risk for the Cloud Identity Engine collects and analyzes those sources and applies adaptive access control to high-risk users and devices.
By configuring an Azure Active Directory to provide user risk information to the Cloud Identity Engine, you can create groups of users who have exhibited risky behavior, based on the directory's dynamic risk information. You can also optionally configure SentinelOne Endpoint Detection and Response (EDR) to provide risk signals from devices in your network and add devices to your quarantine list.
Security Risk automatically enforces access restrictions by moving users or devices that exhibit risky behavior into custom, administrator-created groups. After remediation, when the users or devices no longer meet the risk criteria you define, Security Risk removes them from the group so they can once again access resources, enabling closed-loop automation and simplifying user management.
Security Risk for the Cloud Identity Engine uses the telemetry and risk scores from the risk information sources you configure to give you a single place to manage those sources.
Support for OpenID Connect (OIDC) Authentication Type
The Cloud Identity Engine now supports OpenID Connect (OIDC) as an authentication type for:
  • Azure Active Directory
  • Okta
  • PingOne
  • Google
OpenID Connect (OIDC) provides additional flexibility for your Cloud Identity Engine deployment. By supporting single sign-on (SSO) across multiple applications, OIDC simplifies authentication: users log in once with the OIDC provider and can then access multiple resources without logging in repeatedly.
When you configure OIDC as the authentication type, the Cloud Identity Engine communicates with your IdP over OIDC and collects the user attributes it needs for Security policy enforcement. Because the user's existing session with the IdP is reused, users are prompted to reauthenticate less often when accessing resources.
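The page does not describe how the Cloud Identity Engine validates what it receives from the IdP, so the following is an added example rather than the product's own code: a stdlib-only Python sketch of the checks any OIDC relying party must perform on an ID token before trusting its claims for policy (pinned algorithm, signature, issuer, audience, expiry, nonce), followed by extraction of the attributes a policy engine would key on. The issuer URL, client_id, the `groups` claim name and the HS256 shared key are constructed assumptions so the example runs offline; real IdPs sign ID tokens with asymmetric keys (RS256/ES256) published at the issuer's JWKS endpoint.

```python
"""Validate an OIDC ID token and extract policy attributes (constructed example)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example: hypothetical issuer, relying-party
# client_id and a shared HMAC key. HS256 is used only so the example runs
# offline; production IdPs use RS256/ES256 keys fetched from the JWKS URL.
ISSUER = "https://idp.example.com"
CLIENT_ID = "cie-example-client"
HMAC_KEY = b"constructed-example-key-do-not-reuse"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = HMAC_KEY) -> str:
    """Stand-in for the IdP: build a compact JWS (header.payload.signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now=None, key: bytes = HMAC_KEY) -> dict:
    """Verify alg, signature, iss, aud, exp and nonce; return the claims.
    Raises ValueError on any failure: attributes from a token that fails
    even one check must never reach policy."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWS")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose ("none", key confusion).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    # aud may be a string or a list; our client_id must be among the audiences.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def policy_attributes(claims: dict) -> dict:
    """Pull the identity attributes a policy engine would key on. The
    'groups' claim name is an assumption about the IdP's configuration."""
    return {"user": claims["sub"], "email": claims.get("email"),
            "groups": sorted(claims.get("groups", []))}


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run on constructed data: a valid token yields attributes; a token
    minted for a different client is rejected."""
    nonce = "n-0c1d2e3f"
    good = mint_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "u-1042",
                          "email": "alice@example.com", "groups": ["vpn-users", "finance"],
                          "iat": now, "exp": now + 300, "nonce": nonce})
    attrs = policy_attributes(validate_id_token(good, nonce, now=now))
    wrong_aud = mint_id_token({"iss": ISSUER, "aud": "some-other-app", "sub": "u-1042",
                               "exp": now + 300, "nonce": nonce})
    try:
        validate_id_token(wrong_aud, nonce, now=now)
        rejected = False
    except ValueError:
        rejected = True
    return {"attributes": attrs, "wrong_audience_rejected": rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audience check is the one most often skipped in practice: an ID token minted for another application at the same IdP carries a valid signature and issuer, so only `aud` distinguishes it from a token meant for you.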
Enhancements for IP-Tag Connection
Multiple improvements are now available for the IP-Tag Connection capability, including:
  • For your IP address-to-tag mappings, you can now request a Full Sync to immediately collect all mappings.
  • For AWS connection types, additional CloudFormation Template (CFT) options are now available.
  • For Google connection types, you can now optionally select your region before testing the connection.