New Features Introduced in May 2024
Learn more about the new features for the Cloud Identity Engine that have been
introduced in May 2024.
Feature: Enhancements for Cloud IP-Tag Connection

The Cloud IP-Tag Connection feature has received a number of improvements that expand its capabilities and simplify its use as a security policy enforcement method, including the following:

These enhancements further expand the deployment options for the Cloud IP-Tag Connection in your network and help keep your mappings up to date, so that security policy is enforced consistently.
Feature: Filter Azure Active Directory Groups

Zero trust policies require that security policy decisions are based not only on the IP address of a user but also on the username (user-based security policy). To enforce user-based security policy, enforcement points such as firewalls or Prisma Access need up-to-date username-to-IP address mappings. The Cloud Identity Engine collects the attributes it needs for these mappings from your directory during synchronization (a "sync"). To minimize the data the Cloud Identity Engine collects from your directory and shorten sync time, you can now specify which groups it syncs.

You define the Azure Active Directory groups to sync by the attributes you want to match on: the group name, the group's unique identifier, or both. Filtering groups this way lets you sync directory information faster and more frequently than is possible with the SCIM Connector while still limiting how much group data is collected: SCIM Connector updates are limited to once every 40 minutes, whereas a filtered group sync can run as often as every five minutes.

You can optionally add an operand to combine filters on multiple attributes, which gives you finer-grained control to select only the groups your policy needs.

Because only the groups that are relevant to your policy are collected, each sync takes less time, so your enforcement points receive mapping updates more frequently and apply your user-based security policy rules consistently. Before you shorten the sync interval, confirm that the filter still matches every group your policy references: a group the filter excludes is not synced and therefore cannot be matched in policy.
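To illustrate how attribute-based group filtering with an AND/OR operand narrows what a sync collects, here is an added Python example. It is not Cloud Identity Engine code: the rule model (match on display name, exactly or by prefix, or on the group's unique identifier; combine rules with AND or OR) is an assumption modelled on the description above, and the group list is constructed sample data. It also includes the check a practitioner wants before shortening the sync interval: fail if the filter matches no groups at all.

```python
"""Simulate which Azure Active Directory groups a filtered sync collects.

Added example, not Cloud Identity Engine code. The rule model below
(match on display name, exact or prefix, or on the group's unique
identifier; combine rules with AND or OR) is an assumption modelled on
the feature description, and SAMPLE_GROUPS is constructed test data.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Group:
    object_id: str      # Azure AD unique identifier (a GUID)
    display_name: str


@dataclass(frozen=True)
class Rule:
    attribute: str        # "name" or "id"
    value: str
    prefix: bool = False  # for "name" only: match a prefix instead of the whole name

    def matches(self, group: Group) -> bool:
        if self.attribute == "id":
            # Object IDs are GUIDs: compare case-insensitively, never by prefix.
            return group.object_id.lower() == self.value.lower()
        if self.attribute == "name":
            name, want = group.display_name.casefold(), self.value.casefold()
            return name.startswith(want) if self.prefix else name == want
        raise ValueError(f"unknown attribute {self.attribute!r}")


def select_groups(groups: Iterable[Group], rules: List[Rule], operand: str = "OR") -> List[Group]:
    """Return the groups a sync would collect under these rules.

    "OR" widens: a group is synced if any rule matches it.
    "AND" narrows: every rule must match the same group.
    In this model an empty rule list selects nothing, so the caller has
    to opt groups in explicitly rather than collecting the whole directory.
    """
    if operand not in ("AND", "OR"):
        raise ValueError(f"operand must be AND or OR, got {operand!r}")
    if not rules:
        return []
    combine = all if operand == "AND" else any
    return [g for g in groups if combine(rule.matches(g) for rule in rules)]


def check_filter(groups: Iterable[Group], rules: List[Rule], operand: str = "OR") -> dict:
    """Pre-flight check before shortening the sync interval.

    Reports how many groups the filter keeps and raises if it keeps none:
    a group the filter excludes is never synced, so policy that references
    it would silently match no users.
    """
    groups = list(groups)
    selected = select_groups(groups, rules, operand)
    if not selected:
        raise ValueError("filter matches no groups; user-based policy would have no group data")
    return {
        "selected": len(selected),
        "total": len(groups),
        "names": sorted(g.display_name for g in selected),
    }


# Constructed sample directory (not real tenant data).
SAMPLE_GROUPS = [
    Group("0f1a2b3c-4d5e-4f60-8a71-000000000001", "sec-vpn-users"),
    Group("0f1a2b3c-4d5e-4f60-8a71-000000000002", "sec-admins"),
    Group("0f1a2b3c-4d5e-4f60-8a71-000000000003", "finance-all"),
    Group("0f1a2b3c-4d5e-4f60-8a71-000000000004", "Sec-Contractors"),
    Group("0f1a2b3c-4d5e-4f60-8a71-000000000005", "all-hands"),
]

if __name__ == "__main__":
    # Sync every group whose name starts with "sec-" (case-insensitive) ...
    print(check_filter(SAMPLE_GROUPS, [Rule("name", "sec-", prefix=True)]))
    # ... or narrow with AND to the one "sec-" group that has a specific object ID.
    print(check_filter(SAMPLE_GROUPS,
                       [Rule("name", "sec-", prefix=True),
                        Rule("id", "0F1A2B3C-4D5E-4F60-8A71-000000000002")],
                       operand="AND"))
```

The AND case is the one to watch in practice: combining a name rule with an identifier rule only ever narrows the result, so if the identifier is mistyped the filter collapses to nothing, which is why the check raises instead of returning an empty list.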
Feature: "Do It Later" option for SAML 2.0-based Authentication Types

You can now defer entering the metadata for a SAML 2.0-based authentication type in the Cloud Identity Engine by selecting the "Do It Later" option. This option lets you configure and submit the authentication type without specifying the metadata for your SAML 2.0-based identity provider (IdP).

For example, if your organization requires you to submit a ticket to obtain the metadata, or if you still need to retrieve it from your IdP, "Do It Later" lets you save the rest of the configuration now and finish the authentication type once the metadata arrives, without having to recreate it.

When you have the IdP metadata, edit the configuration, select the method you want to use to provide the metadata, add the metadata, test the connection to verify that the Cloud Identity Engine can access data from the IdP, and submit the updated configuration. The authentication type is not enabled until you edit the configuration and add the metadata, so a deferred authentication type cannot be used to authenticate users until you complete it.

The "Do It Later" option gives you more flexibility when deploying an authentication type: enter the IdP information you have available, then update the configuration when the required metadata is at hand.