If user credentials in your network might be compromised, attackers
can gain access to your network resources because the firewall
can’t detect that the account has been compromised. The
Cloud Identity Engine (CIE) Security Signal Framework (SSF) Receiver
enables you to receive risk signals from third-party identity
providers such as Okta and use these signals in risk-based security
rules on your next-generation firewalls and Prisma® Access. By
configuring the SSF Receiver, you can detect events such as session
revocation or credential changes, and then automatically take
security actions like terminating sessions or enforcing multi-factor
authentication.

When you configure the SSF Okta Receiver as a Risk Connection, CIE
automatically receives risk signals that you can incorporate into your
Conditional Dynamic User Groups (CDUGs). These groups can then be
used in firewall security rules to implement adaptive access
controls. For example, when Okta detects that a user's session has
been revoked, you can automatically terminate their active network
sessions or require additional authentication.

You can monitor stream health and activity using the Cloud Identity
Engine, where you can view the status of connections, check event
logs, and troubleshoot any issues that might arise. The Cloud
Identity Engine provides clear error messages and remediation steps
when problems occur with SSF streams, ensuring you can quickly
address any connectivity issues. As your security needs evolve, you
can modify or delete streams; the system warns you about changes
that could affect existing security policy rules.

The CIE SSF Receiver feature strengthens your security posture by
adding real-time identity risk context to your security rules,
enabling you to automatically respond to potential account
compromises before attackers can exploit them. This integration
between your identity providers and network security controls
creates a more comprehensive and responsive security environment
that adapts to changing risk conditions.