Configure an OIDC Authentication Type

Learn how to configure OpenID Connect (OIDC) as an authentication type for the Cloud Identity Engine.
OpenID Connect (OIDC) provides additional flexibility for your Cloud Identity Engine deployment. By supporting single sign-on (SSO) across multiple applications, OIDC simplifies authentication for users: they log in once with the OIDC provider and can then access multiple resources without logging in repeatedly.
The OIDC authentication type supports the Prisma Access Browser. It does not support GlobalProtect or Authentication Portal.
To configure an OpenID Connect (OIDC) provider as an authentication type in the Cloud Identity Engine, complete the following steps for your identity provider (IdP) type.
When you configure OIDC as an authentication type, the Cloud Identity Engine selects the username attribute from the identity token in the following order. If the current attribute is not present, the Cloud Identity Engine falls back to the next attribute in the list:
  1. email
  2. preferred_username
  3. username
  4. sub
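The precedence list above, written out as code so that you can see which attribute a given token resolves to. This is an added example, not Cloud Identity Engine code; the function name resolve_username and the sample claim sets are constructed for illustration, and the treatment of an empty string as "not found" is an assumption about what counts as a missing attribute.

```python
"""Resolve the username from OIDC ID-token claims using the documented order.

Added example (not Cloud Identity Engine code). Precedence: email, then
preferred_username, then username, then sub. The claim sets below are
constructed samples, not real tokens.
"""

USERNAME_ATTRIBUTE_ORDER = ("email", "preferred_username", "username", "sub")


def resolve_username(claims: dict) -> tuple:
    """Return (attribute_used, value) for the first populated attribute.

    A claim that is absent, None, or an empty/whitespace-only string is
    treated as "not found" (assumption) and the next attribute is tried.
    `sub` is mandatory in an ID token, so a token with no usable attribute
    at all is malformed and raises ValueError.
    """
    for attr in USERNAME_ATTRIBUTE_ORDER:
        value = claims.get(attr)
        if isinstance(value, str) and value.strip():
            return attr, value.strip()
    raise ValueError("ID token carries none of %s" % (USERNAME_ATTRIBUTE_ORDER,))


# Constructed sample claim sets (not real tokens).
SAMPLE_CLAIMS = {
    # email present, so it wins even though preferred_username is also set
    "with_email": {
        "sub": "00u1abcd2EFGHijkl345",
        "email": "alice@example.com",
        "preferred_username": "alice@example.com",
    },
    # IdP did not release an email claim; preferred_username is next
    "preferred_only": {
        "sub": "4f1e9c2a-7b3d-4e5f-8a6b-1c2d3e4f5a6b",
        "preferred_username": "bob",
    },
    # empty email string is treated as missing; falls through to username
    "empty_email": {
        "sub": "abc123",
        "email": "",
        "username": "carol",
    },
    # nothing but the mandatory subject identifier
    "sub_only": {"sub": "abc123"},
}


def resolve_all(samples: dict) -> dict:
    """Resolve every sample; shows which attribute each token shape yields."""
    return {name: resolve_username(c) for name, c in samples.items()}


if __name__ == "__main__":
    for name, (attr, value) in resolve_all(SAMPLE_CLAIMS).items():
        print(f"{name:15s} -> {attr} = {value}")
```

Because email takes precedence, the username the Cloud Identity Engine records for a user changes if the IdP changes that user's email address, whereas sub is the stable identifier; keep that in mind when policy or logs key on the username.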

Configure OIDC for Azure

  1. Set up OIDC as an authentication type in the Cloud Identity Engine.
    1. Select Authentication > Authentication Types > Add New Authentication Type.
    2. Set Up the OIDC authentication type.
    3. Enter a unique and descriptive Authentication Type Name for your OIDC configuration.
    4. Copy the Callback URL/Redirect URL.
  2. Configure Azure to use OIDC with the Cloud Identity Engine.
    1. Log in to the Azure account you want to use to connect to the Cloud Identity Engine.
    2. Click App registration.
    3. Click New registration.
    4. Enter a Name for the application.
    5. Select Accounts in this organizational directory only.
    6. For the Redirect URI, enter the Callback URL/Redirect URL you copied in step 1.4 (the domain of your Cloud Identity Engine instance with oidc/callback appended). The value must match the Cloud Identity Engine callback URL exactly; Azure rejects authorization requests whose redirect_uri does not match a registered URI.
    7. Click Register to submit the configuration.
    8. Click Add user/group and add the users or groups that you want to be able to sign in using this OIDC authentication type (for example, service accounts).
  3. Obtain the information you need to complete your OIDC Azure configuration.
    1. Select the application you just created then click Overview.
    2. Copy the Display name and Application (client) ID and save them in a secure location.
    3. Click Add a certificate or secret.
    4. Select Client secrets then click New client secret.
    5. Select when the secret Expires then click Add.
       Do not allow the client secret to expire. If the client secret is not up to date, users cannot log in using OIDC. Record the expiration date and, before it arrives, create a new secret in Azure and update the Client Secret in the Cloud Identity Engine.
    6. Copy the Value of the client secret and save it in a secure location.
       Because the secret displays only once, be sure to copy the information before closing or leaving the page. Otherwise, you must create a new secret.
    7. (Optional) Select Overview > Endpoints and Copy the OpenID Connect metadata document URL up to /2.0 (the well-known/openid-configuration section of the URL isn't necessary).
  4. Complete and submit the OIDC configuration.
    1. Enter the Display name you copied from Azure in step 3.2 as the Client Name.
    2. Enter the Application (client) ID you copied from Azure in step 3.2 as the Client ID.
    3. Enter the Value you copied from Azure in step 3.6 as the Client Secret.
    4. Enter https://login.microsoftonline.com/organizations/2.0/ as the Issuer URL.
    5. (Optional) Enter the Endpoint URL you copied in step 3.7.
    6. Click Test Connection and log in to confirm that the Cloud Identity Engine can reach your Azure IdP using OIDC.
       If you did not enter the Endpoint URL in the previous step, the Cloud Identity Engine populates it automatically after a successful test.
    7. After confirming that the connection is successful, Submit the configuration.
       You can now use OIDC as an authentication type when you Set Up an Authentication Profile.
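Step 3.5 above warns that an expired client secret stops every OIDC login, so the check worth scheduling is how many days remain on the secret the Cloud Identity Engine is using. The following is an added example, not Cloud Identity Engine or Microsoft code. Its input is a constructed list shaped like the passwordCredentials objects Microsoft Graph returns for an application (keyId, displayName, endDateTime); the function names are this example's own. In practice you would feed it the credentials from a Graph query or from `az ad app credential list --id <app-id>`.

```python
"""Flag Azure app-registration client secrets that are expired or about to expire.

Added example (not Cloud Identity Engine or Microsoft code). SAMPLE_CREDENTIALS
is a constructed list in the shape of Microsoft Graph passwordCredentials.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: two secrets on one app registration.
SAMPLE_CREDENTIALS = [
    {"keyId": "11111111-1111-1111-1111-111111111111",
     "displayName": "cie-oidc (old)",
     "endDateTime": "2024-01-31T00:00:00Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222",
     "displayName": "cie-oidc",
     "endDateTime": "2024-06-15T00:00:00Z"},
]


def parse_graph_time(value: str) -> datetime:
    """Graph timestamps are ISO 8601 with a Z suffix; return a tz-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_secrets(credentials: list, now: datetime, warn_days: int = 30) -> list:
    """Return [(displayName, days_left, status)] sorted soonest-expiring first.

    status is "expired", "expiring" (ends within warn_days) or "ok".
    days_left is negative for a secret that has already expired.
    """
    rows = []
    for cred in credentials:
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now).days
        if end <= now:
            status = "expired"
        elif end - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        rows.append((cred["displayName"], days_left, status))
    return sorted(rows, key=lambda r: r[1])


def needs_rotation(credentials: list, now: datetime, warn_days: int = 30) -> bool:
    """True unless at least one secret is still comfortably valid.

    An app whose secrets are all expired or expiring needs a new secret created
    in Azure and the Client Secret updated in the Cloud Identity Engine now.
    """
    return not any(s == "ok" for _, _, s in classify_secrets(credentials, now, warn_days))


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, days, status in classify_secrets(SAMPLE_CREDENTIALS, now):
        print(f"{status:8s} {days:5d} days  {name}")
    print("rotate now" if needs_rotation(SAMPLE_CREDENTIALS, now) else "ok")
```

Run it from a scheduled job against the real credential list and alert on needs_rotation; a 30-day window leaves time to create the new secret, update the Cloud Identity Engine, and Test Connection before the old value stops working.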

Configure OIDC for Okta

  1. Set up OIDC as an authentication type in the Cloud Identity Engine.
    1. Select Authentication > Authentication Types > Add New Authentication Type.
    2. Set Up the OIDC authentication type.
    3. Enter a unique and descriptive Authentication Type Name for your OIDC configuration.
    4. Copy the Callback URL/Redirect URL.
  2. Configure Okta to use OIDC with the Cloud Identity Engine.
    1. Sign in to Okta.
    2. Select Applications > Applications.
    3. Click Create App Integration.
    4. Select OIDC - OpenID Connect as the Sign-in method and Web Application as the Application Type then click Next.
    5. Enter an App integration name.
    6. Click Add URI and enter the Callback URL/Redirect URL you copied in step 1.4. The URI must match the Cloud Identity Engine callback URL exactly.
    7. Select the Controlled Access you want to allow then click Save.
  3. Obtain the information you need to complete your OIDC Okta configuration.
    1. Copy the Client ID.
    2. Copy the Secret.
       The secret for Okta does not expire.
  4. Complete and submit the OIDC configuration.
    1. Enter the App integration name you entered in Okta in step 2.5 as the Client Name.
    2. Enter the Client ID you copied from Okta in step 3.1.
    3. Enter the Secret you copied from Okta in step 3.2 as the Client Secret.
    4. Enter the domain name URL for your Okta IdP as the Issuer URL.
    5. (Optional) If you have your Endpoint URL, enter it here. If not, continue to the next step (the Cloud Identity Engine populates the Endpoint URL automatically after you successfully test the connection).
    6. Click Test Connection and log in to confirm that the Cloud Identity Engine can reach your Okta IdP using OIDC.
    7. After confirming that the connection is successful, Submit the configuration.
       You can now use OIDC as an authentication type when you Set Up an Authentication Profile.
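Both the Azure and Okta procedures above take an Issuer URL and an optional Endpoint URL, and the Azure steps tell you to cut the metadata document URL at /2.0 because the well-known part is not needed. The following added example (not Cloud Identity Engine code) shows the relationship between the two values and the check a practitioner wants when Test Connection fails: the issuer you configure must equal the issuer value published in the IdP's OpenID Connect metadata document (OpenID Connect Discovery 1.0, section 4.3), with a trailing slash being a common cause of mismatch. The metadata document is constructed, and the function names are this example's own.

```python
"""Derive the OpenID Connect metadata URL from an Issuer URL and check that the
metadata document agrees with the configured issuer.

Added example (not Cloud Identity Engine code). SAMPLE_METADATA is a constructed
discovery document; in practice it is fetched over HTTPS from metadata_url(issuer).
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def issuer_from_metadata_url(url: str) -> str:
    """Strip the well-known suffix (if present) and any trailing slash.

    Accepts both forms an admin might paste: the full metadata document URL
    or the URL already cut before /.well-known/openid-configuration.
    """
    url = url.strip()
    if url.endswith(WELL_KNOWN):
        url = url[: -len(WELL_KNOWN)]
    return url.rstrip("/")


def metadata_url(issuer: str) -> str:
    """Discovery URL for an issuer (OpenID Connect Discovery 1.0, section 4.1)."""
    return issuer_from_metadata_url(issuer) + WELL_KNOWN


def check_metadata(configured_issuer: str, document: dict) -> list:
    """Return a list of problems; an empty list means the document is usable.

    Checks that the issuer is https, that the document's issuer matches the
    configured value, that the endpoints the authorization code flow needs
    are present and https, and that the IdP advertises the code flow.
    """
    problems = []
    issuer = issuer_from_metadata_url(configured_issuer)
    if urlsplit(issuer).scheme != "https":
        problems.append("issuer must use https")
    published = document.get("issuer")
    if published is None:
        problems.append("metadata document has no issuer field")
    elif published.rstrip("/") != issuer:
        problems.append(f"issuer mismatch: configured {issuer!r}, published {published!r}")
    for name in REQUIRED_ENDPOINTS:
        if not str(document.get(name, "")).startswith("https://"):
            problems.append(f"missing or non-https {name}")
    if "code" not in document.get("response_types_supported", []):
        problems.append("IdP does not advertise the authorization code flow")
    return problems


# Constructed metadata document in the shape of an IdP discovery response
# (illustrative values, not copied from any real tenant or org).
SAMPLE_METADATA = json.loads("""
{
  "issuer": "https://idp.example.com/v2.0",
  "authorization_endpoint": "https://idp.example.com/v2.0/authorize",
  "token_endpoint": "https://idp.example.com/v2.0/token",
  "jwks_uri": "https://idp.example.com/discovery/keys",
  "response_types_supported": ["code", "id_token", "code id_token"]
}
""")

if __name__ == "__main__":
    pasted = "https://idp.example.com/v2.0/.well-known/openid-configuration"
    print(issuer_from_metadata_url(pasted))
    print(metadata_url("https://idp.example.com/v2.0/"))
    print(check_metadata("https://idp.example.com/v2.0/", SAMPLE_METADATA))
    print(check_metadata("https://idp.example.com/common", SAMPLE_METADATA))
```

If check_metadata reports an issuer mismatch, fix the Issuer URL in the Cloud Identity Engine to the published value rather than the other way round: a relying party that accepts tokens whose iss claim differs from its configured issuer is open to token substitution from another tenant or org.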

Configure OIDC for PingOne

  1. Set up OIDC as an authentication type in the Cloud Identity Engine.
    1. Select Authentication > Authentication Types > Add New Authentication Type.
    2. Set Up the OIDC authentication type.
    3. Enter a unique and descriptive Authentication Type Name for your OIDC configuration.
    4. Copy the Callback URL/Redirect URL.
  2. Configure PingOne to use OIDC with the Cloud Identity Engine.
    1. Sign On to your PingOne account.
    2. Select Applications.
    3. Select OIDC then click Add Application.
    4. Select Web App then click Next.
    5. Enter an Application Name, a Short Description for the app, and select the app Category, then click Next.
  3. Continue the OIDC PingOne configuration.
    1. Click Add Secret then click Next.
    2. Enter the Start SSO URL and the Redirect URIs (the Callback URL/Redirect URL you copied in step 1.4) then click Next.
    3. Click Next.
       No configuration changes are necessary for this step.
    4. Add all the scopes in the List of Scopes to the Connected Scopes then click Next.
    5. Select Email (Work) as the sub attribute then click Next.
    6. Select all the Available Groups and add them to the Added Groups then click Done.
  4. Obtain the information you need to complete your OIDC PingOne configuration and enter it in your Cloud Identity Engine configuration.
    1. Copy the following information from your configuration and save it in a secure location:
       • The Application Name you entered in step 2.5.
       • The Client ID and Client Secrets you added in step 3.1.
         Do not allow the client secret to expire. If the client secret is not up to date, users cannot log in using OIDC.
       • The Issuer URL for the application.
    2. Enter the Application Name you entered in PingOne in step 2.5 as the Client Name.
    3. Enter the Client ID you created in PingOne in step 3.1.
    4. Enter the Client Secrets you created in PingOne in step 3.1 as the Client Secret.
    5. Enter the Issuer URL for your PingOne IdP that you copied in step 4.1 as the Issuer URL.
    6. (Optional) If you have your Endpoint URL, enter it here. If not, continue to the next step (the Cloud Identity Engine populates the Endpoint URL automatically after you successfully test the connection).
    7. Click Test Connection and log in to confirm that the Cloud Identity Engine can reach your PingOne IdP using OIDC.
    8. After confirming that the connection is successful, Submit the configuration.
       You can now use OIDC as an authentication type when you Set Up an Authentication Profile.

Configure OIDC for Google

  1. Set up OIDC as an authentication type in the Cloud Identity Engine.
    1. Select Authentication > Authentication Types > Add New Authentication Type.
    2. Set Up the OIDC authentication type.
    3. Enter a unique and descriptive Authentication Type Name for your OIDC configuration.
    4. Copy the Callback URL/Redirect URL.
  2. Configure Google to use OIDC with the Cloud Identity Engine.
    1. Sign in to the Google Cloud console with the account you want to use: select your account, Enter your password, then click Next.
    2. Create a new project or select an existing project.
    3. Enable the Identity and Access Management (IAM) API (if it's not already enabled).
    4. Select APIs & Services > OAuth consent screen then configure the OAuth consent screen.
    5. Create your OAuth 2.0 credentials, adding the Callback URL/Redirect URL you copied in step 1.4 under Authorized redirect URIs, then copy the Client ID and Client Secret and store them in a secure location.
       Do not allow the client secret to expire. If the client secret is not up to date, users cannot log in using OIDC.
  3. Obtain the information you need to complete your OIDC Google configuration and enter it in your Cloud Identity Engine configuration.
    1. Copy the following information from your configuration and save it in a secure location:
       • The Name you entered in step 2.4.
       • The Client ID and Client secret you copied in step 2.5 (if you did not do so in the previous step).
    2. Enter the application name you entered in step 2.4 as the Client Name.
    3. Enter the Client ID you copied in step 2.5.
    4. Enter the Client Secret you copied in step 2.5.
    5. Enter https://accounts.google.com as the Issuer URL. This is Google's OpenID Connect issuer; the Authorized redirect URI from step 1.4 identifies your Cloud Identity Engine callback, not the IdP, and is not valid in this field.
    6. (Optional) If you have your Endpoint URL, enter it here. If not, continue to the next step (the Cloud Identity Engine populates the Endpoint URL automatically after you successfully test the connection).
    7. Click Test Connection and log in to confirm that the Cloud Identity Engine can reach your Google IdP using OIDC.
    8. After confirming that the connection is successful, Submit the configuration.
       You can now use OIDC as an authentication type when you Set Up an Authentication Profile.
