Welcome to the Cloud Identity Engine
Learn how the Cloud Identity Engine collects attributes
from your directory for use by other Palo Alto Networks applications.

Palo Alto Networks cloud-based applications and services may need access to directory
information (for example, about users, groups, devices, or other types of identifying data)
to provide policy or event context and to enforce security policy
consistently across the devices in your network. The Cloud Identity Engine collects
attributes from your directory and stores them in a secure cloud-based infrastructure
that allows your Palo Alto Networks applications and services to access the directory
information.

When you configure an authentication type (either a client certificate or a SAML 2.0-based
identity provider) in the Cloud Identity Engine, you can configure the Palo Alto
Networks firewall to use that authentication type for user authentication in an
Authentication policy rule. Configuring both user identification and user authentication
using the Cloud Identity Engine provides a single-source identity solution that can
adapt as your security needs change and users change locations or roles within your
organization.

You can also use the Cloud Identity Engine with other Palo Alto Networks products,
applications, and features, such as Device-ID, User-ID, Strata Cloud Manager, Cortex
XDR, and Prisma Access. By combining the identity and authentication capabilities of the
Cloud Identity Engine with other Palo Alto Networks products and services, you can
strengthen the security posture of your network and provide a more comprehensive view of
user activity and data.