Cloud Identity Engine System Requirements
Table of Contents
Expand all | Collapse all
-
- Cloud Identity Engine System Requirements
- New Features Introduced in April 2024
- New Features Introduced in March 2024
- New Features Introduced in February 2024
- New Features Introduced in January 2024
- New Features Introduced in November 2023
- New Features Introduced in October 2023
- New Features Introduced in August 2023
- New Features Introduced in July 2023
- New Features Introduced in June 2023
- New Features Introduced in May 2023
- New Features Introduced in April 2023
- New Features Introduced in January 2023
- New Features Introduced in November 2022
- New Features Introduced in October 2022
- New Features Introduced in June 2022
- New Features Introduced in May 2022
- New Features Introduced in April 2022
- New Features Introduced for the Cloud Identity Agent
- Cloud Identity Engine Known and Addressed Issues
- Get Help
Cloud Identity Engine System Requirements
System requirements for the Cloud Identity Engine.
Cloud Identity Agent Host System Requirements
You must disable SSL decryption on the firewall for traffic to or from the agent host.
- Windows Server 2012, 2012 R2, 2016, 2019, or 2022.
- 10 GB or more of hard drive space (or space equivalent to the amount of data fetched from the Active Directory).
- 8 GB or more of RAM.
- Administrator privileges to install the agent, configure it, and import the certificate you generate in the Cloud Identity Engine app.
- A service account with permissions to execute LDAP queries against the domains where you want to collect attributes.
- Access to OCSP on port 80 for server certificate verification.
- Network connectivity to the domain controller and the Cloud Identity Engine app.
- TLS 1.2 to allow traffic from the agent host to the Cloud Identity Engine app.
- The required cipher suites for the agent.
- Access to the following TCP ports from the agent host:Destination PortProtocolDescription80TCPPort the agent uses for server certificate verification.443SSLDefault port the agent uses to connect to the Cloud Identity Engine.636LDAPSPort the agent uses when you select LDAPS as the secure protocol for communication between the agent and your directory.389LDAP or LDAP with STARTTLSPort the agent uses when you select LDAP or LDAP with STARTTLS for communication between the agent and your directory.If you use LDAP without Start TLS, communication between the agent and the directory isn’t encrypted.When you configure the Active Directory in the Cloud Identity agent, don’t configure the agent to use the Global Catalog port (3268 for LDAP or 3269 for LDAPS).If you’re also using the Terminal Server (TS) agent, we recommend that you don’t install the Cloud Identity agent on the same host as the TS agent. If you must install both agents on the same host, you must change the default listening port on the TS agent.
Smart Card Requirements
The Cloud Identity
Engine, when integrated with GlobalProtect, supports certificate-based two-factor authentication using
smart cards that meet the following requirements:
- Windows 10 or later versions
- Mac OS X or later versions
- Firefox, Chrome, or Safari
If you aren’t using a smart card, you must import the certificate to the system level for
certificate-based authentication.
Supported Directories
The Cloud Identity
Engine supports the following directory types:
On-Premises
Directory System Requirements
Verify that you have enabled TLS 1.1 or TLS 1.2. Directory Sync Service requires one of these
protocols, which are disabled by default on Windows Server 2012. We strongly
recommend using TLS 1.3. If you’re using Windows Server 2012, install the
required update to enable TLS 1.1 or TLS 1.2.
An
on-premises Windows server running Active Directory or OpenLDAP.
Use one of the following:
- Windows Server 2022
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
If you select a secure LDAP protocol for the communication between the agent and the
directory, verify that protocol is enabled on your directory. For more information,
refer to Microsoft support.
Azure
Active Directory System Requirements
Administrator privileges
to the Azure Active Directory to grant the following permissions
for the Cloud Identity Engine:
- Read your organization’s directory data.
- Maintain access to the directory data.
- View user email addresses.
- Sign users in to see basic user profile information.
For more information on requirements for Azure Active Directory, refer to the Cloud Identity Engine Getting Started
guide.
Okta
Directory System Requirements
Read-Only Administrator privileges to the Okta Directory to grant the following permissions for
the Cloud Identity Engine:
- Allow the app to manage authorization servers.
- Allow the app to read information about groups and their members in your Okta organization.
- Allow the app to read information about System Log entries in your Okta organization.
- Allow the app to read any user's profile and credential information.
- Allow the app to read the currently signed-in user's profile and credential information.
For more information on requirements for Okta directory, refer to the Cloud Identity Engine Getting Started
guide.
Google
Cloud Identity
Administrator privileges to Google Cloud
Identity to grant the following permissions for the Cloud Identity
Engine:
- Admin console privileges
- Organizational Units > Read
- Users > Read
- Groups
- Services > Mobile Device Management > Manage Devices and Settings
- Services > Chrome Management > Settings > Manage Chrome OS > Devices > Manage Chrome OS Devices (read only)
- Domain Settings
- Admin API privileges
- Organization Units > Read
- Users > Read
- Groups
- Groups > Create
- Groups > Read
- Groups > Update
- Groups > Delete
- Billing Management > Billing Read
- Domain Management
For more information on requirements for Google Cloud Identity, refer to the Cloud Identity Engine Getting Started
guide.
Cloud Identity Engine App System Requirements
Access
to the Cloud Identity Engine app requires the following:
- A supported browser, such as Google Chrome (see Hub Browser Support for a list of supported browsers).
- Access to the hub with an App Administrator role.
Regional Data Storage Requirements
The
Cloud Identity Engine stores your directory data in a secure cloud-based infrastructure.
The Cloud Identity Engine is hosted on Google Cloud Platform and data
is stored in Mongo DB Atlas in the region you select. You can select
one of the following regions for each Cloud Identity Engine instance:
- United States (US)
- European Union (EU)
- United Kingdom (UK)
- Singapore (SG)
- Canada (CA)
- Japan (JP)
- Australia (AU)
- Germany (DE)
- United States - Government
- India (IN)
- Switzerland (CH)
- Spain (ES)
- Italy (IT)
- France (FR)
- China (CN)
- Poland (PL)
- Qatar (QA)
- Taiwan (TW)
- Israel (IL)
- Indonesia (ID)
- Saudi Arabia (SA)
If you authorize an application
in a region other than the region of your Cloud Identity Engine
instance, the Cloud Identity Engine transfers the directory data
that the application needs to that region. For example, if you authorize
an application running outside the EU, that application can access
Cloud Identity Engine data stored in the EU. You can associate some
applications, such as Cortex XDR, only with a Cloud Identity Engine
instance in the same region as the application. To check the status
of the Cloud Identity Engine, refer to https://status.paloaltonetworks.com.