>
    Strata Copilot
    Configure Cloud Identity Engine Authentication
    Focus
    Download PDF
    Focus
    1. Home
    2. Identity
    3. Authenticate Users with the Cloud Identity Engine
    4. Configure Cloud Identity Engine Authentication
    Download PDF
    Identity

    Configure Cloud Identity Engine Authentication

    Table of Contents

    Configure Cloud Identity Engine Authentication

    Learn about configuring authentication in Strata Cloud Manager or PAN-OS & Panorama.
    Where Can I Use This?What Do I Need?
    • NGFW
    • Prisma Access
    		The Cloud Identity Engine service is free; however, the enforcement points utilizing directory data may require specific licenses. Click here for more information.
    Configuring cloud identity authentication integrates your network security infrastructure with the Cloud Identity Engine to enforce consistent user verification. After defining your identity providers—such as Microsoft Entra ID (Azure AD), Okta, or Google—within the Cloud Identity Engine application, you must configure your management interface to utilize these definitions for network access control.
    Functioning as a central broker, the Cloud Identity Engine decouples your firewalls and SASE services from the specific details of your identity providers. Instead of configuring complex SAML connections on individual devices, you create a single Authentication Profile that points to the Cloud Identity Engine. When a user attempts to access a protected resource, your security policy directs the request to the engine, which manages the interaction with the appropriate identity provider to verify credentials and Multi-Factor Authentication (MFA) requirements.
    This abstraction allows you to update identity sources or rotate certificates in the cloud without modifying the configuration on your physical or virtual firewalls. Whether you manage your network through Stra ta Cloud Manager, Panorama, or locally on the firewall, the workflow involves referencing the cloud-based profile you created to enable seamless, policy-based authentication for your users.

    Configure Cloud Identity Engine Authentication on the Firewall or Panorama

    After you Configure the Cloud Identity Engine as a Mapping Source on the Firewall or Panorama and Set Up a SAML 2.0 Authentication Type, Set Up a Client Certificate, or both, you can create an authentication profile that redirects users to the authentication type (either a client certificate or a SAML 2.0-compliant identity provider) you configure for authentication.
    The Cloud Identity Engine supports group mapping. If you want to enable IP address-to-username mapping, configure Authentication Portal or GlobalProtect.
    If you use Panorama to manage your firewalls, configure an authentication profile in Panorama then push the authentication profile to the managed firewalls.
    Some steps in the following procedure are required only if you want to configure an authentication policy rule on the firewall using the Cloud Identity Engine and aren’t required if you want to authenticate administrators or to authenticate users with Prisma Access or GlobalProtect. These steps are indicated below.
    1. Configure an authentication profile to use the Cloud Authentication Service.
      1. On the firewall, select DeviceAuthentication Profile.
      2. Enter a Name for the authentication profile.
      3. Select Cloud Authentication Service as the Type.
      4. Select the Region of your Cloud Identity Engine tenant.
        For more information on regions, refer to Cloud Identity Engine Tenants.
      5. Select the Cloud Identity Engine Instance you want to use for this authentication profile.
        For more information on Cloud Identity Engine tenants, refer to Cloud Identity Engine Tenants.
      6. Select an authentication Profile that specifies the authentication type you want to use to authenticate users.
      7. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
      8. Select Force multi-factor authentication in cloud if your IdP is configured to require users to log in using multi-factor authentication (MFA).
    2. (Required for authentication policy rule only) Configure the Authentication Portal settings to use the authentication profile.
      1. Select DeviceUser IdentificationAuthentication Portal Settings.
      2. Edit the settings and select the Authentication Profile from the first step.
      3. Select Redirect as the Mode.
        For more information on how to configure redirect mode, refer to Configure Authentication Portal.
      4. Click OK.
    3. (Required for authentication policy rule only) Create an Authentication Enforcement object that uses the authentication profile to redirect users to log in using their authentication type.
      1. Select ObjectsAuthentication.
      2. Add an Authentication Enforcement object and enter a Name for the object.
      3. Select web-form as the Authentication Method.
      4. Select the Authentication Profile from the first step.
      5. (Optional) Enter a Message to display to users.
      6. Click OK.
    4. Create a URL list as a custom URL category to allow the necessary traffic for the Cloud Identity Engine.
      1. If you don’t need to strictly limit traffic to your region, you can enter *.apps.paloaltonetworks.com. Otherwise, determine your region-based URL using the show cloud-auth-service-regions command to display the URLs for the region associated with your Cloud Identity Engine tenant and enter each region-based URL. The following table includes the URLs for each region:
        RegionCloud Identity Engine Region-Based URL
        United Statescloud-auth.us.apps.paloaltonetworks.com
        cloud-auth-service.us.apps.paloaltonetworks.com
        Europecloud-auth.nl.apps.paloaltonetworks.com
        cloud-auth-service.nl.apps.paloaltonetworks.com
        United Kingdomcloud-auth.uk.apps.paloaltonetworks.com
        cloud-auth-service.uk.apps.paloaltonetworks.com
        Singaporecloud-auth.sg.apps.paloaltonetworks.com
        cloud-auth-service.sg.apps.paloaltonetworks.com
        Canadacloud-auth.ca.apps.paloaltonetworks.com
        cloud-auth-service.ca.apps.paloaltonetworks.com
        Japancloud-auth.jp.apps.paloaltonetworks.com
        cloud-auth-service.jp.apps.paloaltonetworks.com
        Australiacloud-auth.au.apps.paloaltonetworks.com
        cloud-auth-service.au.apps.paloaltonetworks.com
        Germanycloud-auth.de.apps.paloaltonetworks.com
        cloud-auth-service.de.apps.paloaltonetworks.com
        United States - Governmentcloud-auth-service.gov.apps.paloaltonetworks.com
        cloud-auth.gov.apps.paloaltonetworks.com
        Indiacloud-auth-service.in.apps.paloaltonetworks.com
        cloud-auth.in.apps.paloaltonetworks.com
        Switzerlandcloud-auth-service.ch.apps.paloaltonetworks.com
        cloud-auth.ch.apps.paloaltonetworks.com
        Spaincloud-auth-service.es.apps.paloaltonetworks.com
        cloud-auth.es.apps.paloaltonetworks.com
        Italycloud-auth-service.it.apps.paloaltonetworks.com
        cloud-auth.it.apps.paloaltonetworks.com
        Francecloud-auth-service.fr.apps.paloaltonetworks.com
        cloud-auth.fr.apps.paloaltonetworks.com
        Chinacloud-auth-service.cn.apps.prismaaccess.cn
        cloud-auth.cn.apps.prismaaccess.cn
        This region is only accessible in the Cloud Identity Engine within the specified region.
        Polandcloud-auth-service.pl.apps.paloaltonetworks.com
        cloud-auth.pl.apps.paloaltonetworks.com
        Qatarcloud-auth-service.qa.apps.paloaltonetworks.com
        cloud-auth.qa.apps.paloaltonetworks.com
        Taiwancloud-auth-service.tw.apps.paloaltonetworks.com
        cloud-auth.tw.apps.paloaltonetworks.com
        Israelcloud-auth-service.il.apps.paloaltonetworks.com
        cloud-auth.il.apps.paloaltonetworks.com
        Indonesiacloud-auth-service.id.apps.paloaltonetworks.com
        cloud-auth.id.apps.paloaltonetworks.com
        South Koreacloud-auth-service.kr.apps.paloaltonetworks.com
        cloud-auth.kr.apps.paloaltonetworks.com
        Saudi Arabiacloud-auth-service.sa.apps.paloaltonetworks.com
        cloud-auth.sa.apps.paloaltonetworks.com
        South Africacloud-auth-service.za.apps.paloaltonetworks.com
        cloud-auth.za.apps.paloaltonetworks.com
      2. Enter the URLs that your IdP requires for user authentication (for example, *.okta.com).
    5. Create a security policy rule to allow traffic to the authentication type and Cloud Identity Engine and select the custom URL category as the match criteria.
    6. Create a internet management profile in the trusted zone and enable response pages.
    7. (Required for authentication policy rule only) Configure an Authentication policy rule to use the Authentication Enforcement object and allow traffic to the custom URL category.
    8. (Panorama only) If you use Panorama to manage multiple firewalls, configure the Cloud Identity Engine for Panorama.
      1. Select the Cloud Identity Engine authentication method you want to use with Panorama.
        • To configure the Cloud Identity Engine in an authentication profile for managed devices, select DeviceAuthentication Profile.
        • To use the Cloud Identity Engine in an authentication profile for Panorama administrators, select PanoramaAuthentication Profile.
      2. Select PanoramaSetupManagement and Edit the Authentication Settings, then select the Authentication Profile for the Cloud Identity Engine tenant you want to associate with Panorama.
      3. Select PanoramaDevice Groups and Add or Edita device group.
      4. Select the Cloud Identity Engine and Add the Cloud Identity Engine tenant you want to associate with Panorama then click OK.
    9. Commit your changes and verify that the firewall redirects authentication requests to the Cloud Authentication Service.
      1. On the client device, use the browser to access a webpage that requires authentication.
      2. Confirm that the access request redirects to the Cloud Authentication Service.
      3. Enter your credentials to log in.

    © 2026 Palo Alto Networks, Inc. All rights reserved.