Configure an OIDC Authentication Type
Learn how to configure OpenID Connect (OIDC) as an authentication type for the Cloud Identity Engine.
Where Can I Use This?
  • NGFW
  • Prisma Access
What Do I Need?
  • The Cloud Identity Engine service is free; however, the enforcement points utilizing directory data may require specific licenses.
OpenID Connect (OIDC) authentication provides a modern, flexible method for verifying user identities within the Cloud Identity Engine. Built upon the OAuth 2.0 framework, OIDC enables Single Sign-On (SSO), allowing users to access supported applications and resources after logging in just once. This approach streamlines the user experience by reducing the frequency of re-authentication prompts while ensuring that security policies are consistently enforced based on user attributes collected from the provider.
The Cloud Identity Engine supports OIDC integration with major identity providers, including Microsoft Entra ID (Azure AD), Okta, PingOne, and Google. By configuring an OIDC authentication type, you establish a direct trust relationship that allows the engine to validate credentials and retrieve identity data.
The OIDC authentication type supports the Prisma® Access Browser. It does not support GlobalProtect™ or Authentication Portal.
To configure an OpenID Connect (OIDC) provider as an authentication type in the Cloud Identity Engine, complete the following steps for your identity provider (IdP) type.
When you configure OIDC as an authentication type, the Cloud Identity Engine determines the username attribute using the following order (if an attribute isn't found, the Cloud Identity Engine attempts to match using the next attribute in the list):
  1. email
  2. preferred_username
  3. username
  4. sub
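As an added illustration (not Cloud Identity Engine code), the following Python shows how a relying party applies that attribute order to the claims of a decoded ID token, after checking that the token's issuer and signing algorithm match the configured Issuer URL and JWT algorithm. The token and issuer are constructed placeholders, and signature verification against the provider's JWKS is deliberately left out.

```python
"""Added example, not Cloud Identity Engine code: pick the username from an OIDC
ID token using the order email > preferred_username > username > sub, after
checking iss and alg against the configured Issuer URL and JWT algorithm.
Signature verification against the provider's JWKS is omitted here and must be
done before any claim is trusted."""
import base64
import json

USERNAME_CLAIM_ORDER = ("email", "preferred_username", "username", "sub")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(segment: str) -> bytes:
    # JWT segments omit padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def resolve_username(claims: dict) -> str:
    """Return the first usable claim in precedence order.
    Absent claims are skipped (as documented); treating an empty string
    as absent is this example's own assumption."""
    for claim in USERNAME_CLAIM_ORDER:
        value = claims.get(claim)
        if isinstance(value, str) and value:
            return value
    raise ValueError("no usable username claim in ID token")

def username_from_id_token(id_token: str, issuer: str, alg: str = "RS256") -> str:
    """Decode a compact JWT, check iss/alg, then resolve the username."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token must have three segments")
    header = json.loads(unb64url(parts[0]))
    payload = json.loads(unb64url(parts[1]))
    if header.get("alg") != alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if payload.get("iss") != issuer:
        raise ValueError(f"unexpected issuer {payload.get('iss')!r}")
    return resolve_username(payload)

# Constructed sample token: no email claim, so preferred_username wins.
SAMPLE_ISSUER = "https://idp.example.com"  # placeholder, not a real provider
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url(json.dumps({"iss": SAMPLE_ISSUER, "sub": "AAAA-1234",
                       "preferred_username": "alice@example.com"}).encode()),
    "",  # empty signature segment: test data only, never accept in production
])
```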

Set Up OIDC Authentication (Azure)

Learn about setting up OIDC authentication for Azure in CIE.
  1. Set up OIDC as an authentication type in the Cloud Identity Engine.
    1. Select Authentication > Authentication Types > Add New Authentication Type.
    2. Set Up the OIDC authentication type.
    3. Enter a unique and descriptive Authentication Type Name for your OIDC configuration.
    4. Copy the Callback URL / Redirect URL.
    5. Select the JWT Encryption Algorithm that you want to use.
      The default value is RS256, which is the default for most identity providers.
  2. Configure Azure to use OIDC with the Cloud Identity Engine.
    1. Log in to the Azure account you want to use to connect to the Cloud Identity Engine.
    2. Click App registration.
    3. Click New registration.
    4. Enter a Name for the application.
    5. Select Accounts in this organizational directory only.
    6. For the Redirect URI, enter the domain for your Cloud Identity Engine instance and append oidc/callback.
    7. Click Register to submit the configuration.
    8. Click Add user/group and add the users or groups you want to be able to configure OIDC as an authentication type (for example, service accounts).
  3. Obtain the information you need to complete your OIDC Azure configuration.
    1. Select the application you just created then click Overview.
    2. Copy the Display name and Application (client) ID and save them in a secure location.
    3. Click Add a certificate or secret.
    4. Select Client secrets then click New client secret.
    5. Select when the secret Expires then click Add.
      Don’t allow the client secret to expire. If the client secret isn’t up to date, users can’t log in using OIDC.
    6. Copy the Value of the client secret and save it in a secure location.
      Because the secret displays only once, be sure to copy the information before closing or leaving the page. Otherwise, you must create a new secret.
    7. (Optional) Select Overview > Endpoints and copy the OpenID Connect metadata document URL up to /2.0 (the .well-known/openid-configuration portion of the URL isn't necessary).
  4. Complete and submit the OIDC configuration.
    1. Enter the Display name you copied from Azure in step 3 as the Client Name.
    2. Enter the Client ID you copied from Azure in step 3.
    3. Enter the Value you copied from Azure in step 3 as the Client Secret.
    4. Enter https://login.microsoftonline.com/organizations/2.0/ as the Issuer URL.
    5. (Optional) Enter the Endpoint URL you copied in step 3.
    6. Click Test Connection and log in to confirm that the Cloud Identity Engine can reach your Azure IdP using OIDC.
      If you did not enter the OIDC Issuer URL in the previous step, the Cloud Identity Engine automatically populates the information.
    7. After confirming that the connection is successful, Submit the configuration.
      You can now use OIDC as an authentication type when you Set Up an Authentication Profile.
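The procedure above has you record an Issuer URL, an optional metadata (Endpoint) URL and a Redirect URI. The added example below (not Cloud Identity Engine or Microsoft code, and equally applicable to the Okta, PingOne and Google procedures) derives the redirect URI from an instance domain and checks a provider's discovery document against the configured Issuer URL and JWT algorithm. The discovery document and hostnames are constructed placeholders.

```python
"""Added example, not Cloud Identity Engine code: sanity-check an OIDC provider
configuration before submitting it. callback_url() builds the Redirect URI as
step 2.6 describes (instance domain + oidc/callback); check_discovery() compares
a .well-known/openid-configuration document with the configured Issuer URL and
JWT algorithm. SAMPLE_DOC is constructed data for a placeholder IdP."""
import json
from urllib.parse import urlparse

REQUIRED_HTTPS_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def callback_url(cie_domain: str) -> str:
    """Redirect URI to register at the IdP, derived from the CIE instance domain."""
    return cie_domain.rstrip("/") + "/oidc/callback"


def check_discovery(doc_json: str, configured_issuer: str, alg: str = "RS256") -> list:
    """Return a list of configuration problems; an empty list means the document
    is consistent with what was entered in the Cloud Identity Engine.

    OIDC Discovery requires the document's issuer to equal the issuer it was
    fetched for, so a mismatch points at the wrong (or a spoofed) metadata URL."""
    doc = json.loads(doc_json)
    problems = []
    if doc.get("issuer") != configured_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    if alg not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append(f"provider does not advertise {alg}")
    for key in REQUIRED_HTTPS_ENDPOINTS:
        url = doc.get(key, "")
        if urlparse(url).scheme != "https":
            problems.append(f"{key} is missing or not https: {url!r}")
    return problems


# Constructed sample document for a placeholder provider (not a real IdP).
SAMPLE_ISSUER = "https://idp.example.com"
SAMPLE_DOC = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})
```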

Set Up OIDC Authentication (Okta)

Learn about setting up OIDC authentication for Okta in CIE.
  1. Set up OIDC as an authentication type in the Cloud Identity Engine.
    1. Select Authentication > Authentication Types > Add New Authentication Type.
    2. Set Up the OIDC authentication type.
    3. Enter a unique and descriptive Authentication Type Name for your OIDC configuration.
    4. Copy the Callback URL / Redirect URL.
  2. Configure Okta to use OIDC with the Cloud Identity Engine.
    1. Sign in to Okta.
    2. Select Applications > Applications.
    3. Click Create App Integration.
    4. Select OIDC - OpenID Connect as the Sign-in method and Web Application as the Application Type then click Next.
    5. Enter an App integration name.
    6. Click Add URI and enter the information you copied in step 1.
    7. Select the Controlled Access you want to allow then click Save.
  3. Obtain the information you need to complete your OIDC Okta configuration.
    1. Copy the Client ID.
    2. Copy the Secret.
      The secret for Okta does not expire.
  4. Complete and submit the OIDC configuration.
    1. Enter the App integration name you entered in Okta in step 2 as the Client Name.
    2. Enter the Client ID you copied from Okta in step 3.
    3. Enter the Secret you copied from Okta in step 3 as the Client Secret.
    4. Enter the domain name URL for your Okta IdP as the Issuer URL.
    5. (Optional) If you have your Endpoint URL, enter it here. If not, continue to the next step (the Cloud Identity Engine populates the Endpoint URL automatically after you successfully test the connection).
    6. Click Test Connection and log in to confirm that the Cloud Identity Engine can reach your Okta IdP using OIDC.
      If you did not enter the OIDC Issuer URL in the previous step, the Cloud Identity Engine automatically populates the information.
    7. After confirming that the connection is successful, Submit the configuration.
      You can now use OIDC as an authentication type when you Set Up an Authentication Profile.

Set Up OIDC Authentication (PingOne)

Learn about setting up OIDC authentication for PingOne in CIE.
  1. Set up OIDC as an authentication type in the Cloud Identity Engine.
    1. Select Authentication > Authentication Types > Add New Authentication Type.
    2. Set Up the OIDC authentication type.
    3. Enter a unique and descriptive Authentication Type Name for your OIDC configuration.
    4. Copy the Callback URL / Redirect URL.
  2. Configure PingOne to use OIDC with the Cloud Identity Engine.
    1. Sign on to your PingOne account.
    2. Select Applications.
    3. Select OIDC then click Add Application.
    4. Select Web App then click Next.
    5. Enter an Application Name, a Short Description for the app, and select the app Category, then click Next.
  3. Continue the OIDC PingOne configuration.
    1. Click Add Secret then click Next.
    2. Enter the Start SSO URL and the Redirect URIs then click Next.
    3. Click Next.
      No configuration changes are necessary for this step.
    4. Add all the scopes in the List of Scopes to the Connected Scopes then click Next.
    5. Select Email (Work) as the sub attribute then click Next.
    6. Select all the Available Groups and add them to the Added Groups then click Done.
  4. Obtain the information you need to complete your OIDC PingOne configuration and enter it in your Cloud Identity Engine configuration.
    1. Copy the following information from your configuration and save it in a secure location:
      • The Application Name you entered in step 2.
      • The Client ID and Client Secrets you added in step 3.
        Don’t allow the client secret to expire. If the client secret isn’t up to date, users can’t log in using OIDC.
      • The Issuer URL.
    2. Enter the Application Name you entered in PingOne in step 2 as the Client Name.
    3. Enter the Client ID you created in PingOne in step 3.
    4. Enter the Client Secrets you created in PingOne in step 3 as the Client Secret.
    5. Enter the Issuer URL for your PingOne IdP that you copied in step 4 as the Issuer URL.
    6. (Optional) If you have your Endpoint URL, enter it here. If not, continue to the next step (the Cloud Identity Engine populates the Endpoint URL automatically after you successfully test the connection).
    7. Click Test Connection and log in to confirm that the Cloud Identity Engine can reach your PingOne IdP using OIDC.
      If you did not enter the OIDC Issuer URL in the previous step, the Cloud Identity Engine automatically populates the information.
    8. After confirming that the connection is successful, Submit the configuration.
      You can now use OIDC as an authentication type when you Set Up an Authentication Profile.

Set Up OIDC Authentication (Google)

Learn about setting up OIDC authentication for Google in CIE.
  1. Set up OIDC as an authentication type in the Cloud Identity Engine.
    1. Select Authentication > Authentication Types > Add New Authentication Type.
    2. Set Up the OIDC authentication type.
    3. Enter a unique and descriptive Authentication Type Name for your OIDC configuration.
    4. Copy the Callback URL / Redirect URL.
  2. Configure Google to use OIDC with the Cloud Identity Engine.
    1. Sign in to Google: select your account, enter your password, then click Next.
    2. Create a new project or select an existing project.
    3. Enable the Identity and Access Management (IAM) API (if it's not already enabled).
    4. Select APIs & Services > OAuth consent screen, then configure the OAuth consent screen.
    5. Create your OAuth 2.0 credentials, copy the Client ID and Client Secret, and store them in a secure location.
      Don’t allow the client secret to expire. If the client secret isn’t up to date, users can’t log in using OIDC.
  3. Obtain the information you need to complete your OIDC Google configuration and enter it in your Cloud Identity Engine configuration.
    1. Copy the following information from your configuration and save it in a secure location:
      • The Name you entered in step 2.
      • The Client ID and Client secret you copied in step 2 (if you did not do so in the previous step).
      • The Authorized redirect URIs you copied in step 1.
    2. Enter the application name you entered in step 2 as the Client Name.
    3. Enter the Client ID you copied in step 2.
    4. Enter the Client Secret you copied in step 2.
    5. Enter the Authorized redirect URIs that you copied in step 1 as the Issuer URL.
    6. (Optional) If you have your Endpoint URL, enter it here. If not, continue to the next step (the Cloud Identity Engine populates the Endpoint URL automatically after you successfully test the connection).
    7. Click Test Connection and log in to confirm that the Cloud Identity Engine can reach your Google IdP using OIDC.
      If you did not enter the OIDC Issuer URL in the previous step, the Cloud Identity Engine automatically populates the information.
    8. After confirming that the connection is successful, Submit the configuration.
      You can now use OIDC as an authentication type when you Set Up an Authentication Profile.