User Authentication with Cloud Identity Engine
Learn about how users can authenticate with Cloud Identity Engine.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| | The Cloud Identity Engine service is free; however, the enforcement points utilizing directory data may require specific licenses. Click here for more information. |
User Authentication is the step where a person proves they are who they say they are,
typically by entering a username and password. The Cloud Identity Engine simplifies this
by acting as a "broker" or middleman for these login requests. This service is often
referred to as the Cloud Authentication Service.
Here is how it works in practice: When a user tries to access a protected application or
sign in to the network remotely, the security device (like a firewall) stops them and
asks for identification. Instead of the firewall trying to check the password itself, it
redirects the user to the Cloud Identity Engine. The Cloud Identity Engine then passes
the user along to your company’s official login system—whether that is Microsoft,
Google, Okta, or another provider.
Once the user successfully logs in on that official page, the login system gives a
"thumbs up" to the Cloud Identity Engine, which passes that approval back to the
firewall to let the user in. This approach allows you to set up your login requirements
(like requiring a password plus a code from a phone app) in just one place. You can even
set up "Authentication Profiles" that apply different login rules to different groups of
people—for example, requiring stronger proof of identity for IT administrators than for
regular guest users. This makes the login experience smoother for users while keeping
the network secure.
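
The brokered flow and per-group Authentication Profiles described above can be modeled from the enforcement point's side. This is an added example, not Palo Alto Networks code and not the Cloud Identity Engine's actual protocol. The function names, the HMAC shared key, the profile table and the 60-second lifetime are all assumptions chosen for illustration.

```python
import hashlib, hmac, json, secrets, time

# Constructed for illustration: key shared by broker and enforcement point.
BROKER_KEY = secrets.token_bytes(32)
# Hypothetical authentication profiles: group -> whether MFA is required.
PROFILES = {"it-admins": {"require_mfa": True}, "guests": {"require_mfa": False}}

def _sign(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(BROKER_KEY, body, hashlib.sha256).hexdigest()

def firewall_start_login(pending: dict) -> str:
    """Enforcement point: record a one-time request ID before redirecting."""
    request_id = secrets.token_urlsafe(16)
    pending[request_id] = time.time()
    return request_id

def broker_approve(request_id, user, group, mfa_done, now=None):
    """Broker: relay the login system's result as a signed approval, per profile."""
    profile = PROFILES.get(group)
    if profile is None or (profile["require_mfa"] and not mfa_done):
        return None  # the profile for this group is not satisfied
    payload = {"rid": request_id, "user": user, "group": group,
               "exp": (now or time.time()) + 60}
    return {"payload": payload, "sig": _sign(payload)}

def firewall_accept(pending: dict, approval, now=None) -> bool:
    """Enforcement point: admit only on a valid, fresh, matching approval."""
    if not approval:
        return False
    payload = approval["payload"]
    if not hmac.compare_digest(_sign(payload), approval.get("sig", "")):
        return False  # not issued by the broker, or altered in transit
    if payload["exp"] < (now or time.time()):
        return False  # approval has expired
    # pop() makes the request ID single-use, so a replayed approval fails.
    return pending.pop(payload["rid"], None) is not None
```

The enforcement point never sees a password in this model; it only decides whether the approval really came from the broker, for a login it started itself, within the allowed time.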