Learn about how to configure CIE as a mapping source for User-ID.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | The Cloud Identity Engine service is free; however, the enforcement points that use directory data may require specific licenses. |
When you configure the Cloud Identity Engine as a User-ID source, the firewall or
Panorama retrieves the group mapping information from the Cloud Identity Engine. You
can then use the group information from the Cloud Identity Engine to create and
enforce group-based security policy rules.
If your tenant contains an Okta directory that uses subdomains, enter the following CLI command on the firewall before configuring the Cloud Identity Engine profile: `debug user-id dscd subdomains on`. Subdomain support is disabled by default. To disable it again, use the `debug user-id dscd subdomains off` CLI command. These commands are supported for PAN-OS version 10.2.9.
The Cloud Identity Engine retrieves the information for your tenant based on your device certificate. It also uses the Palo Alto Networks Services service route, so make sure to allow traffic on this service route or configure a custom service route.
To ensure that the Cloud Identity Engine can successfully retrieve users and groups, every user or group name must meet the following requirements: the name is case-sensitive and can have up to 63 characters on the firewall or up to 31 characters on Panorama. It must be unique and use only letters, numbers, hyphens, and underscores.
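A pre-flight check for the naming requirements above, written as an added example for this page (it is not Palo Alto Networks code). It assumes an exported list of user or group names and treats "letters" as ASCII letters; names that would not be retrievable on the chosen enforcement point are reported before they silently break group-based policy.

```python
import re
from dataclasses import dataclass, field

# Limits as documented: 63 characters on the firewall, 31 on Panorama.
NAME_LIMITS = {"firewall": 63, "panorama": 31}
# Allowed characters: letters, numbers, hyphens, underscores.
# Assumption: "letters" means ASCII letters; adjust if your directory uses others.
NAME_PATTERN = re.compile(r"[A-Za-z0-9_-]+")


@dataclass
class NameReport:
    """Names that failed each check; a clean run leaves every list empty."""
    too_long: list = field(default_factory=list)
    bad_chars: list = field(default_factory=list)
    duplicates: list = field(default_factory=list)

    def ok(self) -> bool:
        return not (self.too_long or self.bad_chars or self.duplicates)


def check_names(names, target="firewall") -> NameReport:
    """Validate user/group names against the CIE requirements for `target`.

    Names are case-sensitive, so "Admins" and "admins" are distinct and are not
    reported as duplicates; an exact repeat is.
    """
    limit = NAME_LIMITS[target]
    report = NameReport()
    seen = set()
    for name in names:
        if len(name) > limit:
            report.too_long.append(name)
        if not NAME_PATTERN.fullmatch(name):  # empty names fail here too
            report.bad_chars.append(name)
        if name in seen:
            report.duplicates.append(name)
        seen.add(name)
    return report


if __name__ == "__main__":
    # Constructed sample export; "Sales Team" contains a space, the long name
    # exceeds the Panorama limit, and "Finance-Users" appears twice.
    sample = ["Finance-Users", "Finance-Users", "Sales Team", "x" * 40, "Eng_ops", "eng_ops"]
    print(check_names(sample, target="panorama"))
```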