Create a Workload Identity Federation Built-in Account
This guide covers creating built-in accounts that use Workload Identity Federation (WIF) for authentication. This authentication method applies to:
Both use cases rely on tokens issued by a third-party IdP, exchanged through Workload Identity Federation.
What is Workload Identity Federation?
Workload Identity Federation allows your applications to authenticate securely with Next-Gen Trust Security without having to manage and protect long-lived credentials (such as passwords or API keys). Instead, it uses short-lived tokens obtained from a trusted Identity Provider (IdP). Your application proves its identity to the IdP and receives a token, which it then presents to Next-Gen Trust Security to obtain access.
Before You Begin
Before creating a Workload Identity Federation built-in account, you must complete the following tasks. Refer to your IdP’s documentation to complete these tasks:
Register your application with your IdP: To authenticate using Workload Identity Federation, your application must be registered with your IdP. This registration process involves setting up your application within the IdP so that it is recognized and authorized as a legitimate entity. You'll also use information from the resulting JWT when creating the built-in account in Next-Gen Trust Security (see "Gather JWT Information" below).
Configure your IdP to use supported JWT signing algorithms: Ensure that the JWTs (JSON Web Tokens) issued by your IdP are compatible with Next-Gen Trust Security. This involves configuring your IdP to use one of the supported JWT signing algorithms, which you can normally do in your IdP's management console or configuration API. This configuration is important for maintaining the integrity of token validation and ensuring smooth interoperability between your IdP and Next-Gen Trust Security.
Obtain a JWT: Once registered, your IdP issues a JWT that your application will use to authenticate requests. This token contains the claims that the built-in account creation process relies on.
Gather JWT Information: Extract the necessary details from the JWT provided by your IdP, such as the issuer, subject, and audience. This information will be required when setting up your built-in account to ensure it is properly configured to authenticate using the token.
Important:
Ensure that the JWT includes all required claims as specified by your built-in account setup. Missing information may prevent the built-in account from functioning correctly.
Verify that the JWT’s lifespan aligns with your built-in account’s usage pattern. Tokens with a very short lifespan might need to be refreshed often, depending on your application’s needs.
JWTs used for Workload Identity Federation must not be valid for more than 2 hours (based on the difference between the iat and exp claims). JWTs with a validity period longer than 2 hours will be rejected during validation.
By completing these prerequisites, you ensure that your built-in accounts are configured correctly and ready to handle authentication requests using modern security protocols.
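The prerequisites above amount to a small checklist that can be run against a token before the built-in account is created: the header algorithm must be one of the supported ones, the issuer, subject and audience claims must be present (they become the Issuer URL, Subject Identifier and Audience fields of the account), and the difference between exp and iat must not exceed 2 hours. The following script is an added example written for this guide; it is not part of Next-Gen Trust Security and does not call its API. It assumes the standard JWT claim names iss, sub, aud, iat and exp, uses a placeholder allow-list of algorithms (the page does not name the supported set), and builds constructed tokens with a dummy signature for illustration. It deliberately does not verify the signature: that check is done by the service against the JWKS URI you configure.

```python
import base64
import json
import time
from typing import Optional, Tuple

# The page's hard limit: exp - iat must not exceed 2 hours.
MAX_JWT_LIFETIME_SECONDS = 2 * 60 * 60

# PLACEHOLDER: the page only says "supported JWT signing algorithms" without
# listing them. Replace with the algorithms named in the product documentation.
ALLOWED_ALGS = {"RS256", "ES256"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> Tuple[dict, dict]:
    """Split a compact JWS into its parsed header and payload.

    The signature is NOT verified here; the service verifies it against the
    JWKS URI configured on the built-in account. This is a pre-flight check
    of the claims only.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_wif_jwt(token: str, now: Optional[int] = None) -> dict:
    """Return the account fields derived from the token plus any problems found."""
    now = int(time.time()) if now is None else now
    header, payload = decode_jwt(token)
    problems = []

    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        problems.append(f"unsupported or missing alg: {alg!r}")

    for claim in ("iss", "sub", "aud", "iat", "exp"):
        if claim not in payload:
            problems.append(f"missing required claim: {claim}")

    iat, exp = payload.get("iat"), payload.get("exp")
    lifetime = None
    if isinstance(iat, int) and isinstance(exp, int):
        lifetime = exp - iat
        if lifetime <= 0:
            problems.append("exp is not after iat")
        elif lifetime > MAX_JWT_LIFETIME_SECONDS:
            problems.append(f"lifetime {lifetime}s exceeds the 2-hour maximum")
        if exp <= now:
            problems.append("token has already expired")

    aud = payload.get("aud")
    return {
        "issuer_url": payload.get("iss"),            # -> Issuer URL field
        "subject_identifier": payload.get("sub"),    # -> Subject Identifier field
        "audience": aud[0] if isinstance(aud, list) and len(aud) == 1 else aud,  # -> Audience field
        "lifetime_seconds": lifetime,
        "problems": problems,
    }


def make_sample_jwt(header: dict, payload: dict) -> str:
    """Build a CONSTRUCTED token with a dummy signature, for illustration only."""
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), _b64url_encode(b"constructed-signature")])


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the sample is reproducible
    good = make_sample_jwt(
        {"alg": "RS256", "typ": "JWT", "kid": "example-key"},
        {"iss": "https://idp.example.com", "sub": "workload-123",
         "aud": "https://api.example.invalid", "iat": now, "exp": now + 3600})
    too_long = make_sample_jwt(
        {"alg": "HS256"},
        {"iss": "https://idp.example.com", "sub": "workload-123",
         "aud": "https://api.example.invalid", "iat": now, "exp": now + 3 * 3600})
    for tok in (good, too_long):
        print(json.dumps(check_wif_jwt(tok, now=now), indent=2))
```

Running the script prints the three field values to paste into the account form for the first token, and two problems for the second (a 3-hour lifetime and an algorithm outside the allow-list), which is exactly the kind of token the service would reject during validation.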
To Create a Workload Identity Federation Built-in Account
On the Details screen, select Workload Identity Federation as the authentication method, and then click Continue.
Select the desired Scope (either "cert-manager Enterprise Issuer" or "Custom API Integration"), making sure it matches the permissions and access requirements of your built-in account, and then click Continue.
Fill in the credentials with the specific information required for authentication:
Issuer URL: Enter the URL provided by the third-party token service.
JWKS URI: Enter the URI where the JSON Web Key Set (JWKS) can be retrieved.
Subject Identifier: Enter the unique identifier for the subject within the issuing authority's namespace.
Audience: Enter the intended audience for the token, which is usually the API or resource that the token is intended to access.
After entering all the details, review the information to ensure it's correct and then click Finish to create the new built-in account.
After the JWT is used to request access, you'll receive an access token. You can then use that token to interact with supported APIs. You can review the workflow here.
Access tokens issued by a Next-Gen Trust Security token endpoint have a 15-minute expiry. This 15-minute access token is issued after your JWT is validated, and it does not depend on the JWT's original lifetime. Your JWT may be valid for up to 2 hours, but after validation, Next-Gen Trust Security exchanges it for a short-lived internal access token to improve security.