Get User and Group Information Using the Cloud Identity Engine

Use the Cloud Identity Engine to retrieve user and group information for Prisma Access.
Prisma Access retrieves user and group information from your organization’s cloud directory or Active Directory (AD) to enforce user- and group-based policy. Optionally, it also retrieves user behavior-based risk signals from some cloud directory vendors, such as Azure Active Directory, to enforce automated security actions. The Cloud Identity Engine simplifies this retrieval.
In addition to simplifying user and group information retrieval, integrating the Cloud Identity Engine with Prisma Access reduces the bandwidth and query load that Prisma Access places on your cloud directory or AD.
You can use the Cloud Identity Engine to retrieve user and group information for Prisma Access for mobile users, remote networks, or both, by completing the following steps.
The Cloud Identity Engine integration with Prisma Access has the following implementation restrictions:
  • Make sure that the groups you use with the Cloud Identity Engine do not contain any of the following special characters. Prisma Access does not support them in group names, and a commit that references such a group fails:
    • " (Double quotes)
    • ' (Apostrophe)
    • < (less than sign)
    • > (greater than sign)
    • & (ampersand)
  • If you associate the Cloud Identity Engine with Prisma Access, your user names must include the domain. You can specify user names in email format (username@domain), NetBIOS\sAMAccountName format (DOMAIN\username), or User Principal Name (UPN) format (username@domain.com).
  • Enter group names in the distinguishedName format (for example, CN=Users,CN=Builtin,DC=Example,DC=com).
  • The Cloud Identity Engine does not apply the settings you specify in the group include list (Device > User Identification > Group Mapping Settings > Group Include List); instead, it retrieves user and group information for your entire configuration, including groups used in all device groups and templates.
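Because a commit that references a non-conforming group fails only after you have pushed the configuration, it is worth checking the names you intend to use in policy beforehand. The following script is an added example, not Palo Alto Networks code; it encodes the restrictions listed above (no " ' < > & in group names, groups in distinguishedName format, user names that carry a domain) as checks you can run over an exported list of names. The function names, the regular expressions, and the sample group and user names are assumptions constructed for illustration.

```python
"""Pre-flight checks for group and user names used in Prisma Access policy
backed by the Cloud Identity Engine.  Added example, not vendor code."""
import re

# Characters the documentation says Prisma Access rejects in group names.
FORBIDDEN_GROUP_CHARS = set('"\'<>&')

# One RDN: attribute type, "=", non-empty value.  Backslash-escaped characters
# (RFC 4514 escaping, e.g. "Smith\, John") are allowed inside the value.
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=(?:\\.|[^\\])+$")

# username@domain covers both the email and the UPN form from the docs;
# DOMAIN\username is the NetBIOS form (NetBIOS domain names are <= 15 chars).
_UPN_RE = re.compile(r"^[^@\s\\]+@[^@\s\\]+$")
_NETBIOS_RE = re.compile(r"^[^\\\s@]{1,15}\\[^\\\s@]+$")


def split_dn(dn: str) -> list:
    """Split a DN on commas that are not backslash-escaped."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def is_distinguished_name(name: str) -> bool:
    """True if every comma-separated component looks like attr=value."""
    return all(_RDN_RE.match(p) for p in split_dn(name))


def check_group_name(name: str) -> list:
    """Return the problems found; an empty list means the group is usable."""
    problems = []
    bad = sorted(FORBIDDEN_GROUP_CHARS & set(name))
    if bad:
        problems.append("contains unsupported character(s): " + " ".join(bad))
    if not is_distinguished_name(name):
        problems.append("not in distinguishedName format (expected CN=...,DC=...)")
    return problems


def classify_username(name: str):
    """Return 'upn' (also covers the email form), 'netbios', or None when the
    name carries no domain and therefore cannot be used."""
    if _UPN_RE.match(name):
        return "upn"
    if _NETBIOS_RE.match(name):
        return "netbios"
    return None


def audit(groups, users):
    """Map each group to its problems and each user name to its format."""
    return (
        {g: check_group_name(g) for g in groups},
        {u: classify_username(u) for u in users},
    )


if __name__ == "__main__":
    # Constructed sample input; not real directory data.
    SAMPLE_GROUPS = [
        "CN=Users,CN=Builtin,DC=Example,DC=com",
        "CN=R&D Team,OU=Groups,DC=example,DC=com",          # '&' breaks the commit
        "CN=O'Brien's Reports,OU=Groups,DC=example,DC=com",  # apostrophes too
        "Domain Users",                                      # not a DN
    ]
    SAMPLE_USERS = ["alice@example.com", r"EXAMPLE\bob", "carol"]
    group_results, user_results = audit(SAMPLE_GROUPS, SAMPLE_USERS)
    for name, problems in group_results.items():
        print(("OK  " if not problems else "BAD ") + name, problems)
    for name, fmt in user_results.items():
        print(("OK  " if fmt else "BAD ") + name, "->", fmt)
```

Run it against the group DNs and user names you plan to reference in Security policy; any group that comes back with a problem should be renamed in the directory (or a different group chosen) before you commit, and any user name that classifies as None needs its domain added.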
  1. Create a Cloud Identity Engine instance for Prisma Access, and make a note of the instance name.
    When you activate the Cloud Identity Engine, it creates an instance. You use the instance name when you associate the Cloud Identity Engine with Prisma Access in a later step. Optionally, if you need to create a separate instance for Prisma Access, create it and make a note of the instance name.
  2. Configure the Cloud Identity Engine to retrieve your directory data.
  3. (Deployments with on-premises Active Directory only) Install and configure the Cloud Identity Agent to communicate with your on-premises AD, and configure mutual authentication between the Cloud Identity Engine service and the agent.
  4. Associate the Cloud Identity Engine with the Panorama app.
    1. Log in to the hub, click the gear icon to edit the Settings, then Manage Apps.
    2. Select the Panorama app.
    3. Select the Cloud Identity Engine instance you want to associate with the app and click OK.
  5. Associate the Panorama that manages Prisma Access with Cloud Identity Engine in the hub.
    Using the Cloud Identity Engine with Prisma Access is not supported in a multitenant environment.
    1. On the Panorama that manages Prisma Access, select Dashboard and note the Serial # that displays.
    2. Log in to the Palo Alto Networks hub and select Panorama.
    3. Find the serial number of the Panorama that manages Prisma Access, select it, then select Add Directory Sync.
    4. Enter the Directory Sync instance you retrieved in Step 1.
      You do not need to select the Region; the Cloud Identity Engine uses the same region that Prisma Access uses for Strata Logging Service.
    5. Click OK when complete.
    6. (Optional) If you need to edit the Cloud Identity Engine mapping after you create it, select Prisma Access - DirSync Mapping, select the Panorama’s serial number, select Edit, and enter the following information in the window that displays:
      • Enter a Name for the Cloud Identity Engine - Prisma Access mapping.
      • Optionally, enter a Description for the mapping.
      • Select the Directory Sync instance name that you noted in Step 1.
      The Region and Serial Number fields populate automatically.
  6. Enable the Cloud Identity Engine on Prisma Access.
    1. On the Panorama that manages Prisma Access, open the Group Mapping Settings for your deployment type.
      • For a Mobile Users—GlobalProtect deployment, select Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect, select the gear icon to edit the settings, then select Group Mapping Settings.
      • For a Mobile Users—Explicit Proxy deployment, select Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy, select the gear icon to edit the settings, then select Group Mapping Settings.
      • For a remote network deployment, select Panorama > Cloud Services > Configuration > Remote Networks, select the gear icon to edit the settings, then select Group Mapping Settings.
    2. Select Enable Directory Sync Integration to enable Cloud Identity Engine with Prisma Access.
    3. Enter the following information:
      • Enter the Primary Username. This field is required.
        The Primary Username attribute controls the formatting that is used in logs and reporting. If the primary username attribute is userPrincipalName (UPN), all the log and reporting entries display the source user in that format. Many deployments use a format of either UPN, sAMAccountName, or mail. If your organization uses another attribute, you can specify it here to ensure consistency for logging and reporting across your organization.
        If you configure Azure AD or Okta Directory as the identity provider (IdP) in the Cloud Identity Engine, specify userPrincipalName as the Primary Username; Prisma Access supports the userPrincipalName (UPN) attribute used by Azure AD and Okta Directory.
      • (Optional) Enter the E-Mail attribute (such as mail).
      • (Optional) If you use alternate name attributes for the user, enter them. You can enter up to three alternate user names (Alternate User Name 1, Alternate User Name 2, and Alternate User Name 3).
    4. Click OK when complete.
  7. Commit and push (Commit > Commit and Push) your changes.