Authenticate Users with the Cloud Identity Engine
Where Can I Use This?
  • NGFW
  • Prisma Access

What Do I Need?
  The Cloud Identity Engine service is free; however, the enforcement points that use directory data may require specific licenses. See the licensing information for more details.
Learn how to deploy the Cloud Identity Engine for user authentication by configuring a SAML 2.0-based identity provider (IdP), a client certificate and certificate authority (CA) chain, or both. Beyond these standard methods, the service also supports OpenID Connect (OIDC) providers and direct Password Authentication for users managed within a Cloud Identity Engine directory. This flexibility allows you to integrate with major identity services like Microsoft Entra ID (Azure AD), Okta, Google, PingOne, and PingFederate, or generic SAML 2.0 compliant providers, ensuring a seamless login experience across your organization.
After specifying how you want to authenticate your users, set up your authentication profile to define your authentication security policy. This profile acts as the logic layer, enabling you to implement multi-authentication strategies where you can assign different authentication methods to specific user groups or directories within a single configuration. For example, you might require certificates for managed devices while prompting contractors for SAML credentials, all managed through one central policy.
Once your profile is set up, the next step is to tell your firewall or management tool (Panorama or Strata Cloud Manager) to use it. By linking your management interface to this cloud-based profile, you separate your security settings from the technical details of your login provider. This means you can update certificates or change settings in the cloud without having to manually reconfigure every device in your network.
Next, set the Cloud Identity Engine as the source for user and group information. This allows your security rules to automatically adapt whenever users change roles or departments, enforcing policies based on who the user is rather than their IP address. This method shifts the heavy lifting of verifying identities from your physical hardware to the cloud, making your network more efficient and easier to manage.