Configure Idira as an IdP in the Cloud Identity Engine
Configure Idira as an IdP in the Cloud Identity Engine

Set up the Cloud Identity Engine integration with Idira.
Where Can I Use This?
  • GlobalProtect
  • NGFW and Panorama
  • Prisma Access
What Do I Need?
  • Active Cloud Identity Engine account with required administrator rights
  • Cloud Identity Engine users who will access the Idira Identity User Portal through SSO have been added to Idira
  • PAN-OS 11.2 and later
Configure Idira Identity (formerly CyberArk Identity) as a SAML 2.0 IdP (identity provider) in the Cloud Identity Engine.
Keep the Cloud Identity Engine and Idira Identity Admin portal windows open simultaneously to copy and paste settings between the two browser windows.
  1. Log in to the Cloud Identity Engine app.
  2. Add Idira as an authentication type.
    1. Select Authentication > Authentication Types, and then click Add New Authentication Type.
    2. Set Up a SAML 2.0 authentication type.
    3. For Metadata Type, select Single service provider metadata.
    4. Copy the EntityID and Assertion Consumer Service URL, and then click Download SP Certificate to save a copy of the service provider certificate.
      Alternatively, you can Download SP Metadata.
      Save this information in a secure place. You will need it to complete the service provider configuration in Idira Identity Administration portal.
  3. Configure an Identity Provider Profile.
    1. For Profile Name, enter Idira.
    2. For Identity Provider Vendor, select Idira.
    3. Add Metadata manually or using the IdP metadata file from Idira.
      To acquire the metadata, complete up to step 3.b in Configure the Cloud Identity Engine Template for SSO in Idira.
      • To enter the metadata, select Enter Manually, and then provide the following:
        • Identity Provider ID—The IdP Entity ID / Issuer from Idira
        • Identity Provider Certificate—Upload the Signing Certificate from Idira
        • Identity Provider SSO URL—The Single Sign On URL from Idira
      • To upload the IdP metadata file, select Upload Metadata, and then drag and drop the file or Browse files.
    4. (Optional) Select an HTTP Binding for SSO Request to Identity Provider method to use for the SAML binding.
      This allows the firewall and IdP to exchange request and response messages.
      • HTTP Redirect—Transmit SAML messages through URL parameters
      • HTTP Post—Transmit SAML messages using base64-encoded HTML
    5. Specify the Maximum Clock Skew (seconds) (default is 60; range is 1–900).
      Maximum Clock Skew is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages. If the difference exceeds this value, authentication fails.
    6. (Optional) Force Authentication.
      When you enable this option, Idira prompts users for credentials for every authentication attempt, even if they have an active single sign-on (SSO) session.
  4. Verify your Identity Provider profile configuration.
    This step confirms that your NGFW and Idira can communicate.
    If you do not provide the vendor information, the SAML test still passes, so you can submit the configuration.
    1. In the Test SAML and Attributes section, click Test SAML Setup.
      This redirects you to the Idira Identity Provider settings and initiates testing. After successful authentication, the configured username and any other IdP attributes populate in the Test SAML and Attributes window. Only the UserName attribute is mandatory.
    2. Submit your changes.
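As an added illustration (not code from this page, Palo Alto Networks or Idira), the Python below parses an IdP metadata file of the kind you download from the Idira Trust settings and pulls out the three values the Enter Manually option asks for, for the HTTP binding you selected; it also models the Maximum Clock Skew setting as a tolerance around an assertion's NotBefore/NotOnOrAfter window. The metadata document, host names and certificate value are constructed, and the skew model is an assumption about how the setting is applied, not the documented PAN-OS implementation.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata; the host and certificate value are hypothetical.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBsample
      CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/saml/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/saml/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text, binding=HTTP_REDIRECT):
    """Return the Identity Provider ID, Certificate and SSO URL (for the chosen
    HTTP binding) that the Enter Manually option asks for."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.get("entityID") is None or idp is None:
        raise ValueError("not an IdP metadata document")
    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert = key.find(".//ds:X509Certificate", NS) if key is not None else None
    if cert is None or not cert.text:
        raise ValueError("no signing certificate in metadata")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == binding]
    if not sso:
        raise ValueError("IdP does not advertise binding " + binding)
    return {"entity_id": root.get("entityID"), "sso_url": sso[0],
            "signing_cert": "".join(cert.text.split())}  # drop base64 line breaks

def saml_time(s):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def within_clock_skew(not_before, not_on_or_after, now, max_skew_s=60):
    """Maximum Clock Skew modelled as a tolerance on the assertion's validity
    window: 'now' may sit up to max_skew_s seconds outside NotBefore/NotOnOrAfter."""
    if not 1 <= max_skew_s <= 900:  # the profile's allowed range
        raise ValueError("max_skew_s must be between 1 and 900")
    skew = timedelta(seconds=max_skew_s)
    return not_before - skew <= now < not_on_or_after + skew
```

Running the parser against the real metadata file before you upload it is a quick way to confirm that the IdP advertises the binding you plan to select and that the signing certificate is present.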

Configure the Cloud Identity Engine Template for SSO in Idira

Configure the Cloud Identity Engine application template in the Idira Identity Administration portal to enable service provider-initiated and identity provider-initiated single sign-on (SSO) to the Idira Identity User Portal.
  1. Log in to the Idira Identity Administration portal.
  2. Add the Cloud Identity Engine web app template.
    1. Select Apps & Widgets > Web Apps, and then click Add Web Apps.
    2. Search for Palo Alto Networks CIE, and then click Add.
    3. Add the Palo Alto Networks CIE web app, and then click Yes to confirm.
    4. Close the app catalog.
      The Palo Alto Networks CIE template opens to its prepopulated Settings page.
  3. Configure Trust settings.
    1. On the sidebar, select Trust.
    2. In the Identity Provider Configuration section, collect the Idira Identity metadata.
      Save the metadata in a secure location. You will need this information to configure the Identity Provider Profile in the Cloud Identity Engine app.
      • To populate the profile using an IdP metadata file, select Metadata, and then click Download Metadata File.
      • To enter the metadata, select Manual Configuration. Copy the IdP Entity ID / Issuer and Single Sign On URL, and then Download the Signing Certificate.
    3. In the Service Provider Configuration section, provide the Cloud Identity Engine metadata.
      • To use the SP metadata file, select Metadata, and then upload the File you downloaded from the Cloud Identity Engine.
        The metadata auto-populates.
      • To enter the SP metadata, select Manual Configuration, and then provide the following:
        • SP Entity ID / SP Issuer / Audience—The Entity ID from the Cloud Identity Engine
        • Assertion Consumer Service (ACS) URL—The Assertion Consumer Service URL from the Cloud Identity Engine
    4. Validate the metadata, and then Save the configuration.
  4. Configure the SAML response.
    1. On the sidebar, select SAML Response.
    2. In the Attributes section, verify that the Attribute Name maps to the correct Attribute Value.
      Specifically, verify that the Login Attribute Name maps to the LoginUser.Email Attribute Value.
      Attributes are case-sensitive.
    3. (Optional) To map other attributes you want to pass in the SAML response, click Add.
    4. Save the configuration.
  5. Define permissions for Cloud Identity Engine users, groups, or roles who will access the Idira Identity User Portal.
    Assigning permissions grants SSO access to the selected users, groups, or roles.
    One user must be an administrator who is mapped to the attribute. The user must already exist in CLICDATA.
    1. On the sidebar, select Permissions, and then click Add.
    2. Select the users, groups, or roles to grant SSO access, and then click Add.
      The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.
    3. Enable permissions for each user, group, or role, and then click Save.
      You can change the permissions to add more control, or if you prefer not to deploy the application automatically.
  6. Review the settings, and then Save your configuration.
  7. Test the Cloud Identity Engine SSO configuration.
    • To test IdP-initiated SSO:
      1. Sign in to the Idira Identity User Portal with a user account you just added.
      2. Click the Palo Alto Networks CIE application tile to launch the Cloud Identity Engine in a new tab and automatically sign in.
    • To test SP-initiated SSO:
      1. Visit your organization's Cloud Identity Engine SSO URL.
      2. Sign in with your Identity Provider.
        This redirects you to the Idira Identity User Portal. After successfully authenticating to the IdP, you are redirected back to the Cloud Identity Engine.
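As an added example (not code from this page, Palo Alto Networks or Idira) of the case-sensitive attribute mapping in step 4, the Python below reads the AttributeStatement of a SAML response and looks up the login attribute by its exact name, so a response that carries "login" instead of "Login" is reported as missing. The response document, issuer and user values are constructed; the signature is omitted because only the attribute layout is being inspected.

```python
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response; issuer and user are hypothetical, signature omitted.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z">
  <saml2:Issuer>https://idp.example.test/saml</saml2:Issuer>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml2:Issuer>https://idp.example.test/saml</saml2:Issuer>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Login">
        <saml2:AttributeValue>alice@example.test</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="Department">
        <saml2:AttributeValue>Security</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

def saml_attributes(response_xml):
    """Map each Attribute Name (exact, case-sensitive) to its list of values."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for a in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml2:AttributeValue", NS)]
    return attrs

def check_login_mapping(response_xml, attribute_name="Login"):
    """Return the value the IdP sent for the login attribute, or None when the
    name is absent, which includes a case mismatch such as 'login'."""
    values = saml_attributes(response_xml).get(attribute_name, [])
    return values[0] if values else None
```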