Cloud Identity Engine

The Cloud Identity Engine consists of two components: Directory Sync, which provides user information, and the Cloud Authentication Service, which authenticates users. For a more comprehensive identity solution, Palo Alto Networks recommends using both components, but you can configure the components independently.
The Cloud Authentication Service uses a cloud-based service to provide user authentication using SAML 2.0-based Identity Providers (IdPs). When the user attempts to authenticate, the authentication request is redirected to the Cloud Authentication Service, which redirects the request to the IdP. After the IdP authenticates the user, the firewall maps the user and applies the security policy. By using a cloud-based solution, you can reallocate the resources required for authentication from the firewall or Panorama to the cloud. The Cloud Authentication Service also allows you to configure the authentication source once instead of for each authentication method you use (for example, Authentication Portal or administrator authentication).
Cloud Identity Engine support for user authentication with Prisma Access and GlobalProtect is planned for a future release.
You can now also sync directory changes to the Cloud Identity Engine, which quickly syncs only the recent changes to your directory and takes much less time than a full sync.
  1. Prepare to deploy the Cloud Identity Engine so that it can provide user mappings to the firewall.
    1. If you have not already done so, install the device certificate for your firewall or Panorama.
    2. Activate the Cloud Identity Engine app.
  2. Configure Azure Active Directory as your identity source in the Cloud Identity Engine app.
    In this release, the Cloud Identity Engine supports group mapping for Azure AD.
  3. Configure a Cloud Identity Engine profile on the firewall.
    The Cloud Identity Engine retrieves the information for your instance based on your device certificate and uses the Palo Alto Networks Services service route.
    1. On the firewall, select Device > User Identification > Cloud Identity Engine and Add a profile.
    2. For the Instance, specify each of the following:
      • Region—Select the regional endpoint for your instance. The region you select must match the region you selected when you activated your Cloud Identity Engine instance.
      • Cloud Identity Engine Instance—If you have more than one instance, select the instance you want to use.
      • Domain—Select the domain that contains the directories you want to use.
      • Update Interval (min)—Enter the number of minutes that you want the firewall to wait between updates. The default is 60 minutes and the range is 1 to 1440.
    3. Verify that the profile is Enabled.
    4. For the User Attributes, select the format for the Primary Username. You can optionally select the formats for the E-Mail and an Alternate Username. You can configure up to three alternate username formats if your users log in using multiple username formats.
      Choose the Primary Username format that matches how usernames appear in the user mappings the firewall receives and in your security policy rules; if the formats differ, rules that name those users do not match their traffic.
    5. For the Group Attributes, select the format for the Group Name.
    6. For the Device Attributes, select the Endpoint Serial Number.
      If you are using GlobalProtect and you have enabled Serial Number Check, select the Endpoint Serial Number option to allow the Cloud Identity Engine to collect serial numbers from managed endpoints. The GlobalProtect portal uses this information to check whether the endpoint's serial number exists in the directory, which verifies that the endpoint is a managed device.
    7. Click OK, then Commit your changes.
  4. Configure security policy rules for your users (for example, by specifying one or more users or groups that the firewall retrieves from the Cloud Identity Engine as the
    Source User
    ).
    The firewall collects attributes only for the users and groups that you use in security policy rules, not all users and groups in the directory.
  5. Verify that the firewall has the mapping information from the Cloud Identity Engine.
    1. On the client device, use the browser to access a web page that requires authentication.
    2. Enter your credentials to log in.
    3. On the firewall, use the show user ip-user-mapping all command to verify that the mapping information is available to the firewall, and confirm that the client's IP address maps to the user who logged in, in the username format your security policy rules use.
  6. If you make changes to the directory that you configure in the Cloud Identity Engine, Sync Changes for your directory.
    By default, the Cloud Identity Engine syncs changes every five minutes. If you want to sync your directory updates immediately, you can sync just the changes to your Azure Active Directory (Azure AD) or on-premises AD, which is much faster than a full sync of your directory.
    Palo Alto Networks recommends a full sync of your directory if you lose connectivity or are experiencing issues. To sync the entire directory, select Actions > Full Sync. If a full sync is in progress, you cannot sync changes. After a full sync in the Cloud Identity Engine app, the firewall must also complete a full sync.
  7. Configure an identity provider (IdP) for the Cloud Identity Engine for user authentication.
  8. Configure an Authentication profile to use the Cloud Authentication Service.
  9. Configure an Authentication policy that uses this Authentication profile.
  10. Verify that the firewall redirects authentication requests to the Cloud Authentication Service.
    1. On the client device, use the browser to access a web page that requires authentication.
    2. Enter your credentials to log in.
    3. Confirm that the access request redirects to the Cloud Authentication Service.
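When a deployment has more than a handful of clients, the mapping check in step 5 is easier to do by script than by reading the CLI table by eye. The following Python is an added example and is not code from this page or from Palo Alto Networks: it parses the text that show user ip-user-mapping all prints (the IP, Vsys, From, User, IdleTimeout(s) and MaxTimeout(s) columns), then checks that a client IP address maps to the user a security policy rule names as Source User and that the mapping is not about to time out. The sample output embedded in the block is constructed for the example: the addresses, usernames, From-column source tags and timeout values are all made up, and the 60-second freshness threshold is an arbitrary choice.

```python
"""Check the firewall's IP-to-user mappings (text output of
`show user ip-user-mapping all`) against what security policy rules expect.
Added example; not Palo Alto Networks code."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample of the command's text output, following the column layout
# the CLI prints. All addresses, usernames, From-column tags and timeouts here
# are made up for the example.
SAMPLE_OUTPUT = r"""IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.1.1.5        vsys1  UIA     acme\jdoe                        2400           2400
10.1.1.6        vsys1  GP      acme\asmith                      2700           2700
10.1.2.20       vsys1  CP      acme\svc-backup                  14             14
Total: 3 users
"""

# One data row: IP, vsys, source, username (may contain spaces), two timeouts.
ROW_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<vsys>\S+)\s+(?P<source>\S+)\s+"
    r"(?P<user>.+?)\s+(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)


@dataclass(frozen=True)
class Mapping:
    ip: str
    vsys: str
    source: str        # "From" column: which User-ID source learned the mapping
    user: str          # username exactly as the firewall stores it
    idle_timeout: int  # seconds until the mapping idles out
    max_timeout: int   # seconds until the mapping expires regardless of activity


def parse_mappings(text: str) -> list[Mapping]:
    """Turn the CLI table into Mapping objects, skipping the header row, the
    dashed separator, blank lines and the 'Total: N users' footer."""
    mappings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("IP ", "---", "Total:")):
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised mapping line: {line!r}")
        mappings.append(Mapping(m["ip"], m["vsys"], m["source"], m["user"],
                                int(m["idle"]), int(m["max"])))
    return mappings


def find_mapping(mappings: list[Mapping], ip: str) -> Optional[Mapping]:
    """Return the mapping for a client IP, or None if the firewall has none."""
    return next((m for m in mappings if m.ip == ip), None)


def check_mapping(mappings: list[Mapping], ip: str, expected_user: str,
                  min_ttl: int = 60) -> tuple[bool, str]:
    """Decide whether a rule naming `expected_user` as Source User would match
    traffic from `ip` right now. Returns (ok, reason).

    Usernames are compared case-insensitively, since directory account names
    are not case-sensitive; the format (domain\\user, UPN, ...) must still
    agree. `min_ttl` is an arbitrary threshold for this example that flags
    mappings about to time out."""
    m = find_mapping(mappings, ip)
    if m is None:
        return False, f"{ip}: no mapping; traffic matches rules as an unknown user"
    if m.user.lower() != expected_user.lower():
        return False, (f"{ip}: mapped to {m.user!r}, rule expects {expected_user!r}; "
                       "check the Primary Username format in the profile")
    ttl = min(m.idle_timeout, m.max_timeout)
    if ttl < min_ttl:
        return False, f"{ip}: mapping for {m.user!r} expires in {ttl}s"
    return True, f"{ip}: mapped to {m.user!r} via {m.source}, {ttl}s remaining"


def mappings_by_source(mappings: list[Mapping]) -> dict[str, int]:
    """Count mappings per User-ID source, to confirm that the source you just
    configured is actually populating the table."""
    return dict(Counter(m.source for m in mappings))


if __name__ == "__main__":
    table = parse_mappings(SAMPLE_OUTPUT)
    print("mappings per source:", mappings_by_source(table))
    for ip, user in [("10.1.1.5", "ACME\\jdoe"),                # only case differs
                     ("10.1.1.6", "acme\\asmith@acme.example"),  # username format mismatch
                     ("10.1.2.20", "acme\\svc-backup"),          # about to expire
                     ("10.1.9.9", "acme\\jdoe")]:                # no mapping at all
        ok, reason = check_mapping(table, ip, user)
        print("PASS" if ok else "FAIL", reason)
```

Feed parse_mappings the real command output captured from the CLI instead of SAMPLE_OUTPUT. A "mapped to ... rule expects ..." failure almost always means the Primary Username format selected in the profile (step 3) differs from the format used in the rule, and a missing mapping for a user who did log in is the cue to Sync Changes or run a Full Sync (step 6) before looking elsewhere.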
