Get User and Group Information Using the Cloud Identity Engine
Use the Cloud Identity Engine to retrieve user and group information for Prisma Access.
Prisma Access retrieves user and group information from your organization’s cloud directory or Active Directory (AD) to enforce user- and group-based policy. You can simplify the retrieval of user and group information by using the Cloud Identity Engine.

In addition to simplifying user and group information retrieval, integrating the Cloud Identity Engine with Prisma Access can reduce the bandwidth and load on your cloud directory or AD. Without Cloud Identity Engine integration, all the remote network and mobile user nodes in your Prisma Access deployment, including nodes in a Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy deployment, individually communicate with your cloud directory or AD over the service connection.

You can use the Cloud Identity Engine to retrieve user and group information for Prisma Access for mobile users, remote networks, or both, by completing the following steps.
The Cloud Identity Engine integration with Prisma Access has the following implementation restrictions:
- Make sure that the groups you use with the Cloud Identity Engine do not contain any of the following special characters. Prisma Access does not support these characters in group names, and commit operations will fail if they are present:
  - " (double quotes)
  - ' (apostrophe)
  - < (less-than sign)
  - > (greater-than sign)
  - & (ampersand)
- If you associate the Cloud Identity Engine with Prisma Access, your user names must use the NetBIOS format that includes the domain. You can specify user names in email format (username@domain), NetBIOS\sAMAccountName format, or User Principal Name (UPN) format (username@domain.com).
- Group names must be in the distinguishedName format (for example, CN=Users,CN=Builtin,DC=Example,DC=com).
- The Cloud Identity Engine does not apply any settings you specify in the group include list (Device > User Identification > Group Mapping Settings > Group Include List); instead, it retrieves user and group information from your entire configuration, including groups used in all device groups and templates.
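As an added example (not part of the Palo Alto Networks documentation), the following Python script screens exported group and user names against the restrictions above, so that a disallowed character, a group that is not a distinguishedName, or a user name in an unsupported format is caught before a commit fails. The regular expressions and the sample names are assumptions made for illustration.

```python
import re

# Characters Prisma Access rejects in group names; a commit containing them fails.
UNSUPPORTED_GROUP_CHARS = set('"\'<>&')
# One RDN of a distinguishedName (attribute=value); escaped commas are not handled.
RDN = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=[^,=]+$')
# username@domain (email) or username@domain.com (UPN): same syntax here.
EMAIL_OR_UPN = re.compile(r'^[^@\\\s]+@[^@\\\s]+$')
# NetBIOS\sAMAccountName: a NetBIOS domain name is at most 15 characters.
NETBIOS = re.compile(r'^[^@\\\s]{1,15}\\[^@\\\s]+$')

def check_group_name(name):
    """Return the problems that make this group unusable, or [] if none."""
    problems = []
    bad = sorted(c for c in set(name) if c in UNSUPPORTED_GROUP_CHARS)
    if bad:
        problems.append("unsupported characters: " + " ".join(bad))
    if not all(RDN.match(rdn.strip()) for rdn in name.split(",")):
        problems.append("not in distinguishedName format "
                        "(expected e.g. CN=Users,CN=Builtin,DC=Example,DC=com)")
    return problems

def username_format(user):
    """Classify a user name as 'netbios', 'email-or-upn', or None if unsupported."""
    if NETBIOS.match(user):
        return "netbios"
    if EMAIL_OR_UPN.match(user):
        return "email-or-upn"
    return None

def audit(groups, users):
    """Map each offending group or user name to its list of problems."""
    findings = {g: p for g in groups if (p := check_group_name(g))}
    for u in users:
        if username_format(u) is None:
            findings[u] = ["not in email, UPN or NetBIOS\\sAMAccountName format"]
    return findings

# Constructed sample directory data, not taken from any real deployment.
SAMPLE_GROUPS = [
    "CN=Users,CN=Builtin,DC=Example,DC=com",      # acceptable
    "CN=R&D Staff,OU=Groups,DC=example,DC=com",   # '&' makes the commit fail
    "Domain Admins",                              # bare name, not a DN
]
SAMPLE_USERS = ["EXAMPLE\\jdoe", "jdoe@example.com", "jdoe"]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_GROUPS, SAMPLE_USERS).items():
        print(name, "->", "; ".join(problems))
```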
1. Create a Cloud Identity Engine instance for Prisma Access, and make a note of the instance name. When you activate the Cloud Identity Engine, it creates an instance. You use the instance name when you associate the Cloud Identity Engine with Prisma Access in a later step. Optionally, if you need a separate instance for Prisma Access, create it and make a note of its name.
2. Configure the Cloud Identity Engine to retrieve your directory data.
3. (Deployments with on-premises Active Directory only) If you use an on-premises Active Directory, install and configure the Cloud Identity Agent to communicate with your on-premises AD, and configure mutual authentication between the Cloud Identity Engine service and the agent.
4. Associate the Cloud Identity Engine with the Panorama app.
   - Log in to the hub, click the gear icon to edit the Settings, then select Manage Apps.
   - Select the Panorama app.
   - Select the Cloud Identity Engine instance you want to associate with the app and click OK.
5. Associate the Panorama that manages Prisma Access with the Cloud Identity Engine in the hub. Using the Cloud Identity Engine with Prisma Access is not supported in a multitenant environment.
   - Find the serial number of the Panorama that manages Prisma Access by selecting the Dashboard and noting the Serial # that displays.
   - Log in to the Palo Alto Networks hub and select Panorama.
   - Find the serial number of the Panorama that manages Prisma Access, select it, then select Add Directory Sync.
   - Enter the Directory Sync instance you retrieved in Step 1. You do not need to select the Region; the Cloud Identity Engine uses the same region that Prisma Access uses for Cortex Data Lake.
   - Click OK when complete.
   - (Optional) If you need to edit an existing Cloud Identity Engine instance after you create it, select Prisma Access - DirSync Mapping, select the Panorama’s serial number, select Edit, and enter the following information in the window that displays:
     - Enter a Name for the Cloud Identity Engine - Prisma Access mapping.
     - Optionally, enter a Description for the mapping.
     - Select the Directory Sync instance name that you noted in Step 1. The Region and Serial Number fields populate automatically.
6. Enable the Cloud Identity Engine on Prisma Access.
   - On the Panorama that manages Prisma Access, select one of the following tabs:
     - To configure the Cloud Identity Engine for Prisma Access for mobile users, select Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect or Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy, select the gear icon to edit the settings, then select Group Mapping Settings.
     - To configure the Cloud Identity Engine for Prisma Access for remote networks, select Panorama > Cloud Services > Configuration > Remote Networks, select the gear icon to edit the settings, then select Group Mapping Settings.
   - Select Enable Directory Sync Integration to enable the Cloud Identity Engine with Prisma Access.
   - Enter the following information:
     - Enter the Primary Username (the logon name attribute for the user, such as userPrincipalName or sAMAccountName). This field is required.
     - (Optional) Enter the E-Mail attribute (such as mail).
     - (Optional) If you use alternate name attributes for the user, enter them. You can enter up to three alternate user names (Alternate User Name 1, Alternate User Name 2, and Alternate User Name 3).
   - Click OK when complete.
7. Commit and push (Commit > Commit and Push) your changes.