Cloud Identity Engine Getting Started
    : Configure an OIDC Authentication Type
    Focus
    Download PDF
    Focus
    1. Home
    2. Cloud Identity
    3. Cloud Identity Engine Getting Started
    4. Authenticate Users with the Cloud Identity Engine
    5. Configure an OIDC Authentication Type
    Download PDF

    Cloud Identity Engine Getting Started

    Configure an OIDC Authentication Type

    Table of Contents

    Configure an OIDC Authentication Type

    Learn how to configure OpenID Connect (OIDC) as an authentication type for the Cloud Identity Engine.
    OpenID Connect (OIDC) provides additional flexibility for your Cloud Identity Engine deployment. By supporting single-sign on (SSO) across multiple applications, OIDC simplifies authentication for users, allowing them to log in once with the OIDC provider to access multiple resources without needing to log in repeatedly.
    The OIDC authentication type supports the Prisma Access Browser. It does not support GlobalProtect or Authentication Portal.
    To configure an OpenID Connect (OIDC) provider as an authentication type in the Cloud Identity Engine, complete the following steps for your identity provider (IdP) type.
    When you configure OIDC as an authentication type, the Cloud Identity Engine determines the username attribute using the following order (where if the current attribute is not found, the Cloud Identity Engine attempts to match using the next attribute in the list):
    1. email
    2. preferred_username
    3. username
    4. sub

    Configure OIDC for Azure

    1. Set up OIDC as an authentication type in the Cloud Identity Engine.
      1. Select AuthenticationAuthentication TypesAdd New Authentication Type.
      2. Set Up the OIDC authentication type.
      3. Enter a unique and descriptive Authentication Type Name for your OIDC configuration.
      4. Copy the Callback URL/ Redirect URL.
    2. Configure Azure to use OIDC with the Cloud Identity Engine.
      1. Log in to the Azure account you want to use to connect to the Cloud Identity Engine.
      2. Click App registration.
      3. Click New registration.
      4. Enter a Name for the application.
      5. Select Accounts in this organizational directory only.
      6. For the Redirect URI, enter the domain for your Cloud Identity Engine instance and append oidc/callback
      7. Click Register to submit the configuration.
      8. Click Add user/group and add the users or groups you want to be able to configure OIDC as an authentication type (for example, service accounts).
    3. Obtain the information you need to complete your OIDC Azure configuration.
      1. Select the application you just created then click Overview.
      2. Copy the Display name and Application (client) ID and save them in a secure location.
      3. Click Add a certificate or secret.
        Do not allow the client secret to expire. If the client secret is not up to date, users cannot log in using OIDC.
      4. Select Client secrets then click New client secret.
        Do not allow the client secret to expire. If the client secret is not up to date, users cannot log in using OIDC.
      5. Select when the secret Expires then click Add.
        Do not allow the client secret to expire. If the client secret is not up to date, users cannot log in using OIDC.
      6. Copy the Value of the client secret and save them in a secure location.
        Because the secret displays only once, be sure to copy the information before closing or leaving the page. Otherwise, you must create a new secret.
        Do not allow the client secret to expire. If the client secret is not up to date, users cannot log in using OIDC.
      7. (Optional) Select OverviewEndpoints and Copy the OpenID Connect metadata document up to /2.0 (the well-known/openid-configuration section of the URL isn't necessary).
    4. Complete and submit the OIDC configuration.
      1. Enter the Display name you copied from Azure in step 3.2 as the Client Name.
      2. Enter the Client ID you copied from Azure in step 3.6.
      3. Enter the Value you copied from Azure in step 3.7 as the Client Secret.
      4. Enter https://login.microsoftonline.com/organizations/2.0/ as the Issuer URL.
      5. (Optional) Enter the Endpoint URL you copied in step 3.7.
      6. Click Test Connection and log in to confirm that the Cloud Identity Engine can reach your Azure IdP using OIDC.
        If you did not enter the OIDC Issuer URL in the previous step, the Cloud Identity Engine automatically populates the information.
      7. After confirming that the connection is successful, Submit the configuration.
        You can now use OIDC as an authentication type when you Set Up an Authentication Profile.

    Configure OIDC for Okta

    1. Set up OIDC as an authentication type in the Cloud Identity Engine.
      1. Select AuthenticationAuthentication TypesAdd New Authentication Type.
      2. Set Up the OIDC authentication type.
      3. Enter a unique and descriptive Authentication Type Name for your OIDC configuration.
      4. Copy the Callback URL/ Redirect URL.
    2. Configure Okta to use OIDC with the Cloud Identity Engine.
      1. Sign in to Okta.
      2. Select ApplicationsApplications.
      3. Click Create App Integration.
      4. Select OIDC - OpenID Connect as the Sign-in method and Web Application as the Application Type then click Next.
      5. Enter an App integration name.
      6. Click Add URI and enter the information you copied in step 1.4.
      7. Select the Controlled Access you want to allow then click Save.
    3. Obtain the information you need to complete your OIDC Okta configuration.
      1. Copy the Client ID.
      2. Copy the Secret.
        The secret for Okta does not expire.
    4. Complete and submit the OIDC configuration.
      1. Enter the App integration name you entered in Okta in step 2.5 as the Client Name.
      2. Enter the Client ID you copied from Okta in step 3.1.
      3. Enter the Secret you copied from Okta in step 3.2 as the Client Secret.
      4. Enter the domain name URL for your Okta IdP as the Issuer URL.
      5. (Optional) If you have your Endpoint URL, enter it here. If not, continue to the next step (the Cloud Identity Engine populates the Endpoint URL automatically after you successfully test the connection).
      6. Click Test Connection and log in to confirm that the Cloud Identity Engine can reach your Okta IdP using OIDC.
        If you did not enter the OIDC Issuer URL in the previous step, the Cloud Identity Engine automatically populates the information.
      7. After confirming that the connection is successful, Submit the configuration.
        You can now use OIDC as an authentication type when you Set Up an Authentication Profile.

    Configure OIDC for PingOne

    1. Set up OIDC as an authentication type in the Cloud Identity Engine.
      1. Select AuthenticationAuthentication TypesAdd New Authentication Type.
      2. Set Up the OIDC authentication type.
      3. Enter a unique and descriptive Authentication Type Name for your OIDC configuration.
      4. Copy the Callback URL/ Redirect URL.
    2. Configure PingOne to use OIDC with the Cloud Identity Engine.
      1. Sign On to your PingOne account.
      2. Select Applications.
      3. Select OIDC then click Add Application.
      4. Select Web App then click Next.
      5. Enter an Application Name, a Short Description for the app, and select the app Category, then click Next.
    3. Continue the OIDC Okta configuration.
      1. Click Add Secret then click Next.
      2. Enter the Start SSO URL and the Redirect URIs then click Next.
      3. Click Next.
        No configuration changes are necessary for this step.
      4. Add all the scopes in the List of Scopes to the Connected Scopes then click Next.
      5. Select Email (Work) as the sub attribute then click Next.
      6. Select all the Available Groups and add them to the Added Groups then click Done.
    4. Obtain the information you need to complete your OIDC PingOne configuration and enter it in your Cloud Identity Engine configuration.
      1. Copy the following information from your configuration and save it in a secure location:
        • The Application Name you entered in step 2.5.
        • The Client ID and Client Secrets you added in step 3.1.
          Do not allow the client secret to expire. If the client secret is not up to date, users cannot log in using OIDC.
        • The Issuer URL (as shown below).
      2. Enter the Application Name you entered in PingOne in step 2.5 as the Client Name.
      3. Enter the Client ID you created in PingOne in step 3.1.
      4. Enter the Client Secrets you created in PingOne in step 3.1 as the Client Secret.
      5. Enter the Issuer URL for your PingOne IdP that you copied in step 4.1 as the Issuer URL.
      6. (Optional) If you have your Endpoint URL, enter it here. If not, continue to the next step (the Cloud Identity Engine populates the Endpoint URL automatically after you successfully test the connection).
      7. Click Test Connection and log in to confirm that the Cloud Identity Engine can reach your PingOne IdP using OIDC.
        If you did not enter the OIDC Issuer URL in the previous step, the Cloud Identity Engine automatically populates the information.
      8. After confirming that the connection is successful, Submit the configuration.
        You can now use OIDC as an authentication type when you Set Up an Authentication Profile.

    Configure OIDC for Google

    1. Set up OIDC as an authentication type in the Cloud Identity Engine.
      1. Select AuthenticationAuthentication TypesAdd New Authentication Type.
      2. Set Up the OIDC authentication type.
      3. Enter a unique and descriptive Authentication Type Name for your OIDC configuration.
      4. Copy the Callback URL/ Redirect URL.
    2. Configure Google to use OIDC with the Cloud Identity Engine.
      1. Select your account and Enter your password then click Next.
      2. Create a new project or select an existing project.
      3. Enable the Identity and Access Management (IAM) API (if it's not already enabled).
      4. Select APIs & ServicesOAuth consent screen then configure the OAuth consent screen.
      5. Create your OAuth 2.0 credentials, copy the Client ID and Client Secret, and store them in a secure location.
        Do not allow the client secret to expire. If the client secret is not up to date, users cannot log in using OIDC.
    3. Obtain the information you need to complete your OIDC Google configuration and enter it in your Cloud Identity Engine configuration.
      1. Copy the following information from your configuration and save it in a secure location:
        • The Name you entered in step 2.4.
        • The Client ID and Client secret you copied in step 2.5 (if you did not do so in the previous step).
        • The Authorized redirect URIs you copied in step 1.4.
      2. Enter the application name you entered in step 2.4 as the Client Name.
      3. Enter the Client ID you copied in step 2.5.
      4. Enter the Client Secret you copied in step 2.5.
      5. Enter the Authorized redirect URIs that you copied in step 1.4 as the Issuer URL.
      6. (Optional) If you have your Endpoint URL, enter it here. If not, continue to the next step (the Cloud Identity Engine populates the Endpoint URL automatically after you successfully test the connection).
      7. Click Test Connection and log in to confirm that the Cloud Identity Engine can reach your Google IdP using OIDC.
        If you did not enter the OIDC Issuer URL in the previous step, the Cloud Identity Engine automatically populates the information.
      8. After confirming that the connection is successful, Submit the configuration.
        You can now use OIDC as an authentication type when you Set Up an Authentication Profile.

    © 2024 Palo Alto Networks, Inc. All rights reserved.