: Learn About the Cloud Identity Engine
Focus
Focus

Learn About the Cloud Identity Engine

Table of Contents

Learn About the Cloud Identity Engine

Learn about the components of the Cloud Identity Engine.
The Cloud Identity Engine provides both user identification and user authentication for a centralized cloud-based solution in on-premise, cloud-based, or hybrid network environments. The Cloud Identity Engine allows you to write security policy based on users and groups, not IP addresses, and helps secure your assets by enforcing behavior-based security actions.
It also provides the flexibility to adapt to changing security needs and users by making it simpler to configure an identity source or provider in a single unified source of user identity, allowing scalability as needs change.
By continually syncing the information from your directories, whether they are on-premise, cloud-based, or hybrid, ensures that your user information is accurate and up to date and policy enforcement continues based on the mappings even if the cloud identity provider is temporarily unavailable.
To provide user, group, and computer information for policy or event context, Palo Alto Networks cloud-based applications and services need access to your directory information. The Cloud Identity Engine, a secure cloud-based infrastructure, provides Palo Alto Networks apps and services with read-only access to your directory information for user visibility and policy enforcement.
The components of the Cloud Identity Engine deployment vary based on whether the Cloud Identity Engine is accessing an on-premises directory (such as Active Directory) or a cloud-based directory (such as Azure Active Directory).
The authentication component of the Cloud Identity Engine allows you to configure a profile for a SAML 2.0-compliant identity provider (IdP) that authenticates users by redirecting their access requests through the IdP before granting access. You can also configure a client certificate for user authentication. When you configure an Authentication policy and the Authentication Portal on the Palo Alto Networks firewall, users must log in with their credentials before they can access the resource.

On-Premises Directory Configuration

To use the Cloud Identity Engine with an on-premises Active Directory or OpenLDAP-based directory, you need:
  • to install the Cloud Identity agent on a Windows server (the agent host) and configure it to connect to your on-premises directory and the Cloud Identity Engine.
  • access to the Cloud Identity Engine app on the hub so you can manage your Cloud Identity Engine tenants and Cloud Identity agents.
To collect attributes from your on-premises directory, install the Cloud Identity agent on an on-premises Windows server that meets the Cloud Identity Engine system requirements. The agent collects the attributes initially during tenant setup and then once every five minutes (based on the system time on the agent host) if a sync is not already in progress, syncing them with the Cloud Identity Engine so that your directory information is available to your Palo Alto Networks apps and services.
To collect attributes from your on-premises directory and synchronize them with the Cloud Identity Engine:
  • The agent can use TLS 1.1, TLS 1.2, or TLS 1.3 to communicate with the Cloud Identity Engine to synchronize your attributes so that your directory information is available to your associated Cortex apps and services.
  • The agent host can use TLS 1.1, TLS 1.2, or TLS 1.3 to communicate with the on-premises directory to collect the attributes.
We strongly recommend that you configure TLS 1.3 for all Cloud Identity Engine traffic. Version 1.7.0 and later versions of the agent use the latest TLS version by default.
To ensure secure transmission for the attributes, the data is encrypted end-to-end during transmission to the Cloud Identity Engine and on the agent host. The Cloud Identity Engine locally encrypts all agent data and immediately removes the encrypted local data after transmission is complete.
To set up the Cloud Identity Engine, you will need to log in the Cloud Identity Engine app on the hub to generate a certificate to Authenticate the Agent and the Cloud Identity Engine and configure other aspects of the Cloud Identity Engine.

Cloud-Based Directory Configuration

To use the Cloud Identity Engine with a cloud-based directory such as Azure Active Directory (Azure AD), you must grant permission for the Cloud Identity Engine to access your directory when you Configure a Cloud-Based Directory for the Cloud Identity Engine. You do not need to install or configure a Cloud Identity agent to collect attributes from a cloud-based directory.

User Authentication with Identity Providers

To authenticate users, configure a profile for a SAML 2.0-compliant identity provider (IdP) such as Google, Azure, Okta, PingOne, or PingFederate in the Cloud Identity Engine.
On the firewall, configure an Authentication policy that requires users to log in using Authentication Portal to access resources such as the internet. When the firewall receives this type of request, it redirects the request to the Cloud Identity Engine, which reroutes the request to the IdP you configure.
After the user logs in successfully, the firewall grants access to the resource. The Cloud Identity Engine provides flexibility as a user identity management solution by allowing you to configure multiple types of IdPs and making it easier to scale them as needs change.

User Authentication with a Client Certificate

You can configure a client certificate using a certificate authority (CA) chain in addition to SAML 2.0 authentication or as an alternate method for user authentication. CIE supports grouping multiple CA chains in a certificate type, which can be used to authenticate client certificates issued by multiple CA chains.