Get User and Group Information Using the Cloud Identity Engine
Use the Cloud Identity Engine to retrieve user and group information for Prisma Access.
Prisma Access retrieves user and group information from your organization's cloud directory or Active Directory (AD) to enforce user- and group-based policy. You can simplify the retrieval of user and group information by using the Cloud Identity Engine.

In addition to simplifying user and group information retrieval, integrating the Cloud Identity Engine with Prisma Access can reduce the bandwidth and load on your cloud directory or AD. Without Cloud Identity Engine integration, every remote network and mobile user node in your Prisma Access deployment, including nodes in a Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy deployment, communicates individually with your cloud directory or AD over the service connection.

You can use the Cloud Identity Engine to retrieve user and group information for Prisma Access for mobile users, remote networks, or both, by completing the following steps.
The Cloud Identity Engine integration with Prisma Access has the following implementation restrictions:

- Make sure that the groups you use with the Cloud Identity Engine do not contain any of the following special characters. Prisma Access does not support them in group names, and commit operations will fail if they are present:
  " (double quotes)
  ' (apostrophe)
  < (less than sign)
  > (greater than sign)
  & (ampersand)
- If you associate the Cloud Identity Engine with Prisma Access, your user names must use the NetBIOS format that includes the domain. You can specify usernames in email format (username@domain), NetBIOS\sAMAccountName format, or User Principal Name (UPN) format (username@domain.com). Group names must be in distinguishedName format (for example, CN=Users,CN=Builtin,DC=Example,DC=com).
- The Cloud Identity Engine does not apply any settings you specify in the group include list (Device > User Identification > Group Mapping Settings > Group Include List); instead, it retrieves user and group information from your entire configuration, including groups used in all device groups and templates.
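As an added example that is not part of this documentation or of any Palo Alto Networks tool, the following Python script applies the naming restrictions above to a set of group and user names before you commit: it flags the unsupported special characters in group names, checks that group names are in distinguishedName format, and classifies usernames as NetBIOS\sAMAccountName or username@domain (email or UPN) format. The regular expressions are assumptions for illustration and do not cover every LDAP escaping case.

```python
import re

# Characters that Prisma Access does not support in group names (from the
# restrictions above); a commit that references such a group fails.
UNSUPPORTED_GROUP_CHARS = set('"\'<>&')

# Assumed patterns (illustrative, not from the documentation) for the username
# formats listed above: NetBIOS\sAMAccountName such as EXAMPLE\jsmith, and
# username@domain (email) or username@domain.com (UPN).
_NETBIOS_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9_.-]{0,14}\\[^\\/\[\]:;|=,+*?<>"\s]+$')
_UPN_OR_EMAIL_RE = re.compile(r'^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$')
# One attr=value component of a distinguishedName; escaped commas are not handled.
_RDN_RE = re.compile(r'\s*[A-Za-z][A-Za-z0-9-]*=[^,=]+')


def unsupported_chars_in_group(group_name: str) -> set:
    """Return the unsupported characters found in a group name (empty set if none)."""
    return set(group_name) & UNSUPPORTED_GROUP_CHARS


def is_distinguished_name(group_name: str) -> bool:
    """True if the name is comma-separated attr=value parts, e.g. CN=Users,DC=Example,DC=com."""
    if not group_name:
        return False
    return all(_RDN_RE.fullmatch(rdn) for rdn in group_name.split(","))


def username_format(name: str) -> str:
    """Classify a username as 'netbios', 'upn_or_email', or 'unsupported'."""
    if _NETBIOS_RE.match(name):
        return "netbios"
    if _UPN_OR_EMAIL_RE.match(name):
        return "upn_or_email"
    return "unsupported"


def check_group_mapping(groups, users):
    """Return (item, problem) pairs for names that would make a Prisma Access commit fail."""
    problems = []
    for group in groups:
        bad = unsupported_chars_in_group(group)
        if bad:
            problems.append((group, "unsupported characters: " + "".join(sorted(bad))))
        elif not is_distinguished_name(group):
            problems.append((group, "not in distinguishedName format"))
    for user in users:
        if username_format(user) == "unsupported":
            problems.append((user, "not NetBIOS\\sAMAccountName, email or UPN format"))
    return problems
```

Call check_group_mapping(groups, users) with the group and user names from your Prisma Access configuration; it returns an empty list when every name passes.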
When you activate the Cloud Identity Engine, it creates an instance. You use the instance name when you associate the Cloud Identity Engine with Prisma Access in a later step. Optionally, if you need to create a separate instance for Prisma Access, create it and make a note of the instance name.
(Deployments with on-premises Active Directory only) If you use an on-premises Active Directory, install and configure the Cloud Identity Agent to communicate with your on-premises AD and configure mutual authentication between the Cloud Identity Engine service and the agent.
Enable the Cloud Identity Engine on Prisma Access.

On the Panorama that manages Prisma Access, select one of the following tabs:

- To configure the Cloud Identity Engine for a Mobile Users—GlobalProtect or Mobile Users—Explicit Proxy deployment, select Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect or Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy, select the gear icon to edit the settings, then select Group Mapping Settings.
- To configure the Cloud Identity Engine for Prisma Access for a remote network deployment, select Panorama > Cloud Services > Configuration > Remote Networks, select the gear icon to edit the settings, then select Group Mapping Settings.
Select Enable Directory Sync Integration to enable the Cloud Identity Engine with Prisma Access.

Enter the following information:

Enter the Primary Username (the logon name attribute for the user, such as userPrincipalName or sAMAccountName). This field is required. Prisma Access supports the userPrincipalName (UPN) attribute that is used with Azure AD and Okta Directory. If you configure Azure or Okta as the identity provider (IdP) in the Cloud Identity Engine, specify the Primary Username as userPrincipalName.

(Optional) Enter the E-Mail attribute (such as mail).

(Optional) If you use alternate name attributes for the user, enter them. You can enter up to three alternate user names (