Cloud Identity Engine Getting Started

This document provides information about setting up and using Palo Alto Networks' Cloud Identity Engine. It includes sections on getting started with the Cloud Identity Engine, choosing and configuring different types of directories for user data, managing the Cloud Identity Engine application and users, managing the Cloud Identity Agent, associating the Cloud Identity Engine with Palo Alto Networks applications, and configuring user authentication methods.


Cloud Identity Engine Getting Started

November 2023

docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2018-2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
October 27, 2023

Cloud Identity Engine Getting Started November 2023 2 ©2023 Palo Alto Networks, Inc.
Table of Contents
Get Started with Cloud Identity Engine....................................................... 7
Learn About the Cloud Identity Engine................................................................................. 8
On-Premises Directory Configuration........................................................................ 8
Cloud-Based Directory Configuration.........................................................................9
User Authentication with Identity Providers.............................................................9
User Authentication with a Client Certificate...........................................................9
Plan Your Cloud Identity Engine Deployment................................................................... 10
Configure Your Network to Allow Cloud Identity Agent Traffic........................10
Configure Domains for the Cloud Identity Engine................................................ 11
Activate the Cloud Identity Engine.......................................................................................13
Manage Cloud Identity Engine App Roles.......................................................................... 18
Set Up the Cloud Identity Engine......................................................................................... 20

Choose Your Directory Type........................................................................ 21


Configure an On-Premises Directory...................................................................................22
Install the Cloud Identity Agent.................................................................................22
Configure the Cloud Identity Agent..........................................................................25
Authenticate the Agent and the Cloud Identity Engine....................................... 32
Configure a Cloud-Based Directory..................................................................................... 34
Configure Azure Active Directory............................................................................. 34
Configure Okta Directory............................................................................................71
Configure Google Directory........................................................................................97
Configure SCIM Connector for the Cloud Identity Engine............................... 109

Manage the Cloud Identity Engine App.................................................. 165


Cloud Identity Engine Tenants............................................................................................ 166
Create Cloud Identity Engine Tenants...................................................................166
View Cloud Identity Engine Tenants......................................................................170
Synchronize Cloud Identity Engine Tenants.........................................................173
Rename Cloud Identity Engine Tenants................................................................ 181
Delete Cloud Identity Engine Tenants...................................................................183
Delete Domains or Directories from Cloud Identity Engine Tenants............. 185
Cloud Identity Engine Attributes........................................................................................ 188
On-Premises Active Directory................................................................................. 188
Azure Active Directory.............................................................................................. 192
SCIM Directory............................................................................................................ 197
Okta Directory............................................................................................................. 199
Google Directory......................................................................................................... 201
On-Premises OpenLDAP........................................................................................... 204


Collect Custom Attributes with the Cloud Identity Engine.......................................... 208


View Directory Data.............................................................................................................. 211
Cloud Identity Engine User Context.................................................................................. 220
Create a Cloud Dynamic User Group................................................................................ 247
Configure Third-Party Device-ID........................................................................................259
Configure an IP Tag Cloud Connection............................................................................ 266

Manage the Cloud Identity Agent.............................................................273


Configure Cloud Identity Agent Logs................................................................................ 274
Search Cloud Identity Agent Logs.......................................................................... 274
Clear Cloud Identity Agent Logs............................................................................. 275
Update the Cloud Identity Agent....................................................................................... 276
Start or Stop the Connection to the Cloud Identity Engine......................................... 278
Remove the Cloud Identity Agent......................................................................................279
Manage Cloud Identity Engine Certificates......................................................................280
Revoke Cloud Identity Agent Certificates.............................................................281
Delete Obsolete Cloud Identity Agent Certificates............................................ 282

Associate the Cloud Identity Engine with Palo Alto Networks Apps........................... 285
Associate the Cloud Identity Engine During Activation................................................ 286
Associate the Cloud Identity Engine with an Existing App...........................................287

Authenticate Users with the Cloud Identity Engine............................. 289


Configure a SAML 2.0 Authentication Type....................................................................290
Configure Azure as an IdP in the Cloud Identity Engine................................... 291
Configure Okta as an IdP in the Cloud Identity Engine..................................... 300
Configure PingOne as an IdP in the Cloud Identity Engine.............................. 310
Configure PingFederate as an IdP in the Cloud Identity Engine...................... 323
Configure Google as an IdP in the Cloud Identity Engine................................. 330
Configure a Client Certificate..............................................................................................340
Set Up an Authentication Profile........................................................................................346
Configure Cloud Identity Engine Authentication on the Firewall or Panorama....... 358
Configure the Cloud Identity Engine as a Mapping Source on the Firewall or Panorama....... 364

Troubleshoot the Cloud Identity Engine................................................. 369


Cloud Identity Engine Troubleshooting Checklist...........................................................370
Troubleshoot Cloud Identity Engine Issues......................................................................373
Use the Log Viewer for Troubleshooting......................................................................... 374
Monitor Cloud Identity Engine Status............................................................................... 377


Get Help...........................................................................................................379
Related Documentation.........................................................................................................380
Request Support......................................................................................................................381


Get Started with Cloud Identity Engine
Welcome to the Cloud Identity Engine! Read the following topics to learn more about the Cloud
Identity Engine:
• Learn About the Cloud Identity Engine
• Plan Your Cloud Identity Engine Deployment
• Activate the Cloud Identity Engine
• Manage Cloud Identity Engine App Roles
• Set Up the Cloud Identity Engine

Get Started with Cloud Identity Engine

Learn About the Cloud Identity Engine


The Cloud Identity Engine provides both user identification and user authentication for a
centralized cloud-based solution in on-premises, cloud-based, or hybrid network environments.
The Cloud Identity Engine allows you to write security policy based on users and groups, not IP
addresses, and helps secure your assets by enforcing behavior-based security actions.
It also provides the flexibility to adapt to changing security needs and users by making it simpler
to configure an identity source or provider in a single unified source of user identity, allowing
scalability as needs change.
Continually syncing the information from your directories, whether they are on-premises,
cloud-based, or hybrid, ensures that your user information is accurate and up to date and that
policy enforcement continues based on the mappings even if the cloud identity provider is
temporarily unavailable.
To provide user, group, and computer information for policy or event context, Palo Alto Networks
cloud-based applications and services need access to your directory information. The Cloud
Identity Engine, a secure cloud-based infrastructure, provides Palo Alto Networks apps and
services with read-only access to your directory information for user visibility and policy
enforcement.
The components of the Cloud Identity Engine deployment vary based on whether the Cloud
Identity Engine is accessing an on-premises directory (such as Active Directory) or a cloud-based
directory (such as Azure Active Directory).
The authentication component of the Cloud Identity Engine allows you to configure a profile for
a SAML 2.0-compliant identity provider (IdP) that authenticates users by redirecting their access
requests through the IdP before granting access. You can also configure a client certificate for
user authentication. When you configure an Authentication policy and the Authentication Portal
on the Palo Alto Networks firewall, users must log in with their credentials before they can access
the resource.

On-Premises Directory Configuration


To use the Cloud Identity Engine with an on-premises Active Directory or OpenLDAP-based
directory, you need:
• to install the Cloud Identity agent on a Windows server (the agent host) and configure it to
connect to your on-premises directory and the Cloud Identity Engine.
• access to the Cloud Identity Engine app on the hub so you can manage your Cloud Identity
Engine tenants and Cloud Identity agents.
To collect attributes from your on-premises directory, install the Cloud Identity agent on an on-
premises Windows server that meets the Cloud Identity Engine system requirements. The agent
collects the attributes initially during tenant setup and then once every five minutes (based on the
system time on the agent host) if a sync is not already in progress, syncing them with the Cloud
Identity Engine so that your directory information is available to your Palo Alto Networks apps
and services.
To collect attributes from your on-premises directory and synchronize them with the Cloud
Identity Engine:


• The agent can use TLS 1.1, TLS 1.2, or TLS 1.3 to communicate with the Cloud Identity Engine
to synchronize your attributes so that your directory information is available to your associated
Cortex apps and services.
• The agent host can use TLS 1.1, TLS 1.2, or TLS 1.3 to communicate with the on-premises
directory to collect the attributes.

We strongly recommend that you configure TLS 1.3 for all Cloud Identity Engine traffic.
Version 1.7.0 and later versions of the agent use the latest TLS version by default.

To ensure secure transmission for the attributes, the data is encrypted end-to-end during
transmission to the Cloud Identity Engine and on the agent host. The Cloud Identity Engine locally
encrypts all agent data and immediately removes the encrypted local data after transmission is
complete.
To set up the Cloud Identity Engine, you will need to log in to the Cloud Identity Engine app on
the hub to generate a certificate to Authenticate the Agent and the Cloud Identity Engine and
configure other aspects of the Cloud Identity Engine.

Cloud-Based Directory Configuration


To use the Cloud Identity Engine with a cloud-based directory such as Azure Active Directory
(Azure AD), you must grant permission for the Cloud Identity Engine to access your directory
when you Configure a Cloud-Based Directory for the Cloud Identity Engine. You do not need to
install or configure a Cloud Identity agent to collect attributes from a cloud-based directory.

User Authentication with Identity Providers


To authenticate users, configure a profile for a SAML 2.0-compliant identity provider (IdP) such as
Google, Azure, Okta, PingOne, or PingFederate in the Cloud Identity Engine.
On the firewall, configure an Authentication policy that requires users to log in using
Authentication Portal to access resources such as the internet. When the firewall receives this
type of request, it redirects the request to the Cloud Identity Engine, which reroutes the request
to the IdP you configure.
After the user logs in successfully, the firewall grants access to the resource. The Cloud Identity
Engine provides flexibility as a user identity management solution by allowing you to configure
multiple types of IdPs and making it easier to scale them as needs change.

User Authentication with a Client Certificate


You can configure a client certificate using a certificate authority (CA) chain in addition to SAML
2.0 authentication or as an alternate method for user authentication. CIE supports grouping
multiple CA chains in a certificate type, which can be used to authenticate client certificates
issued by multiple CA chains.


Plan Your Cloud Identity Engine Deployment


Review the following topics to learn how to best plan your deployment of the Cloud Identity
Engine:
• Configure Your Network to Allow Cloud Identity Agent Traffic
• Configure Domains for the Cloud Identity Engine

Configure Your Network to Allow Cloud Identity Agent Traffic


Depending on your network configuration and Cloud Identity Engine deployment type, allow the
traffic for the agent (if you have an on-premises directory), your directory, and the Cloud Identity
Engine.

Based on your region, allow traffic to the hostname for the region. To determine what region-
based traffic to allow, refer to the table in Configure the Cloud Identity agent.

Use the ssl App-ID in your Security policy (following our recommended Decryption Best
Practices guidelines) to allow traffic to the Cloud Identity Engine.

If you have deployed a Palo Alto Networks firewall between the agent and the Cloud Identity
Engine:

The Cloud Identity agent version 1.7.0 and previous versions require direct reachability
to the regional agent configuration endpoint and don't support proxy servers between
the agent and the endpoint. If your network configuration uses a proxy server, you
must update the Cloud Identity agent to version 1.7.1 or later.

Use the paloalto-cloud-identity App-ID to allow traffic from the Cloud Identity
agent to the Cloud Identity Engine. This App-ID requires the ssl and web-browsing
application signatures.
Allow Cloud Identity agent traffic from the specified ports to the following URLs.
http://crl.godaddy.com on port 80.
http://ocsp.godaddy.com on port 80.
https://certs.godaddy.com on port 443.
If you’re using Secure Socket Layer (SSL) decryption on the firewall, exclude the traffic
between the agent and the Cloud Identity Engine from SSL decryption to allow the mutual
authentication between the agent and the service.


If you have deployed a Palo Alto Networks firewall between the agent and the Active
Directory:
Depending on which protocol you select when you configure the Cloud Identity agent, use
one of the following App-IDs to allow traffic from the Cloud Identity agent to your domain
controllers.
If the agent uses the LDAP protocol, use the ldap App-ID.
If the agent uses the LDAPS or LDAP with STARTTLS protocol, use the ssl App-ID.

If you're using a non-Palo Alto Networks firewall:


Allow LDAP or LDAPS traffic to the LDAP or LDAPS port from the Cloud Identity agent to
your Active Directory or Domain Controller.
Allow HTTPS traffic from the Cloud Identity agent on port 443 to your Cloud Identity
Engine destination URL. You need to allow traffic only for the region that you specify for
your tenant and you need to allow traffic for multiple regions only if you have tenants in
multiple regions. For the region-specific agent configurations, refer to Configure the Cloud
Identity agent.
Allow traffic from the Cloud Identity agent from the specified ports to the following URLs.
http://crl.godaddy.com on port 80.
http://ocsp.godaddy.com on port 80.
https://certs.godaddy.com on port 443.

Configure Domains for the Cloud Identity Engine


On-Premises Active Directory Domains
A single Cloud Identity agent can communicate with multiple domains. The service account you
use to query the Active Directory must have permission to query all domains you configure on
the agent. We recommend configuring multiple domain controllers for each domain so that if a
domain controller is unavailable, the agent can try the next available domain controller.
To ensure agent redundancy for a domain, configure multiple agents for that domain. The server
hosting the agent should be physically located near the domain controllers from which the agent
will collect attributes. If the domain controllers are in different locations, we recommend that you
configure multiple agents and install each agent on a host server that is physically located near the
domain controllers from which the agent will collect attributes.
To obtain cross-domain memberships for groups with members from other domains in the forest,
configure those domains on the Cloud Identity agent(s). In this scenario, you must configure the
agent to connect to the domain controllers using the LDAP or LDAPS port (by default, 389 and
636 respectively).

When you configure the Active Directory in the Cloud Identity agent, do not configure the
agent to use the Global Catalog port (3268 for LDAP or 3269 for LDAPS).


Azure Active Directory Domains


Ensure that your Azure Active Directory (Azure AD) does not contain any circular references,
where a group is a direct or indirect member of itself (for example, Group 2 is a member of Group
1 and Group 1 is a member of Group 2). If your Azure AD contains circular references, the Cloud
Identity Engine cannot accurately populate the membership of the groups and you must change
the membership of the groups to remove the circular references. After removing the circular
references, sync the attributes to verify that the Cloud Identity Engine can successfully collect the
attributes.

To successfully sync the attributes from Azure AD, the Cloud Identity Engine
automatically removes circular references. If you do not make any changes, the Cloud
Identity Engine is still operational and other applications, such as Prisma Access, can
successfully retrieve data from the Cloud Identity Engine, but the membership of the
circular groups may not be correctly computed in Cloud Identity Engine. Therefore, we
strongly recommend that you manually remove any circular references from the Azure AD
to ensure the Cloud Identity Engine operates as expected.
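Group-in-group cycles of the kind described above can be found before a sync with a short graph check over the group memberships. The following is an added example, not code from the Cloud Identity Engine documentation or product; the membership data is constructed, and a real check would load it from an export of your directory's group memberships.

```python
"""Find circular group references (a group that is a direct or indirect
member of itself) in a group-in-group membership graph.

Added example, not part of the Cloud Identity Engine documentation. The
membership data is constructed; a real check would load it from an export
of your directory's group memberships.
"""
from collections import defaultdict

# Constructed sample. Keys are groups; values are the groups that are
# members of that group (user members are omitted, they cannot form cycles).
# "Group 2 is a member of Group 1 and Group 1 is a member of Group 2"
# reproduces the circular reference described in the text.
SAMPLE_GROUP_MEMBERS = {
    "Group 1": ["Group 2", "Finance"],
    "Group 2": ["Group 1"],
    "Finance": ["Finance-Payables"],
    "Finance-Payables": [],
    "Engineering": ["Platform", "Security"],
    "Platform": ["Security"],  # diamond shape: shared member, not a cycle
    "Security": [],
}

WHITE, GREY, BLACK = 0, 1, 2  # unvisited, on the current path, finished


def find_circular_references(group_members):
    """Return each cycle as a list of group names that starts and ends with
    the same group, e.g. ['Group 1', 'Group 2', 'Group 1']. An empty list
    means the directory has no circular references."""
    color = defaultdict(int)  # every group starts WHITE
    path = []                 # groups on the current depth-first path
    cycles = []

    def visit(group):
        color[group] = GREY
        path.append(group)
        for member in group_members.get(group, []):
            if color[member] == GREY:
                # member is already on the path: closing it is a cycle
                cycles.append(path[path.index(member):] + [member])
            elif color[member] == WHITE:
                visit(member)
        path.pop()
        color[group] = BLACK

    # sorted() makes the output order deterministic across runs
    for group in sorted(group_members):
        if color[group] == WHITE:
            visit(group)
    return cycles


def transitive_member_groups(group_members, group):
    """All groups nested under `group`, at any depth. The visited set keeps
    the walk finite even when a cycle is present, but a cyclic group then
    shows up as a member of itself, which is why membership of such groups
    cannot be computed accurately."""
    seen, todo = set(), list(group_members.get(group, []))
    while todo:
        member = todo.pop()
        if member in seen:
            continue
        seen.add(member)
        todo.extend(group_members.get(member, []))
    return seen


def groups_with_unreliable_membership(group_members):
    """Groups that are in a cycle or nest a cyclic group: treat their
    computed membership as suspect until the cycle is removed."""
    in_cycle = {g for cycle in find_circular_references(group_members) for g in cycle}
    return {g for g in group_members
            if g in in_cycle or transitive_member_groups(group_members, g) & in_cycle}


if __name__ == "__main__":
    for cycle in find_circular_references(SAMPLE_GROUP_MEMBERS):
        print("circular reference:", " -> ".join(cycle))
    print("review membership of:",
          sorted(groups_with_unreliable_membership(SAMPLE_GROUP_MEMBERS)))
```

Run it against a fresh export after each membership change to confirm the cycle is gone before you sync the attributes again.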


Activate the Cloud Identity Engine


Activate the Cloud Identity Engine in the hub to create your first tenant.

If you use Common Services: Tenant and Subscription management, refer to the
Common Services: Tenant and Subscription management documentation to activate the
Cloud Identity Engine or share it with other tenants.

STEP 1 | Log in to the hub.


If you don’t see the Cloud Identity Engine, verify that you are using the tenant view then click
Explore Apps from Palo Alto Networks.


STEP 2 | Activate the Cloud Identity Engine.


If the Activate button is not available, ensure your role has the necessary privileges. For more
information about Cloud Identity Engine roles, refer to Manage Cloud Identity Engine App
Roles.

The Cloud Identity Engine supports alphanumeric characters, underscores (_), hyphens
(-), and periods (.) for the tenant name.


STEP 3 | Select the information for your Cloud Identity Engine tenant.
1. Select the Customer Support Account for the tenant.

2. Select the Region where the tenant is located.

If you want to configure an on-premises Active Directory for the Cloud Identity
Engine, the region you select must match the region info you enter for the Cloud
Identity Engine in the Cloud Identity Configuration when you Configure the
Cloud Identity Agent.


3. After you Agree to the Terms and Conditions, click Activate Now to activate your Cloud
Identity Engine tenant.


STEP 4 | Open the Cloud Identity Engine app to begin configuring your Cloud Identity Engine app.
Depending on whether you want to use the Cloud Identity Engine for user identification, user
authentication, or both, complete the following initial configuration tasks to begin using the
Cloud Identity Engine for user visibility and policy enforcement. For more information, refer to
Set Up the Cloud Identity Engine.
• Choose Your Directory Type—Set up a directory to allow the Cloud Identity Engine to
collect information for user visibility and policy enforcement.
• Authenticate Users with the Cloud Identity Engine—Configure an authentication method to
support user authentication with the Cloud Identity Engine.


Manage Cloud Identity Engine App Roles


App roles determine the privileges that users have and how they can use the Cloud Identity
Engine app. For more information on roles, refer to the Common Services documentation. To
configure a role:
1. Select Common Services > Identity & Access.
2. Select the tenant containing the user whose role you want to assign (if it's not already
selected).
3. Select a user and click Assign Roles.
4. To Add Access, select Cloud Identity Engine from the list of Apps & Services.
5. Select the appropriate Role for the user based on the user's access needs, as described in the
following table.

Role                       Description

View Only Administrator    This role allows users to view all available data for the tenant in the Cloud Identity Engine, including detailed Active Directory (AD) data.

Deployment Administrator   This role provides access to deployment functionality and view-only access to other functions. This role allows users to view AD summary data but they can't view or query detailed AD data.

MSP Superuser              This role provides full viewing and editing privileges for all functions for all tenants in a multitenant hierarchy. Assign this role only to users or service accounts who need unrestricted access to the Managed Service Provider (MSP) portal.

Superuser                  This role provides full viewing and editing privileges for all available functions system-wide. It includes all privileges for all other roles. Assign this role only to users or service accounts who need unrestricted privileges.


If a user has multiple roles in the Managed Service Provider (MSP) portal, the user is
granted the privileges of the role that includes all of the privileges granted by each of the
user's roles.
For example, if a user has the View Only Administrator role and the Deployment
Administrator role for the Cloud Identity Engine, the Deployment Administrator role
grants management privileges without the ability to view or query detailed data, while
the View Only Administrator role grants privileges to view all Cloud Identity Engine data,
including detailed data. To allow the privileges granted by both of these roles, a user who
has both of these roles is granted the same privileges as a user with the Superuser role,
which allows full viewing and editing privileges.


Set Up the Cloud Identity Engine


After you Activate the Cloud Identity Engine, complete the following steps to set up and
configure the Cloud Identity Engine:
Choose Your Directory Type—Select the type of directory that you want the Cloud Identity
Engine to access.
• Configure an On-Premises Directory—Learn how to configure the Cloud Identity agent to
communicate with your on-premises Active Directory or OpenLDAP-based directory and
the Cloud Identity Engine.
• Configure a Cloud-Based Directory—Learn how to configure a cloud-based directory (such as
Azure Active Directory or Okta Directory) for the Cloud Identity Engine.
Authenticate Users with the Cloud Identity Engine—Find out the necessary steps to
configure user authentication in the Cloud Identity Engine for a single-source identity
solution.
• Configure a SAML 2.0 Authentication Type—Learn how to configure SAML 2.0-compliant
identity providers (IdPs) in the Cloud Identity Engine to enable user authentication.
• Configure a Client Certificate—Configure a client certificate using a certificate authority
(CA) chain in addition to SAML 2.0 authentication or as an alternate method for user
authentication.
• Set Up an Authentication Profile—After you configure how you want to authenticate users
(SAML 2.0 authentication, client certificate, or both), create an authentication profile to
configure details such as specifying particular authentication methods for certain groups or
directories.
• Configure Cloud Identity Engine Authentication on the Firewall or Panorama—Find out how
to configure an Authentication profile on the Palo Alto Networks firewall or Panorama to
enforce authentication using the Cloud Identity Engine.
Associate the Cloud Identity Engine with Palo Alto Networks Apps—Share the directory
information in your Cloud Identity Engine tenant with other Palo Alto Networks applications.

If you are using the tenant account view in the hub, association is not necessary for a
tenant service group (TSG). For more information, refer to the Hub Getting Started
guide.
Manage the Cloud Identity Engine App—Create, view, rename, delete, and synchronize your
Cloud Identity Engine tenants and view the list of attributes that the Cloud Identity Engine
collects.

Choose Your Directory Type
After you activate the Cloud Identity Engine, select the directory type you want to configure:
• Configure an On-Premises Directory
• Configure a Cloud-Based Directory

Choose Your Directory Type

Configure an On-Premises Directory


After you activate your Cloud Identity Engine tenant, install and configure a Cloud Identity agent
to communicate with your on-premises Active Directory or OpenLDAP-based directory, then
generate a certificate to authenticate communication between the agent and the Cloud Identity
Engine.
• Install the Cloud Identity Agent
• Configure the Cloud Identity Agent
• Authenticate the Agent and the Cloud Identity Engine

Install the Cloud Identity Agent


Before installing the Cloud Identity agent, verify that the time on the agent host is correct
and synced to a valid NTP server. If the time on the server host is incorrect, the Cloud
Identity Engine may not be able to sync your directory attributes successfully.

After you activate your Cloud Identity Engine tenant, download the Cloud Identity agent from
the Cloud Identity Engine app on the hub and install it on a supported directory server. Palo Alto
Networks strongly recommends using TLS 1.3. If TLS 1.2 is not already enabled on the Windows
server that will host the agent, install the update to enable TLS 1.2 before you install the agent.

Because the User-ID agent and the Cloud Identity agent require the same port, you must
use a dedicated host for each agent type. Do not install both agent types on the same
host.

STEP 1 | Log in to the hub and select the Cloud Identity Engine app.


STEP 2 | Select Directories then click Add New Directory.

STEP 3 | Set Up an On-Premises Directory.


STEP 4 | Click Download Agent.

STEP 5 | When the download is complete, open the DaInstall.msi installation file for the agent on the
Windows server where you plan to install the agent.
For a list of supported servers, see the Cloud Identity Engine system requirements.

If you are also using the Terminal Server (TS) agent, we recommend that you do not
install the Cloud Identity agent on the same host as the TS agent. If you must install
both agents on the same host, you must change the default listening port on the TS
agent.

STEP 6 | Follow the prompts in the installation wizard to install the agent.

STEP 7 | Navigate to the location of the Cloud Identity agent.


The default location is C:\Program Files (x86)\Palo Alto Networks\Cloud Identity Agent\.

STEP 8 | Double-click the CloudIdAgentController.exe file to launch the Cloud Identity agent.
Starting the agent also starts the Cloud Identity Engine, which runs in the background on the
server hosting the Cloud Identity agent until you stop the connection to the Cloud Identity
Engine.

Next Steps
• After you have installed the Cloud Identity agent on the host, Configure the Cloud Identity
Agent to communicate with both your directory and the Cloud Identity Engine.
• After configuring the agent, make sure to Authenticate the Agent and the Cloud Identity
Engine to enable communication between the agent and the Cloud Identity Engine.
• For a comprehensive user identity and authentication solution, learn how to Authenticate
Users with the Cloud Identity Engine.


Configure the Cloud Identity Agent


Avoid configuring the agent for the first time during the daily certificate revocation list
(CRL) reload time (9:00-10:00 PM/21:00-22:00 CDT for US or CEST for EU). If you
configure the agent and the initial attribute sync occurs at this time but isn’t successful,
wait a few minutes, then Synchronize All Attributes to ensure the attributes are
synchronized with your tenant.

After you download the agent from the Cloud Identity Engine app and Install the Cloud Identity
Agent on a supported Windows server, configure the agent to establish a connection with your
Active Directory or OpenLDAP-based directory and the Cloud Identity Engine so that it can
collect all of the attributes from the Active Directory during the initial setup. In the Cloud Identity
Engine app, you can optionally Synchronize Cloud Identity Engine Tenants instantly to ensure
attribute and other directory changes are available in the Cloud Identity Engine.

The minimum required permissions for the service account are the ability to create
LDAP bind requests (LDAP protocol version, the DN for the account, and the account
credentials) and the IP address or domain for the directory.

STEP 1 | If you haven’t already done so, Configure Your Network to Allow Cloud Identity Agent
Traffic.

STEP 2 | Install the certificate authority (CA) certificate used to sign the certificate used by the
directory in the Local Computer Trusted root CA certificate store of the agent host.
You must complete this step if the server that hosts the agent doesn't already have the
CA certificate of the domain controller or the CA certificate of the issuer of the domain
controller's certificate.

STEP 3 | On the agent host, launch the Cloud Identity agent (Start > Palo Alto Networks > Cloud
Identity Agent).

Don’t manually edit configuration files for the agent. Manually editing the agent
configuration files might cause unexpected behavior.


STEP 4 | Select Cloud Identity Configuration and enter the regional agent configuration endpoint for
the Cloud Identity Engine that matches the region that the corresponding Cloud Identity
Engine tenant uses.

Region                      Agent Configuration

United States (US)          agent-directory-sync.us.paloaltonetworks.com
European Union (EU)         agent-directory-sync.eu.paloaltonetworks.com
United Kingdom (UK)         agent-directory-sync.uk.paloaltonetworks.com
Singapore (SG)              agent-directory-sync.sg.paloaltonetworks.com
Canada (CA)                 agent-directory-sync.ca.apps.paloaltonetworks.com
Japan (JP)                  agent-directory-sync.jp.apps.paloaltonetworks.com
Australia (AU)              agent-directory-sync.au.apps.paloaltonetworks.com
Germany (DE)                agent-directory-sync.de.apps.paloaltonetworks.com
United States - Government  agent-directory-sync.gov.apps.paloaltonetworks.com
India (IN)                  agent-directory-sync.in.apps.paloaltonetworks.com
Switzerland (CH)            agent-directory-sync.ch.apps.paloaltonetworks.com
Spain (ES)                  agent-directory-sync.es.apps.paloaltonetworks.com
Italy (IT)                  agent-directory-sync.it.apps.paloaltonetworks.com
France (FR)                 agent-directory-sync.fr.apps.paloaltonetworks.com
China (CN)                  agent-directory-sync.cn.apps.prismaaccess.cn
                            This region is only accessible in the Cloud Identity Engine
                            within the specified region.
Poland (PL)                 agent-directory-sync.pl.apps.paloaltonetworks.com
Qatar (QA)                  agent-directory-sync.qa.apps.paloaltonetworks.com
Taiwan (TW)                 agent-directory-sync.tw.apps.paloaltonetworks.com
Israel (IL)                 agent-directory-sync.il.apps.paloaltonetworks.com
Indonesia (ID)              agent-directory-sync.id.apps.paloaltonetworks.com

STEP 5 | (Optional) If your network configuration uses a proxy server, enter the Proxy IP Server and
Port (optional) to allow the Cloud Identity agent to use a secure mTLS connection to tunnel
the agent traffic through the proxy server.

Enter the proxy server's IP address in <IP_Address>:<Port> format, where
<IP_Address> represents the IP address of the proxy server and <Port> represents the
port number.


STEP 6 | Configure the LDAP Configuration to allow the agent to communicate with your on-
premises directory.
To learn how to collect attributes from multiple domains, see Configure Domains for the Cloud
Identity Engine.

1. Enter the Bind DN for the service account you want to bind to your directory (for
example, CN=admin,OU=IT,DC=domain1,DC=example,DC=com).


If you don't know the DN of the service account, enter the following command
in the command prompt on the Active Directory server: dsquery user -name username
(where username is the service account login name). Be sure to delete the quotation
marks if you copy the DN from the command output.
2. Enter the Bind Password to authenticate the session.
The Bind Password is saved in encrypted format in the Windows credential store, not
the configuration file. If you delete the LDAP configuration for the server and commit
the changes, you must re-enter the password.
3. Select a Protocol:
• LDAP—Connect to the directory using the default unencrypted LDAP protocol on
port 389.
• LDAPS—(Default) Connect to the directory server using LDAP over SSL (LDAPS) on
port 636. This option requires a CA certificate in the Local Computer certificate store
on the agent host or in the Trusted Root CA store for your directory.
• LDAP with STARTTLS—Connect to the directory server using LDAPv3 Transport
Layer Security (TLS) on port 389. This option requires a CA certificate in the Local
Computer certificate store on the agent host or in the Trusted Root CA store for your
directory.

STEP 7 | Verify that the Bind Timeout value will allow enough time for the agent to connect to your
on-premises directory.
The default is 30 seconds and the range is from 1-60 seconds. When the timeout limit is
reached, the agent attempts to connect to the next domain controller in the sequence for that
domain.

STEP 8 | Verify that the Search Timeout value will allow enough time for the LDAP query to
complete.
The default is 15 seconds and the range is 1-120 seconds. If the timeout occurs, the search
stops and the timeout error is included in the debug logs. If you Configure Cloud Identity
Agent Logs to Information, any partial results retrieved by the Cloud Identity Engine are
deleted. If the log level is set to Debug or higher, the results might not be deleted, but they
aren’t used by the agent.


STEP 9 | Add your on-premises directory.

If you must use a custom value for the MaxValRange attribute in your LDAP query
policy rule, use a value that doesn't end in 65 so that the Cloud Identity Engine
can calculate group membership correctly.

1. (Optional) Enter the Name (optional) for your directory.


2. Enter the fully qualified Domain name for your directory.
You can configure up to 20 domains for each agent.
3. Enter the IP address or fully qualified domain name (FQDN) as the Network Address for
your directory.

If you enter an FQDN, it must be the complete original FQDN for that IP
address (for example, if the FQDN is example.hr.com, you must enter
example.hr.com, not just example.com).
4. (Optional) Enter the Port (optional) number for your directory.

Don’t configure the agent to use the Global Catalog port (3268 for LDAP or
3269 for LDAPS).

If you don’t enter a port number, the agent uses the following default ports:
• 636 for LDAPS


• 389 for LDAP or LDAP with STARTTLS


5. (Required for OpenLDAP) Enter the Base DN (base Distinguished Name) for your
directory.

OpenLDAP requires the Base DN; without the Base DN, directory searches can’t
complete successfully.
When you enter the Base DN, use the domainComponent format (for example,
DC=example, DC=com).
6. Select your directory Type.
• OpenLDAP—Configure the agent to use an OpenLDAP-based directory server.

The Cloud Identity Engine supports OpenLDAP groups with the following
ObjectClass: groupsOfUniqueNames. When configuring another
application (for example, GlobalProtect) with the Cloud Identity Engine for
an OpenLDAP-based directory, specify the Common-Name as the Primary
Name. By default, the Cloud Identity Engine uses the sAMAccountName.
• Active Directory—Configure the agent to use an Active Directory directory server.
7. (Optional but recommended) To confirm the agent can successfully connect to your
Active Directory, you can Test Connectivity to Directory. The agent verifies that it
can successfully connect to the domain and validates the NetBIOS name based on the
domain.
8. Click OK.

When you add an on-premises directory, the Cloud Identity agent automatically
attempts to complete a full synchronization of all domains, including existing
domains, so confirm the agents are active and all configured domains are active
before adding a new domain to the agent. If an inactive domain is no longer
necessary, delete the domain from your configuration.
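The constraints that Steps 6 through 9 state (protocol and default ports, the Global Catalog ports to avoid, the timeout ranges, the Base DN format for OpenLDAP, the 20-domain limit, the MaxValRange rule) collected into a pre-commit check, plus a live LDAPS trust check that exercises the CA requirement from Step 2. This is an added example, not Palo Alto Networks code; the dictionary field names and the `check_ldaps_trust` helper are assumptions.

```python
"""Pre-commit checks for a Cloud Identity agent LDAP configuration.

Added example (not Palo Alto Networks code). The dictionary layout and the
field names are assumptions; the limits are those stated in Steps 6-9 above.
"""
import socket
import ssl

# Defaults and limits stated in the configuration steps.
DEFAULT_PORTS = {"LDAP": 389, "LDAPS": 636, "LDAP with STARTTLS": 389}
GLOBAL_CATALOG_PORTS = {3268, 3269}    # never point the agent at these
BIND_TIMEOUT_RANGE = (1, 60)           # default 30 seconds
SEARCH_TIMEOUT_RANGE = (1, 120)        # default 15 seconds
MAX_DOMAINS_PER_AGENT = 20


def is_dc_format(base_dn: str) -> bool:
    """True when every RDN of the Base DN is a domainComponent (DC=...)."""
    parts = [p.strip() for p in base_dn.split(",") if p.strip()]
    return bool(parts) and all(p.upper().startswith("DC=") and len(p) > 3 for p in parts)


def validate_ldap_config(cfg: dict) -> list:
    """Return human-readable findings; an empty list means every constraint
    from the steps above is satisfied."""
    findings = []
    proto = cfg.get("protocol", "LDAPS")          # LDAPS is the agent default
    default_port = DEFAULT_PORTS.get(proto)
    if default_port is None:
        findings.append(f"unknown protocol {proto!r}")

    bind_dn = cfg.get("bind_dn", "")
    # dsquery wraps the DN in quotation marks; they must be removed before use.
    if bind_dn.startswith('"') or bind_dn.endswith('"'):
        findings.append("bind_dn still contains the quotation marks from dsquery output")
    elif "=" not in bind_dn:
        findings.append("bind_dn is not a distinguished name")

    for name, (lo, hi) in (("bind_timeout", BIND_TIMEOUT_RANGE),
                           ("search_timeout", SEARCH_TIMEOUT_RANGE)):
        val = cfg.get(name)
        if val is not None and not lo <= val <= hi:
            findings.append(f"{name}={val} is outside the allowed range {lo}-{hi} seconds")

    domains = cfg.get("domains", [])
    if len(domains) > MAX_DOMAINS_PER_AGENT:
        findings.append(f"{len(domains)} domains configured; the limit is {MAX_DOMAINS_PER_AGENT} per agent")
    for d in domains:
        label = d.get("domain", "<unnamed>")
        port = d.get("port")
        if port in GLOBAL_CATALOG_PORTS:
            findings.append(f"{label}: port {port} is a Global Catalog port; use {default_port} or leave the port empty")
        if d.get("type") == "OpenLDAP":
            base_dn = d.get("base_dn", "")
            if not base_dn:
                findings.append(f"{label}: OpenLDAP requires a Base DN")
            elif not is_dc_format(base_dn):
                findings.append(f"{label}: Base DN must use domainComponent format (DC=example,DC=com)")
        mvr = d.get("max_val_range")
        if mvr is not None and mvr % 100 == 65:   # "a value that doesn't end in 65"
            findings.append(f"{label}: MaxValRange {mvr} ends in 65; group membership may be calculated incorrectly")
    return findings


def check_ldaps_trust(host: str, port: int = 636, cafile: str = None, timeout: float = 5.0) -> dict:
    """Live check (network; not exercised by the offline sample): complete a TLS
    handshake with the directory and validate its certificate chain against
    cafile (or the host's default trust store when None). Raises
    ssl.SSLCertVerificationError when the issuing CA is not trusted, which is
    the condition Step 2 above (installing the CA certificate) prevents."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample configuration mirroring the example values in Step 6.
SAMPLE_CONFIG = {
    "protocol": "LDAPS",
    "bind_dn": "CN=admin,OU=IT,DC=domain1,DC=example,DC=com",
    "bind_timeout": 30,
    "search_timeout": 15,
    "domains": [
        {"domain": "domain1.example.com", "network_address": "dc1.domain1.example.com",
         "type": "Active Directory"},
    ],
}

if __name__ == "__main__":
    for finding in validate_ldap_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```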

STEP 10 | Commit the changes to restart the agent and apply the configuration.
The agent will connect to your directory to collect the attributes and to the Cloud Identity
Engine to share the attributes with the Palo Alto Networks cloud-based apps.


STEP 11 | To confirm the agent is able to connect to your on-premises directory and the Cloud Identity
Engine, log in to the Cloud Identity Engine app, select the tenant, then select Directories to
verify the following information:
• The domains currently monitored by the Cloud Identity Engine and each domain’s NetBIOS
name.
• The sync status of the most recent attribute collection update from the directory (for
example, In Progress or Successful).
• When the last successful attribute collection update from the directory occurred.
• The number of users, computers, groups, containers, and organizational units (OUs) in the
domains monitored by the Cloud Identity Engine.

STEP 12 | (Optional but recommended) Configure an additional agent for high availability (HA).
You can configure HA for the Cloud Identity Engine by configuring two or more agents to
collect attributes from the same domain in the same tenant. The configuration for each agent
must be identical. We recommend this configuration to ensure that if an agent is temporarily
unavailable, any in-progress syncs complete successfully and service isn’t interrupted. If the
Cloud Identity Engine fails to connect to an agent, it searches for the next available agent.
The Cloud Identity Engine communicates with only one agent at a time and the agents don’t
communicate with each other.

Next Steps
• After you’ve configured the agent, you can optionally Configure Cloud Identity Agent Logs to
track the agent events you want to monitor.
• For a comprehensive user identity and authentication solution, learn how to Authenticate
Users with the Cloud Identity Engine.

Authenticate the Agent and the Cloud Identity Engine


The Cloud Identity Engine and the Cloud Identity agent use a certificate for mutual authentication
(i.e., the agent authenticates the service and the service authenticates the agent) over Transport
Layer Security (TLS). If the certificate is valid, the agent connects to the Cloud Identity Engine. If
the certificate is not valid, the Cloud Identity Engine rejects the connection.
To authenticate the Cloud Identity Engine and the Cloud Identity agent, generate a Cloud Identity
Engine certificate using the Cloud Identity Engine app and import it to the Local Computer
certificate store on the Windows server that hosts the agent. Each certificate expires three
months from the issuance date. Cloud Identity agent version 1.5.0 and later automatically
renews the certificate before it expires.
Each agent must use a unique certificate to authenticate with the service. Only use the certificate
for the agent in the selected tenant. Generate certificates on an as-needed basis and do not use
the certificate for other services or share them between agents. You can generate up to 5 unused
certificates and up to 100 total certificates per tenant. You can only use the certificate for the
specified tenant and you can only associate the certificate with one agent.
STEP 1 | Enter a unique Certificate Name.
The name must be between 5 and 128 alphanumeric characters.


STEP 2 | Enter a secure password in the Create Password and Re-enter Password fields.
The password must be between 12 and 25 characters. You will need to enter this password
when you install the certificate on the agent host.

STEP 3 | Click Download Certificate.

STEP 4 | Store the certificate in the Local Computer Personal certificate store on the agent host.
For more information on how to store certificates, see the following link.
After the agent authenticates with the Cloud Identity Engine, it provides the directory
attributes to the service. The service then shares the attributes with the apps that you associate
with the Cloud Identity Engine for visibility and policy enforcement. For more information, refer to
Manage Cloud Identity Engine Certificates.

Next Steps
• Use the Cloud Identity Engine app to create, view, delete, rename, or synchronize tenants and
to view or customize the attributes that the Cloud Identity Engine collects.
• Learn how to manage the Cloud Identity agent by logging agent events, managing the
certificates that the agent uses, starting or stopping the agent’s connection to the Cloud
Identity Engine, and updating or removing the agent.


Configure a Cloud-Based Directory


After you activate your Cloud Identity Engine tenant, configure a cloud-based directory, such as
Azure Active Directory (Azure AD), Okta Directory, or Google Directory, to communicate with the
Cloud Identity Engine.
To use the System for Cross-domain Identity Management (SCIM) provisioning to customize
which attributes your Azure AD shares with the Cloud Identity Engine, you can configure the
SCIM Connector.
If the connection between your directory and the Cloud Identity Engine is not active, you can
reconnect your directory. If you no longer want to associate a directory with the Cloud Identity
Engine, learn how to revoke the permissions for that directory.
• Configure Azure Active Directory
• Deploy or Migrate to Client Credential Flow for Azure AD
• Reconnect Azure Active Directory
• Revoke Cloud Identity Engine Permissions for Azure Active Directory
• Configure Okta Directory
• Reconnect Okta Directory
• Remove Okta Directory
• Configure Google Directory
• Reconnect Google Directory
• Remove Google Directory
• Configure SCIM Connector for the Cloud Identity Engine

Configure Azure Active Directory


Configure an Azure Active Directory (Azure AD) in the Cloud Identity Engine to allow the Cloud
Identity Engine to collect data from your Azure AD for policy rule enforcement and user visibility.

To configure an Azure AD in the Cloud Identity Engine, you must have at least the
following role privileges in Azure AD: Application Administrator and Cloud Application
Administrator. For more information about roles in Azure AD, refer to the following link.

As an alternative, you can also Configure SCIM Connector for the Cloud Identity Engine to select
the attribute data you want to collect with the Cloud Identity Engine.
STEP 1 | Log in to the hub and select the Cloud Identity Engine app.

STEP 2 | In the Cloud Identity Engine app, select Directories > Add Directory.


STEP 3 | Set Up a Cloud Directory and select Azure.

If you have an Azure AD in a government environment, select Azure Government and
refer to Configure the Cloud Identity Agent if you're using the Cloud Identity agent
for an on-premises directory and Configure Cloud Identity Engine Authentication
on the Firewall or Panorama if you want to authenticate your users with the Cloud
Identity Engine. For more information, contact your support representative.


STEP 4 | Select the method you want to use to log in to your Azure AD.

Palo Alto Networks strongly recommends the client credential flow, as this method allows
you to use an Azure AD service account for the Cloud Identity Engine app. Using the client
credential flow requires you to configure your Azure AD with the necessary permissions, so
ensure you’ve completed all of the predeployment steps necessary to Deploy or Migrate to
Client Credential Flow for Azure AD.
• Auth Code Flow—To make changes to your Azure AD in the Cloud Identity Engine, you
must log in to the Azure AD.
• (Default) Client Credential Flow—By granting the required permissions in advance, you do
not need to log in to the Azure AD to make changes to that directory in the Cloud Identity
Engine.

If you select this option, you must copy the Directory ID from the Azure Portal and
configure the following permissions for the user’s account:
• Directory.Read.All
• Organization.Read.All
For more information, refer to Deploy or Migrate to Client Credential Flow for
Azure AD.


STEP 5 | Select whether you want to Collect user risk information from Azure AD Identity Protection
to use in attribute-based Cloud Dynamic User Groups.

If you select this option, you must grant additional permissions for the Cloud Identity
Engine in the Azure AD Portal. For more information, refer to the documentation for
Cloud Dynamic User Groups.


STEP 6 | Select whether you want to Collect enterprise applications data so that it displays when
you View Directory Data. If you don't want to collect the application data or you don't use
application data in your security policy, deselect the checkbox to decrease the sync time.

For beta users of this feature, the Cloud Identity Engine continues collecting enterprise
application data for any directories configured in your tenant during the beta and no
further configuration is required. If you configure a new directory, you must select
whether you want to collect enterprise application data from the new directory.


STEP 7 | (Auth Code Flow only) Sign in with Azure using your Azure administrator credentials and
grant permissions for the Cloud Identity Engine to access the directory information.

You must have an administrative account for the directory to grant the following
required permissions.
• Access Azure Service Management
• View your basic profile
• Maintain access to data you have given it access to
• Read directory data
• View your email address

1. Enter your email address or phone number then click Next.

2. Enter your password and Sign in.

3. Consent on behalf of your organization to grant the permissions that the Cloud Identity
Engine requires to get the metadata with the list of directories and Accept to confirm.


The button displays Logged In when the authentication is successful.


STEP 8 | (Client credential flow only) Enter the Directory ID, Client ID, and Client Secret to Deploy or
Migrate to Client Credential Flow for Azure AD.


STEP 9 | Click Test Connection to confirm that the Cloud Identity Engine tenant can successfully
communicate with the Azure directory.

• The Cloud Identity Engine checks for the primary directory, which may not be the same as
the initial directory.
• While the test is in progress, the button displays Testing.
• When the Cloud Identity Engine verifies the connection, the button displays Success and
lists the domain name and ID for the directory.
• If the connection is not successful, the button displays Failed and a red exclamation point.
If this occurs, confirm you have entered your Azure credentials correctly.
• If you have more than one directory in your Azure AD, select the radio button for each
directory and Test Connection. Submit each directory individually.


STEP 10 | (Auth Code Flow only) Consent on behalf of your organization to grant the permissions the
Cloud Identity Engine requires to access the directory data and Accept to confirm.


STEP 11 | (Optional) Enter a unique name in the Directory Name (optional) field to use a customized
name for the directory in the Cloud Identity Engine app.

You can use up to 15 lowercase alphanumeric characters (including hyphens, periods,
and underscores) for the directory name in the Cloud Identity Engine. You don't need
to change the name of the directory itself, only the name of the directory in the Cloud
Identity Engine app.

If you are collecting data for the same domain from both an on-premises Active
Directory (AD) and an Azure AD, Palo Alto Networks recommends that you create
a separate Cloud Identity Engine tenant for each directory type. If you must use the
same Cloud Identity Engine tenant and want to collect data from both an on-premises
AD and an Azure AD, you must customize the directory name for the Azure AD (for
example, by adding .aad to Customize Directory Name) then Reconnect Azure
Active Directory. Any applications that you associate with the Cloud Identity Engine
use the custom directory name.

• The custom directory name is the alias for your Azure AD in your Cloud Identity Engine
tenant; it does not change the name on your directory. If you do not enter a custom
directory name, the Cloud Identity Engine uses the default domain name.
• The Cloud Identity Engine supports lowercase alphanumeric characters, periods (.), hyphens
(-), and underscores (_).


• If you associate the Cloud Identity Engine with Cortex XDR, the customized directory name
must be identical to the Domain you select in Cortex XDR.

The custom directory name must match the corresponding directory name in any
app that you associate with the Cloud Identity Engine. For example, if you are using
the Cloud Identity Engine with Cortex XDR, the custom directory name in the Cloud
Identity Engine must be the same as the directory name in Cortex XDR.


STEP 12 | When the configuration is complete, Submit the configuration.


When you submit the configuration, the Cloud Identity Engine connects to your Azure AD and
begins synchronizing attributes. The Sync Status column displays In Progress while the Cloud
Identity Engine collects the attributes.

To add another Azure AD to your Cloud Identity Engine tenant, you must first log out
of the Azure AD that already exists in the Cloud Identity Engine. After you log out, click
Add Directory and repeat Steps 3 through 9 using the credentials for the new Azure
AD in Configure Azure Active Directory.

Now that you have configured your Azure Active Directory in the Cloud Identity Engine, you
can take the following next steps:
• If you want to use the client credential flow to use a service account with the Cloud
Identity Engine, make sure to complete all the required steps to Deploy or Migrate to Client
Credential Flow for Azure AD.
• Use the Cloud Identity Engine app to create, view, delete, rename, or synchronize tenants
and to view or customize the attributes that the Cloud Identity Engine collects.
• For a comprehensive user identity and authentication solution, learn how to Authenticate
Users with the Cloud Identity Engine.


Deploy or Migrate to Client Credential Flow for Azure AD


The Client Credential Flow option for Azure Active Directory (AD) in the Cloud Identity Engine
allows you to use a service account to log in to your Azure AD in the Cloud Identity Engine. Using
a service account is strongly recommended, as this is a more secure method for directory access
and does not require the account to be associated with a specific user.
If this is the first time you have created a Cloud Identity Engine tenant, the Cloud Identity Engine
app is not available in the Azure app gallery, so you must create a custom app.
If you already have an existing Azure AD configuration in the Cloud Identity Engine, you can easily
migrate the existing configuration to use the client credential flow option by reconnecting your
Azure AD to the Cloud Identity Engine, selecting the Client Credential Flow option, and testing
the connection to verify the configuration.
STEP 1 | If you have not already done so, activate your Cloud Identity Engine tenant.


STEP 2 | Grant the required read-only permissions in the Azure Portal.


1. In the Azure Portal, select Home > Azure Active Directory > App Registrations.
2. Click New registration.

3. Enter a Name then click Register.


4. Select API permissions then click Add a permission.


5. Click Microsoft Graph then select Application permissions.


6. Select the following permissions then click Add permissions:


• Directory.Read.All
• Organization.Read.All

• If you want to use user risk information in attribute-based Cloud Dynamic
User Groups, you must grant additional permissions. For more information,
refer to the documentation on how to Create a Cloud Dynamic User
Group.


7. Click Grant admin consent for DirectoryName (where DirectoryName represents the
name of your Azure AD).

8. Click Yes to confirm.


STEP 3 | Collect the necessary configuration information from the Azure Portal.
1. In the Azure dashboard, select your Azure AD, then select App Registrations and select
the app you created.
2. Select Certificates & secrets then click New client secret.

3. Enter a Description and Add the secret.

When you add the secret, make sure to keep track of when the secret Expires.
When the secret expires, you must configure the new secret in the Azure Portal
and update the configuration in the Cloud Identity Engine app to replace the
expired secret. Keep this in mind when selecting the expiry value for the secret.
If you prioritize ease of configuration, select a longer expiration for the secret
(the maximum value is 2 years). If security is of greater concern, select a shorter
value for the secret’s expiration (the default is 6 months).


4. Copy the Value of the secret and store it in a secure location.


5. Click Overview then copy the Application (client) ID and store it in a secure location.


6. Copy the Directory (tenant) ID and store it in a secure location.


STEP 4 | Add your Azure AD directory in the Cloud Identity Engine.


(Required for migration) If you are migrating an existing Azure AD configuration, select Actions > Reconnect on the Directories page for the Azure AD you want to migrate, then continue to step 4.3. The Cloud Identity Engine automatically populates the directory information for step 7, so you can continue to step 8 (testing the connection).
1. In the Cloud Identity Engine app, select Directories then click Add New Directory.
2. Set Up an Azure directory.

3. Select Client Credential Flow as the method you want to use to Connect to Azure AD.



STEP 5 | Select whether you want to Collect user risk information from Azure AD Identity Protection
to use in attribute-based Cloud Dynamic User Groups.

If you select this option, you must grant additional permissions for the Cloud Identity
Engine in the Azure AD Portal. For more information, refer to the documentation for
Cloud Dynamic User Groups.


STEP 6 | Select whether you want to Collect enterprise applications data so that it displays when
you View Directory Data. If you don't want to collect the application data or you don't use
application data in your security policy, deselect the checkbox to decrease the sync time.

For beta users of this feature, the Cloud Identity Engine continues collecting enterprise
application data for any directories configured in your tenant during the beta and no
further configuration is required. If you configure a new directory, you must select
whether you want to collect enterprise application data from the new directory.

STEP 7 | Enter your directory information as indicated, using the information you copied from the Azure Portal in steps 3.4, 3.5, and 3.6:

During migration of an existing Azure AD configuration to the client credential flow, the Cloud Identity Engine automatically populates the Directory ID, the Client ID, and the Client Secret.

Copy from Azure Portal          Enter in Cloud Identity Engine
Directory (tenant) ID           Directory ID
Application (client) ID         Client ID
Value (of the client secret)    Client Secret


STEP 8 | (Required) Confirm the Cloud Identity Engine app can successfully communicate with your
directory.
1. In the Cloud Identity Engine, click Test Connection to confirm that the Cloud Identity
Engine can successfully connect to your Azure AD.

2. (Optional) Enter a new name to Customize Directory Name in the Cloud Identity Engine.
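Before you rely on Test Connection, it helps to confirm that the app registration actually yields a token with the application permissions granted in steps 2.6 and 2.7. The following is an added example, not Palo Alto Networks code: it builds the client credentials request the Cloud Identity Engine makes against the tenant's v2.0 token endpoint, decodes an access token and checks its `roles` claim for Directory.Read.All and Organization.Read.All, and flags a client secret that is near the expiry you chose in step 3.3. The tokens, tenant ID and client ID below are constructed placeholders so the checks run offline.

```python
"""Added example (not Palo Alto Networks code): offline sanity checks for the
Azure AD app registration used by the client credential flow.

- token_request() builds the OAuth 2.0 client credentials request against the
  tenant's v2.0 token endpoint (scope .default = all consented app permissions).
- missing_app_roles() inspects an access token and reports which of the two
  required application permissions are absent from its `roles` claim.
- secret_expiry_status() flags a client secret that needs rotating.
The sample tokens are constructed, unsigned (alg=none) and for testing only.
"""
from __future__ import annotations

import base64
import json
from datetime import date
from urllib.parse import urlencode

REQUIRED_APP_ROLES = {"Directory.Read.All", "Organization.Read.All"}
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple[str, str]:
    """Return (token endpoint, form-encoded body) for the client credentials grant."""
    endpoint = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_DEFAULT_SCOPE,
    })
    return endpoint, body


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWT. No signature verification: this is
    for inspecting a token you obtained yourself, never for accepting one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def missing_app_roles(token: str) -> set[str]:
    """Application permissions granted with admin consent appear in `roles`.
    A delegated (auth code flow) token carries `scp` instead, so a token with
    the right-looking scopes can still be the wrong token for this flow."""
    claims = decode_jwt_payload(token)
    return REQUIRED_APP_ROLES - set(claims.get("roles", []))


def secret_expiry_status(expires_iso: str, today_iso: str, warn_days: int = 30) -> str:
    """'expired', 'rotate-soon' (within warn_days) or 'ok'; dates as YYYY-MM-DD."""
    remaining = (date.fromisoformat(expires_iso) - date.fromisoformat(today_iso)).days
    if remaining < 0:
        return "expired"
    return "rotate-soon" if remaining <= warn_days else "ok"


def make_unsigned_token(payload: dict) -> str:
    """Construct an unsigned sample token for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


# Constructed sample tokens; tenant and app IDs are placeholders.
SAMPLE_APP_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "appid": "11111111-1111-1111-1111-111111111111",
    "roles": ["Directory.Read.All", "Organization.Read.All"],
})
SAMPLE_DELEGATED_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "scp": "Directory.Read.All User.Read",
})

if __name__ == "__main__":
    print(missing_app_roles(SAMPLE_APP_TOKEN))        # set()
    print(missing_app_roles(SAMPLE_DELEGATED_TOKEN))  # both required roles missing
```

To use it against a real tenant, POST the body from token_request() to the endpoint it returns and pass the access_token from the JSON response to missing_app_roles(); an empty set means admin consent for both permissions took effect. A non-empty set with a populated `scp` claim is the usual sign that an auth code flow token was obtained instead of an application token.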


STEP 9 | In the Cloud Identity Engine app, Submit your changes and verify your directory information
when the Directories page displays.
You can now use your Azure AD to enforce group-based policy with the Cloud Identity Engine.

Reconnect Azure Active Directory


If the connection between your Azure Active Directory (Azure AD) and the Cloud Identity Engine
is not active or if you want to make changes to your Azure AD configuration, you can reconnect
your Azure AD to the Cloud Identity Engine.
STEP 1 | Log in to the hub and select the Cloud Identity Engine tenant that contains the Azure AD you
want to reconnect.

STEP 2 | Select Directories.


STEP 3 | Select Actions > Reconnect.


STEP 4 | Select whether you want to make any changes to your configuration.
• If you want to use a service account to log in to Azure AD, you can Deploy or Migrate to Client Credential Flow for Azure AD.
• If you want to collect information about user risk levels and activity to use when you Create a Cloud Dynamic User Group, select Collect user risk information from Azure AD Identity Protection.
• If you want to display application data when you View Directory Data, select Collect enterprise applications data. If you don't want to collect application data or you don't use application data in your security policy, deselect the checkbox to decrease the sync time.

STEP 5 | (Auth Code Flow only) Sign in with Azure using your Azure administrator credentials and
grant permissions for the Cloud Identity Engine to access the directory information.


STEP 6 | (Client credential flow only) Enter the Client ID and Client Secret (or click Restore to restore
the current client secret) to Deploy or Migrate to Client Credential Flow for Azure AD.

You cannot change the Directory ID. If you need to change the Directory ID, you must
set up a new Azure AD configuration in the Cloud Identity Engine.

STEP 7 | Click Test Connection to confirm the Cloud Identity Engine can access your Azure AD.

STEP 8 | (Optional) Customize Directory Name if you want to change the name that the Cloud
Identity Engine displays for this directory in your tenant.

You can use up to 15 lowercase alphanumeric characters (including hyphens, periods, and underscores) for the directory name in the Cloud Identity Engine. You don't need to change the name of the directory itself, only the name of the directory in the Cloud Identity Engine app. If your directory name contains more than 15 characters, you must change the directory name to contain a maximum of 15 characters.

STEP 9 | Submit your configuration to reconnect to the directory.


Revoke Cloud Identity Engine Permissions for Azure Active Directory


If you want to revoke the permissions for the Cloud Identity Engine to access your Azure
Active Directory (AD), delete the directory in your Cloud Identity Engine tenant and delete the
application from the Azure Portal.

To revoke permissions for an Azure AD from the Cloud Identity Engine, you must have
at least the following role privileges in Azure AD: Application Administrator and Cloud
Application Administrator. For more information about roles in Azure AD, refer to the
following link.

STEP 1 | Delete the directory from your Cloud Identity Engine tenant.

STEP 2 | Log in to the Azure Portal with your administrator credentials.

STEP 3 | Select Azure Active Directory.


STEP 4 | In the Manage section, select Enterprise applications.

STEP 5 | In the Manage section, select All applications then select Palo Alto Networks Cloud Identity
Engine.

STEP 6 | In the Manage section, select Properties.

STEP 7 | Delete the application and click Yes to confirm.


When you confirm, the Cloud Identity Engine can no longer access this Azure AD.

Configure Okta Directory


The Cloud Identity Engine can integrate Okta Directory information. When you configure
your Okta Directory as part of the Cloud Identity Engine, the Cloud Identity Engine uses Okta
Directory to collect user and group attribute information for Security policy enforcement and for
visibility into the users who access your network.

You must create an OpenID Connect (OIDC) app to configure an Okta directory for the Cloud Identity Engine, even if you have already configured Okta for SAML. If you try to reuse the SAML app instead of creating a new OIDC app, the initial sync might succeed but later syncs fail, because the refresh token from gallery applications does not support this configuration.

STEP 1 | If you have not already done so, activate the Cloud Identity Engine and obtain the Sign-in
redirect URI for Okta.
1. After activating the Cloud Identity Engine, log in to the hub and select the Cloud Identity
Engine app.
2. Copy the URL for your Cloud Identity Engine tenant and edit it to obtain the Sign-in redirect URI that Okta requires. To edit the URL, replace the text after the domain with /authorize. For example, if your Cloud Identity Engine tenant URL is https://directory-sync.us.paloaltonetworks.com/directory?instance=<InstanceId>, your Redirect URL is https://directory-sync.us.paloaltonetworks.com/authorize.


STEP 2 | Using the Okta Administrator Dashboard, prepare to add your Okta Directory in the Cloud
Identity Engine.

To set up an Okta Directory in the Cloud Identity Engine, you must create a user then
assign Admin Roles to that user to grant privileges for the Okta Directory in the Okta
Administrator Dashboard (Admin > Security > Administrators > Add Administrator >
Grant Administrator Role). This is the account you’ll assign to the app in step 2.7.

1. Create an app integration for the Cloud Identity Engine app in Okta.
2. Select OIDC - OpenID Connect as the Sign-in method.


3. Select Web Application as the Application type then click Next.

4. For the Grant type, select Refresh Token.


5. Replace any existing Sign-in redirect URIs with the edited URL from step 1.2.

Palo Alto Networks recommends separating regions by aligning region-specific tenants with region-specific Okta accounts. However, for testing, if you have Cloud Identity Engine tenants in more than one region, add Sign-in redirect URIs for each region where you have a tenant.
6. Skip the steps for Sign-out redirect URIs and Base URIs as these aren't required.
7. Assign the app to a user or group and Save the configuration.

Be sure to assign the app only to the administrator you created in the first step.

8. Select General, then copy your Client ID and Client Secret.


9. Copy your Okta domain.


10. Select Assignments, then assign the Cloud Identity Engine app to the administrator who
configures the Okta integration in the Cloud Identity Engine.


11. Select Okta API Scopes and grant consent to the following scopes:
   • okta.authorizationServers.read (required only if you have more than one Okta authorization server)
   • okta.groups.read
   • okta.logs.read
     The Cloud Identity Engine requires this scope to read the following log events only:
       • user.lifecycle.delete.initiated
       • group.lifecycle.delete
       • user.lifecycle.activate
       • user.lifecycle.deactivate
     The Cloud Identity Engine uses a filter to retrieve only these events; it does not receive any other events for this scope.
   • okta.users.read
   • okta.users.read.self

   If you want the Cloud Identity Engine to collect enterprise application data so that it is included when you View Directory Data, you must grant consent to the okta.apps.read scope before you select the option in step 6.
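The note on okta.logs.read is worth verifying for yourself, since that scope nominally exposes the whole System Log. The following is an added example, not Palo Alto Networks or Okta code: it builds the System Log filter expression that restricts a query to the four lifecycle event types listed above, places it on Okta's /api/v1/logs endpoint, and applies the same selection to a page of log entries. The Okta domain and the log entries are constructed sample data, trimmed to the fields the code uses, so everything runs offline.

```python
"""Added example (not Palo Alto Networks or Okta code): the System Log query
that corresponds to the four event types the Cloud Identity Engine reads under
okta.logs.read, and the same filter applied to constructed entries offline.

log_filter_expression() builds the Okta System Log filter expression;
system_log_url() places it on /api/v1/logs; select_cie_events() applies the
same filter to a page of entries. Domain and entries are constructed samples.
"""
from __future__ import annotations

import json
from urllib.parse import urlencode

CIE_EVENT_TYPES = (
    "user.lifecycle.delete.initiated",
    "group.lifecycle.delete",
    "user.lifecycle.activate",
    "user.lifecycle.deactivate",
)


def log_filter_expression(event_types=CIE_EVENT_TYPES) -> str:
    """Okta System Log filter: eventType eq "a" or eventType eq "b" ..."""
    return " or ".join(f'eventType eq "{event}"' for event in event_types)


def system_log_url(okta_domain: str, since_iso: str, limit: int = 100) -> str:
    """Full query URL; okta_domain is the bare hostname without a scheme."""
    query = urlencode({"since": since_iso, "filter": log_filter_expression(), "limit": limit})
    return f"https://{okta_domain}/api/v1/logs?{query}"


def select_cie_events(entries: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Keep only the four lifecycle events; return (published, eventType, targets).
    A target is identified by its alternateId (login) when present, else displayName."""
    wanted = set(CIE_EVENT_TYPES)
    selected = []
    for entry in entries:
        if entry.get("eventType") not in wanted:
            continue
        targets = [t.get("alternateId") or t.get("displayName", "?") for t in entry.get("target", [])]
        selected.append((entry["published"], entry["eventType"], targets))
    return selected


# Constructed sample page of System Log entries (fields trimmed to what is used).
SAMPLE_LOG_ENTRIES = json.loads("""[
  {"eventType": "user.session.start", "published": "2023-11-01T10:00:00.000Z",
   "target": [{"type": "User", "alternateId": "alice@example.com", "displayName": "Alice"}]},
  {"eventType": "user.lifecycle.deactivate", "published": "2023-11-01T10:05:00.000Z",
   "target": [{"type": "User", "alternateId": "bob@example.com", "displayName": "Bob"}]},
  {"eventType": "group.lifecycle.delete", "published": "2023-11-01T10:06:00.000Z",
   "target": [{"type": "UserGroup", "displayName": "contractors"}]},
  {"eventType": "user.lifecycle.delete.initiated", "published": "2023-11-01T10:07:00.000Z",
   "target": [{"type": "User", "alternateId": "carol@example.com", "displayName": "Carol"}]}
]""")

if __name__ == "__main__":
    print(system_log_url("dev-123456.okta.com", "2023-11-01T00:00:00.000Z"))
    for published, event_type, targets in select_cie_events(SAMPLE_LOG_ENTRIES):
        print(published, event_type, targets)
```

The session-start entry is dropped and only the three lifecycle entries survive, which is the behaviour the note describes; running the generated URL with a bearer token for the app shows the same restriction applied server-side.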


STEP 3 | In the Cloud Identity Engine app, select Directories > Add Directory.


STEP 4 | Set Up a Cloud Directory and select Okta.

STEP 5 | Select the method you want to use to log in to the Okta directory.
• Auth Code Flow—To make changes to your Okta directory in the Cloud Identity Engine, you must log in to the Okta directory.
• (Default) Client Credential Flow—By granting the required permissions in advance, you do not need to log in to the Okta directory to make changes to that directory in the Cloud Identity Engine. This option requires additional configuration; for more information, refer to Deploy Client Credential Flow for Okta.


STEP 6 | Select whether you want to Collect enterprise applications data so that it displays when you
View Directory Data.

For beta users of this feature, the Cloud Identity Engine continues collecting enterprise
application data for any directories configured in your tenant during the beta and no
further configuration is required. If you configure a new directory, you must select
whether you want to collect enterprise application data from the new directory and
grant consent for the scope in step 2.11.


STEP 7 | Specify your Okta Directory information to allow the Cloud Identity Engine to connect to
your Okta Directory.

1. Paste the Okta Directory Domain that you copied in step 2.9.

2. Paste the Okta Directory Client ID and Client Secret that you copied in step 2.8.

The Client ID must begin with 0.


STEP 8 | (Auth Code Flow only) Sign in with Okta by entering your Okta Directory credentials.

When the login is successful, Logged In displays. Palo Alto Networks recommends using the
built-in authorization server. If you have more than one Okta authorization server, repeat the
previous steps for each additional Okta Directory you want to add.

STEP 9 | Click Test Connection to verify your configuration.


When the test is successful, Success displays.

STEP 10 | (Optional) Customize the name the Cloud Identity Engine displays for your Okta Directory.
By default, the Cloud Identity Engine uses the default domain name.

You can use up to 15 lowercase alphanumeric characters (including hyphens, periods, and underscores) for the directory name in the Cloud Identity Engine. You don't need to change the name of the directory itself, only the name of the directory in the Cloud Identity Engine app.


STEP 11 | Submit the configuration.


You can now use information from your Okta Directory in the Cloud Identity Engine when
you configure a user- or group-based Security policy rule or with other Palo Alto Networks
applications.

For optimal performance, the Cloud Identity Engine does not support the default Okta
group "Everyone" because Okta does not recommend using this group to define policy
rules.

Deploy Client Credential Flow for Okta


By granting a few read-only permissions for your Okta directory in advance, the Client Credential
Flow option for Okta in the Cloud Identity Engine allows you to use a service account to log
in to your Okta directory in the Cloud Identity Engine. Using a service account is strongly
recommended, as this is a more secure method for directory access and does not require the
account to be associated with a specific user.

You must obtain a new client ID and secret if you have an existing Okta directory
configuration. The client ID and secret for the Okta directory auth code flow (the existing
method) are not compatible with the API service integration that the client credential flow
method uses.


STEP 1 | Download the Okta integration app from the Okta Integration Network.
1. In the Okta Administrator Portal, select Applications > API Service Integrations.

2. Click Add Integration.

3. Select the app integration you want to use based on whether you want to enable app
data and click Next.
• If you use application data in your security policy, select the Palo Alto Networks
Cloud Identity Engine (Application-enabled) app. For more information on collecting
application data, see Step 6 in Configure Okta Directory.


• If you do not use application data in your security policy, select the Palo Alto
Networks Cloud Identity Engine app.

To ensure that you select the correct app, either use Find in your browser (Ctrl+
F) to search for the app you want to use or hover over the app to display the full
app name.

STEP 2 | Install and configure the API service integration.


STEP 3 | Install & Authorize the API service integration.

The Okta API service integration automatically configures the following required API scopes:
• Users and groups—Read existing users’ profiles and credentials. Read about groups and
their members. Read the signed-in user's profile and credentials.
• Authorization servers—Read about authorization servers.
• (Application-enabled app only) Apps—Read about apps.
• Logs—Read about system log entries.

STEP 4 | Click Copy to clipboard to copy the client secret and store it in a secure location, then click
Done.

The client secret displays only once, so make sure to copy it and store it securely before
clicking Done.


STEP 5 | Copy the Okta Domain and the Client ID and store them in a secure location.

You must edit the domain by removing the https:// before pasting it.
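Three of the values you paste into the Cloud Identity Engine are derived from what the consoles show rather than copied verbatim: the Sign-in redirect URI from step 1.2 of Configure Okta Directory, the Okta domain with its scheme removed as required here, and a directory name that satisfies the 15 character rule stated for the Customize Directory Name step. The following is an added example, not Palo Alto Networks code, that derives and validates those values; the tenant URL and Okta domain it is exercised with are constructed.

```python
"""Added example (not Palo Alto Networks code): derive and validate the values
this procedure asks you to paste into the Cloud Identity Engine.

sign_in_redirect_uri() rewrites the tenant URL the way step 1.2 of Configure
Okta Directory describes; okta_domain_for_cie() strips the scheme as required
for the client credential flow; valid_directory_name() enforces the 15
character directory-name rule. Sample inputs are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit, urlunsplit

DIRECTORY_NAME_RE = re.compile(r"^[a-z0-9._-]{1,15}$")


def sign_in_redirect_uri(tenant_url: str) -> str:
    """Keep scheme and host, replace everything after the host with /authorize."""
    parts = urlsplit(tenant_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("expected an https tenant URL")
    return urlunsplit(("https", parts.netloc, "/authorize", "", ""))


def okta_domain_for_cie(value: str) -> str:
    """Bare hostname: drop scheme, path and trailing slash from what Okta shows."""
    value = value.strip()
    host = urlsplit(value).netloc if "://" in value else value.split("/")[0]
    if not host or any(c.isspace() for c in host):
        raise ValueError("not a hostname")
    return host.lower()


def valid_directory_name(name: str) -> bool:
    """Up to 15 lowercase alphanumeric characters, hyphens, periods or underscores."""
    return DIRECTORY_NAME_RE.fullmatch(name) is not None


def suggest_directory_name(okta_domain: str) -> str:
    """Shorten a domain such as dev-123456.okta.com into an acceptable name."""
    candidate = okta_domain.lower().split(".")[0]
    candidate = re.sub(r"[^a-z0-9._-]", "-", candidate)[:15].strip("-")
    return candidate or "okta"


if __name__ == "__main__":
    tenant = "https://directory-sync.us.paloaltonetworks.com/directory?instance=abc123"
    print(sign_in_redirect_uri(tenant))
    domain = okta_domain_for_cie("https://dev-123456.okta.com/")
    print(domain, suggest_directory_name(domain), valid_directory_name("Okta-Prod"))
```

The redirect URI check matters beyond convenience: Okta matches redirect URIs exactly, so a trailing path or query string left over from the tenant URL causes the auth code flow sign-in in step 8 to fail with a redirect_uri mismatch rather than a clear error.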

STEP 6 | If you have not already done so, activate your Cloud Identity Engine tenant.

STEP 7 | Set up a Cloud Directory and select Okta.


STEP 8 | Under Select Connection Flow, select Client Credential Flow.

STEP 9 | Select Collect enterprise applications to display application data when you view directory
data.

If you select this option, you must use the Palo Alto Networks Cloud Identity Engine (Application-enabled) app to ensure the correct permissions.


STEP 10 | Paste the information you copied from the Okta management console into the fields as
indicated in the following table.

Okta Management Console Field    Cloud Identity Engine App Field
Okta Domain                      Domain
Client ID                        Client ID
Client Secret                    Client Secret

STEP 11 | Click Test Connection to verify the Cloud Identity Engine can successfully communicate with
your Okta directory.

You must test the connection to submit the configuration.

STEP 12 | (Optional) Customize the name of the directory that displays in the Cloud Identity Engine.
If you want to use a custom name for this directory in the Cloud Identity Engine, enter the
custom name as the Directory Name (Optional).

STEP 13 | Submit your changes and verify your directory information when the Directories page
displays.


Reconnect Okta Directory


If the connection between your Okta directory and the Cloud Identity Engine isn’t active or
you want to make changes to your Okta directory configuration, you can reconnect your Okta
directory to the Cloud Identity Engine.
STEP 1 | Log in to the hub and select the Cloud Identity Engine tenant that contains the Okta
directory you want to reconnect.

STEP 2 | Select Directories.

STEP 3 | Select Actions > Reconnect for the directory you want to reconnect.


STEP 4 | Select whether you want to make any changes to your configuration.
• If you want to use a service account to log in to the Okta directory, select the Client
Credential Flow. For more information, refer to step 5 in the documentation on how to
Configure Okta Directory for the Cloud Identity Engine.

• If you want the Cloud Identity Engine to Collect enterprise applications data so that it is included when you View Directory Data, select the checkbox. If you don't use enterprise application data in your security policy or you don't want to collect the data, deselect the checkbox.

STEP 5 | (Auth Code Flow only) Sign in with Okta using your Okta administrator credentials and grant
permissions for the Cloud Identity Engine to access the directory information.

STEP 6 | (Client credential flow only) Enter the Client ID and Client Secret (or click Restore to restore
the current client secret).

You cannot change the Domain. If you need to change the domain, you must create a
new Okta directory configuration in the Cloud Identity Engine.

STEP 7 | Click Test Connection to confirm the Cloud Identity Engine can access your Okta directory.


STEP 8 | (Optional) Customize Directory Name if you want to change the name that the Cloud
Identity Engine displays for this directory in your tenant.

You can use up to 15 lowercase alphanumeric characters (including hyphens, periods, and underscores) for the directory name in the Cloud Identity Engine. You don't need to change the name of the directory itself, only the name of the directory in the Cloud Identity Engine app. If your directory name contains more than 15 characters, you must change the directory name to contain a maximum of 15 characters.

STEP 9 | Submit your configuration.

Remove Okta Directory


If you no longer need to sync your Okta Directory with the Cloud Identity Engine, you can remove
it from the Cloud Identity Engine.


STEP 1 | Remove the Cloud Identity Engine integration from Okta.


1. Log in to the Okta Admin Dashboard.
2. Select Applications > Applications.

3. Select the Cloud Identity Engine integration you want to remove.


4. Select Inactive > Delete.

5. Click Delete Application to confirm that you want to remove the Cloud Identity Engine
integration from Okta.


STEP 2 | Remove the Okta Directory from the Cloud Identity Engine app.
1. In the Cloud Identity Engine app, select Directories.
2. Select Actions > Remove.

3. Click Yes to confirm removal of the directory.

Configure Google Directory


When you configure your Google Directory in the Cloud Identity Engine, the Cloud Identity
Engine can access your Google Directory information to identify users and enforce Security
policy.
STEP 1 | If you haven’t already done so, activate the Cloud Identity Engine.


STEP 2 | Grant the necessary administrator rights in the Google Admin console for the Cloud Identity
Engine.
1. In the Google Admin console, select Admin roles.
2. Select a role then click Privileges.
3. Select the following privileges then Save your changes:
   • Admin console privileges
     • Organizational Units > Read
     • Users > Read
     • Groups
     • Services > Mobile Device Management > Manage Devices and Settings
     • Services > Chrome Management > Settings > Manage Chrome OS > Devices > Manage Chrome OS Devices (read-only)
     • Domain Settings
   • Admin API privileges
     • Organization Units > Read
     • Users > Read
     • Groups
       • Groups > Create
       • Groups > Read
       • Groups > Update
       • Groups > Delete
     • Billing Management > Billing Read
     • Domain Management



STEP 3 | Log in to the Google Admin console and configure the Cloud Identity Engine app in the
Google Admin console.
1. Select Security > API controls and click Manage Third-Party App Access.

2. Select Configure new app > OAuth App Name Or Client ID.

3. Enter Palo Alto Networks Cloud Identity Engine Directory Sync and
click Search.

4. Select the Palo Alto Networks Cloud Identity Engine Directory Sync app.
5. Select the OAuth Client ID option if it isn’t already selected then click Select.


6. Select Trusted: Can access all Google services as the App access option then Configure
the app.


STEP 4 | Collect the necessary information from the Google Admin console to configure the Google
Directory in the Cloud Identity Engine.
1. Select Account > Account Settings.
2. Copy the Customer ID and store it in a secure location.

STEP 5 | In the Cloud Identity Engine app, select Directories > Add Directory.


STEP 6 | Set Up a Cloud Directory and select Google.


STEP 7 | Enter your Customer ID that you copied in step 4.


STEP 8 | Sign in with Google by entering the Google Admin credentials for the account associated
with the Customer ID.

When the login is successful, Signed In displays.

STEP 9 | Click Test Connection to verify your configuration.


When the test is successful, Success displays.

STEP 10 | (Optional) Customize the name the Cloud Identity Engine displays for your Google Directory.
By default, the Cloud Identity Engine uses the default domain name.

You can use up to 15 lowercase alphanumeric characters (including hyphens, periods, and underscores) for the directory name in the Cloud Identity Engine.


STEP 11 | Submit the configuration.


When you submit the configuration successfully, the Cloud Identity Engine displays the
Directories page.

You can now use information from your Google Directory in the Cloud Identity Engine when
you configure a user- or group-based security policy rule or with other Palo Alto Networks
applications.

Reconnect Google Directory


If the connection between the Cloud Identity Engine and your Google Directory is inactive,
reconnect the Google Directory to the Cloud Identity Engine.
STEP 1 | Log in to the hub and select the Cloud Identity Engine tenant that contains the Google
Directory you want to reconnect.

STEP 2 | Select Directories.


STEP 3 | Select Actions > Reconnect.

STEP 4 | Log in to Google and Test Connection to confirm the Cloud Identity Engine can access your
Google Directory.

STEP 5 | (Optional) Customize Directory Name if you want to change the name that the Cloud
Identity Engine displays for this directory in your tenant.

You can use up to 15 lowercase alphanumeric characters (including hyphens, periods, and underscores) for the directory name in the Cloud Identity Engine. You don't need to change the name of the directory itself, only the name of the directory in the Cloud Identity Engine app. If your directory name contains more than 15 characters, you must change the directory name to contain a maximum of 15 characters.

STEP 6 | Submit your configuration.


Remove Google Directory


If you no longer need to use Google Directory with the Cloud Identity Engine app, revoke
permissions for the Cloud Identity Engine app and remove the Google Directory from the Cloud
Identity Engine app.
STEP 1 | Revoke permissions for the Cloud Identity Engine app in the Google Admin Dashboard.
1. Log in to the Google Admin Dashboard.
2. Select Security > API Controls > App Access Control.
3. Select the Cloud Identity Engine app and Change access to Blocked: Can’t access any
Google service.

4. Click Change to confirm your changes.


STEP 2 | Remove the Google Directory from the Cloud Identity Engine app.
1. Log in to the hub and select the Cloud Identity Engine app.
2. Select Directories then select Actions > Remove.

3. Click Yes to confirm removal of the directory.

Configure SCIM Connector for the Cloud Identity Engine


As part of the Cloud Identity Engine, Directory Sync connects to your directory to obtain user
and group information for user identification and enforcement for group-based and user-based
Security policy.
Configuring the System for Cross-Domain Identity Management (SCIM) protocol for Directory
Sync in the Cloud Identity Engine allows you to customize what attributes Directory Sync collects
from your directory. You can add or remove attributes in your directory portal to customize which
attributes you want to share with the Cloud Identity Engine for user and group identification.

The SCIM gallery app does not support the userType attribute.


Configuring your directory to use the SCIM Connector with the Cloud Identity Engine requires
completing all necessary steps in both the Cloud Identity Engine and in the portal for your
specific SCIM client. If you encounter any issues with the SCIM Connector setup, learn how to
Troubleshoot Cloud Identity Engine Issues.


STEP 1 | Set up SCIM Connector in the Cloud Identity Engine app and complete the predeployment
steps for your SCIM client.
1. Complete the predeployment steps for your SCIM client.
• Configure Azure Active Directory for SCIM Connector
• Configure PingFederate for SCIM Connector
• Configure Okta Directory for SCIM Connector
2. In the Cloud Identity Engine app, select Directory Sync > Directories > Cloud Directory
> Set Up > SCIM.

3. Select the SCIM Client you want to use:


• Azure AD—Configure an Azure Active Directory to use the SCIM Connector. Be sure
to complete the predeployment steps in the Azure Portal to Configure Azure Active
Directory for SCIM Connector.
• PingFederate—Configure a PingFederate server to use the SCIM Connector. Be
sure to complete the predeployment steps in the PingFederate portal to Configure
PingFederate for SCIM Connector.
• Okta—Configure an Okta Directory to use the SCIM Connector. Be sure to complete
the predeployment steps in the Okta Administrator Dashboard to Configure Okta
Directory for SCIM Connector.

STEP 2 | In the portal for your SCIM client, obtain the necessary information you must enter to
configure the SCIM Connector in the Cloud Identity Engine.
• Configure Azure Active Directory for SCIM Connector
• Configure PingFederate for SCIM Connector
• Configure Okta Directory for SCIM Connector

STEP 3 | Enter the necessary information in the Cloud Identity Engine to configure your directory to
use SCIM with Directory Sync.
1. Enter the Directory ID and Directory Name you copied from your directory portal.
• For the Directory ID in the Cloud Identity Engine:
• For Azure, use the Tenant ID.
• For Ping, use the System ID.
• For Okta, use the Directory Name.

Palo Alto Networks recommends using the directory name; however, you
can use any name for the Directory ID.
• For the Directory Name in the Cloud Identity Engine:
• For Azure, use the Primary Domain.
• For Ping, use the User.
• For Okta, use the Okta Domain.

2. Copy the Base URL and save it in a secure location.

3. Click Generate Bearer Token then copy the token that the Cloud Identity Engine
generates for your Authorization Method and save it in a secure location.

Before continuing to the next step and submitting the changes, make sure to
save the token in a location where you can easily retrieve it to enter it in your
SCIM client directory portal. If you submit the changes in the Cloud Identity
Engine app before you generate and save the token, you must generate a new
token in the Cloud Identity Engine app and enter the new token in the directory
portal.

4. Click Submit to commit your changes.

You must click Submit to create the configuration in the Cloud Identity Engine
app before continuing the configuration in the IdP, then return to the Cloud
Identity Engine app and complete a full sync of the entire directory before the
configuration is complete.

STEP 4 | Select the check box and click OK to confirm your acknowledgment of the postconfiguration
requirements then return to the portal for your SCIM client to complete the
postconfiguration steps.

• Configure Azure Active Directory for SCIM Connector


• Configure PingFederate for SCIM Connector
• Configure Okta Directory for SCIM Connector
After completing the steps in both the Cloud Identity Engine app and your directory portal,
you can now use the SCIM Connector to collect attributes from your directory. To learn which
attributes the SCIM Connector collects, see the Cloud Identity Engine Attributes.

Configure Azure Active Directory for SCIM Connector


You must also complete the required steps in the Azure Active Directory (AD) Portal to complete
the SCIM Connector configuration. For more information, refer to the documentation for the
Azure AD SCIM Connector.

STEP 1 | Complete the predeployment steps to add a new application in the Azure Portal then obtain
the necessary information to configure SCIM for Directory Sync.

Azure Active Directory (AD) SCIM provisioning requires that the group attribute
displayName is unique. If more than one group uses the displayName attribute,
the initial sync isn't successful and the data for the duplicate group names might only
be partially retrievable. If you don't use the duplicate groups in Security policy, then
you can proceed. If you use the duplicate group names in Security policy, you must
resolve the issue by modifying the displayName attribute in your Azure Active
Directory (AD) to ensure that it’s unique.

1. Log in to the Azure Portal.


2. Select Overview (if it isn’t already selected), copy the Tenant ID, and save it in a secure
location.

3. Copy the Primary domain and save it in a secure location.

4. Select Enterprise applications > All applications > New application.


5. To Search application(s), enter Palo Alto Networks SCIM Connector.

6. Select Palo Alto Networks SCIM Connector and Create the application.

If you encounter an error when creating the application, refer to Troubleshoot Cloud
Identity Engine Issues.
7. Return to the Cloud Identity Engine app to continue the SCIM Connector setup.

You must complete the setup in the Cloud Identity Engine before you can
successfully Test Connection in the Azure Portal.
8. After you submit the SCIM Connector configuration in the Cloud Identity Engine app,
continue to the next step.
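The two things that most often break a SCIM Connector setup are the bearer token (generated in the Cloud Identity Engine app in step 3.3 and entered in the IdP) and the Azure AD requirement that group displayName be unique. The following added example (not Palo Alto Networks code) models the SCIM 2.0 service-provider side that the Cloud Identity Engine plays behind the Base URL: it rejects requests without the right bearer token, accepts user and group pushes, and answers a duplicate group displayName with a 409 conflict, which is the condition the note above describes. Resource paths, JSON shapes and the error format follow RFC 7643/7644; that the real endpoint behaves exactly like this is an assumption, and the exchange in demo_exchange (token, user, group names) is constructed.

```python
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Schema URIs from RFC 7643; the error message schema from RFC 7644.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
SPC_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"


def scim_error(status, detail):
    """Error body in the shape required by RFC 7644 section 3.12."""
    return {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


@dataclass
class ScimServiceProvider:
    """Hypothetical SCIM 2.0 service provider standing in for the endpoint behind
    the Cloud Identity Engine Base URL (an assumption, not the product's code)."""
    bearer_token: str
    users: dict = field(default_factory=dict)
    groups: dict = field(default_factory=dict)

    def _authorized(self, headers):
        # Azure AD ("Secret Token") and Okta ("HTTP Header" mode) both present the
        # generated token as: Authorization: Bearer <token>
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not presented.strip():
            return False
        # Constant-time comparison so a wrong token is not distinguishable by timing.
        return hmac.compare_digest(presented.strip().encode(), self.bearer_token.encode())

    def handle(self, method, path, headers, body=None):
        """Dispatch one request and return (http_status, json_body)."""
        if not self._authorized(headers):
            return 401, scim_error(401, "missing or invalid bearer token")
        if method == "GET" and path == "/ServiceProviderConfig":
            # Typically the first thing an IdP's Test Connection fetches.
            return 200, {"schemas": [SPC_SCHEMA],
                         "authenticationSchemes": [{"type": "oauthbearertoken",
                                                    "name": "OAuth Bearer Token"}]}
        if method == "POST" and path == "/Users":
            return self._create(self.users, USER_SCHEMA, "userName", body)
        if method == "POST" and path == "/Groups":
            return self._create(self.groups, GROUP_SCHEMA, "displayName", body)
        return 404, scim_error(404, f"{method} {path} is not supported")

    def _create(self, store, schema, unique_attr, body):
        try:
            resource = json.loads(body or "")
        except json.JSONDecodeError:
            return 400, scim_error(400, "request body is not valid JSON")
        if not isinstance(resource, dict) or schema not in resource.get("schemas", []):
            return 400, scim_error(400, f"resource must declare schema {schema}")
        key = resource.get(unique_attr)
        if not key:
            return 400, scim_error(400, f"{unique_attr} is required")
        # A uniqueness conflict is a 409 (RFC 7644 section 3.3); a duplicate group
        # displayName is exactly what makes the Azure AD initial sync fail.
        if any(existing[unique_attr] == key for existing in store.values()):
            return 409, scim_error(409, f"{unique_attr} {key!r} already exists")
        resource_id = secrets.token_hex(8)
        store[resource_id] = {**resource, "id": resource_id}
        return 201, store[resource_id]


def demo_exchange():
    """Constructed exchange: the IdP first probes with a wrong token, then pushes
    one user and two groups sharing a displayName. Returns the status codes."""
    token = secrets.token_urlsafe(32)  # stands in for the token generated in the app
    provider = ScimServiceProvider(bearer_token=token)
    good = {"Authorization": f"Bearer {token}"}
    bad = {"Authorization": "Bearer not-the-real-token"}
    requests = [
        ("GET", "/ServiceProviderConfig", bad, None),
        ("POST", "/Users", good,
         json.dumps({"schemas": [USER_SCHEMA], "userName": "alice@example.com"})),
        ("POST", "/Groups", good,
         json.dumps({"schemas": [GROUP_SCHEMA], "displayName": "Engineering"})),
        ("POST", "/Groups", good,
         json.dumps({"schemas": [GROUP_SCHEMA], "displayName": "Engineering"})),
    ]
    return [provider.handle(method, path, headers, body)[0]
            for method, path, headers, body in requests]


if __name__ == "__main__":
    print(demo_exchange())  # [401, 201, 201, 409]
```

The 401 on the first request is the behaviour behind the "Test Connection fails until you Submit in the Cloud Identity Engine" notes: until the configuration is submitted there is no token for the endpoint to accept. The 409 on the last request is why the duplicate displayName note tells you to rename the group rather than retry the sync.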

STEP 2 | Configure your Azure Active Directory (AD) to use SCIM Connector to connect to the Cloud
Identity Engine.
1. Log in to the Azure Active Directory (AD) Portal.
2. Select Enterprise Applications then select the Palo Alto Networks SCIM Connector
application.
3. Select Provisioning and click Get Started.

4. Select Automatic as the Provisioning Mode.

5. Enter the following information from steps 3.2 and 3.3 in the fields as indicated in the
following table:

Copy from Cloud Identity Engine        Enter in Azure Portal
Base URL                               Tenant URL
Authorization Method Bearer token      Secret Token

6. Save your changes.

7. (Optional but recommended) Click Test Connection to confirm that the Azure Active
Directory (AD) can successfully communicate with the Cloud Identity Engine app.

You must complete the setup in the Cloud Identity Engine before you can
successfully Test Connection in the Azure Portal.

STEP 3 | Manage the users, groups, and attributes that the Azure Active Directory (AD) provisions to
the Cloud Identity Engine app.
1. In the Azure Portal, select Provisioning > Edit Provisioning.

2. Select Mappings then select whether you want to edit the attributes when you Provision
Active Directory Groups or Provision Active Directory Users.

For optimal performance, Palo Alto Networks strongly recommends provisioning
only the groups that you want to use with the SCIM connector. If you are using
Prisma Access with the Cloud Identity Engine, make sure that you provision
any groups that you use in your security policy to ensure it applies your security
policy correctly.

3. Delete any attributes that you don’t want to provide to the Cloud Identity Engine app.

4. (Optional) Click Add new mapping to add a new mapping that you want Azure Active
Directory (AD) to use to identify users for the Cloud Identity Engine.

5. (Optional) By default, the Cloud Identity Engine only synchronizes the users and groups
you assign to this app in the Azure Portal. You can optionally synchronize all users and
groups (Settings > Sync all users and groups).

6. Save your changes when they are complete.

STEP 4 | Allow Azure Active Directory (AD) to provide the information to the Cloud Identity Engine
and verify that the Cloud Identity Engine uses SCIM to obtain the Azure Active Directory
(AD) information.
1. In the Azure Portal, verify you’ve completed all the provisioning steps in the
documentation for the Azure AD SCIM Connector.
2. Select the name of the app that you configured in the first step then select Manage >
Provisioning > Start Provisioning to begin providing attributes to the Cloud Identity
Engine.

3. Wait until the sync is complete (Initial cycle completed) then View provisioning details.

4. Verify that the synchronization was successful by confirming the timestamps
(Completed and Steady state achieved) and verifying that the number of Users and
Groups displays.

If the number of users and groups does not display, refer to Troubleshoot Cloud
Identity Engine Issues.
5. In the Cloud Identity Engine app, verify that the SCIM Change Timestamp for your Azure
SCIM directory populates on the Directories page.
6. Select Actions > Full Sync to complete a full synchronization of your Azure Active
Directory with Directory Sync for the Cloud Identity Engine.

You must successfully complete a full sync in the Cloud Identity Engine app to
complete the SCIM Connector setup.

Configure PingFederate for SCIM Connector


Complete the following steps to configure the Cloud Identity Engine to use the SCIM Connector
to connect to your PingFederate server. Be sure to complete all the steps in the PingFederate
SCIM Connector documentation as well.

STEP 1 | Set up the directory for SCIM Connector.


1. Log in to the PingFederate Portal and select Data Stores then click Add New Data Store.
2. Enter a Data Store Name and select Directory (LDAP) as the Type.
3. Enter the Hostname(s) (including the port number).
4. Enter a valid email address as the User DN.
5. Click Test Connection to verify the connection is successful.

If the connection test isn't successful, verify that the hostname and email
address are valid. Some directories, such as PingDirectory, format the User DN
as cn=administrator. In this case, select Use LDAPS and use a different
port number, such as 1636, instead of the default port number of 389.

6. Copy and edit the System ID then paste the edited value in the Cloud Identity Engine
app as the Directory ID.

You must edit the System ID to remove the LDAP- that precedes the Directory
ID value before entering the value as the Directory ID in the Cloud Identity
Engine app.

7. Copy and edit the User value, then paste the edited value in the Cloud Identity Engine app
as the Directory Name.
For the Directory Name, use the domain name that follows the username in
the User column (for the example below, the Directory Name is the value after
Administrator@).

STEP 2 | Provision the SCIM connection.


1. Select SP Connections > Create Connection.
2. Select Do not use a template for this connection.
3. Select Outbound provisioning.
4. Select SCIM Connector.

If the SCIM Connector option isn’t available, confirm that you completed all
substeps in the previous step correctly.

5. Select General Info and enter a Partner’s Entity ID (Connection ID) and a Connection
Name.
6. (Optional but recommended) To decrease the amount of time necessary for the initial
sync, select Outbound Provisioning > Configure Provisioning > Manage Channels >
Channel Configuration > Channel Info and increase the value for Max Threads.
The recommended range is 1–5; for optimal sync time, Palo Alto Networks
recommends 5 as the value for Max Threads.

STEP 3 | Specify the information from the Cloud Identity Engine for the SCIM connection
provisioning.
1. Select Outbound Provisioning > Configure Provisioning.
2. Select the SP Connections Target tab and enter the Base URL that you copied from the
Cloud Identity Engine.

3. Select Applications > SP Connections > SP Connection > Configure Channels > Manage
Channels.
4. Select OAuth 2 Bearer Token as the Authentication Method and enter the Bearer
Token that you copied from the Cloud Identity Engine as the Access Token.

5. Select Common Name as the Group Name Source.

6. Select Use patch for group updates.

STEP 4 | Configure the channels for the SCIM connection.


1. Select Configure Channels and Create a channel.
2. Enter a Name for the channel and select the directory you want to configure in the
Cloud Identity Engine as the Active Data Store.
3. Select Source Location and enter the Base DN for your directory.
4. Enter the Group DN for the source of the user and group mappings or
create a filter that specifies which entries to use. For example, the Group
DN CN=Chicago,OU=Illinois,DC=example,DC=com syncs all users and groups in
the Chicago group.
5. If you use a Group DN and your directory contains nested groups, select Nested Search.

Retention of nested group hierarchies from PingFederate servers through the
SCIM Connector is not available. If your directory contains nested groups and
you want to sync all of the child users and groups, you must select the method
you want to use to ensure the Cloud Identity Engine correctly collects all users
and groups in the parent group.
• Add the parent group as a member of a different group and use that
container group as the Group DN. For example, configure the parent group in
a directory with the name root in an OU with the name location and use
the value CN=root,OU=location,DC=paloaltonetworks,DC=com
for the Group DN.
• Add a filter that includes all members of the parent group (for example,
(objectClass=user),(objectClass=group) includes all users and
groups in the Base DN DC=paloaltonetworks,DC=com).
6. Select Attribute Mapping and Edit the userName* to userPrincipalName.

7. Save the connection and continue the configuration in the Cloud Identity Engine.
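Steps 3 through 5 above (Base DN, Group DN or filter, and Nested Search) are where a channel configuration most often goes wrong: a Group DN that is not under the Base DN, a malformed filter, or nested groups that silently lose members. The following added example (not PingFederate or Palo Alto Networks code) is a pre-flight check for those settings: it parses DNs with RFC 4514 rules (case-insensitive, backslash-escaped commas), verifies the Group DN sits under the Base DN, builds a filter for users and groups with RFC 4515 escaping, and flattens nested membership with cycle protection to show exactly which users the connector ends up with, including the container-group workaround described above. The OR filter form (|(objectClass=user)(objectClass=group)) is the standard RFC 4515 syntax and is an assumption about what the filter field expects, not the literal string in the text; the directory in SAMPLE_GROUPS is constructed.

```python
SAMPLE_GROUPS = {  # constructed directory: group DN -> member DNs
    "CN=Chicago,OU=Illinois,DC=example,DC=com": [
        "CN=alice,OU=Users,DC=example,DC=com",
        "CN=Chicago-Eng,OU=Illinois,DC=example,DC=com",
    ],
    "CN=Chicago-Eng,OU=Illinois,DC=example,DC=com": [
        "CN=bob,OU=Users,DC=example,DC=com",
        "CN=Chicago,OU=Illinois,DC=example,DC=com",  # membership cycle
    ],
    "CN=Dallas,OU=Texas,DC=example,DC=com": ["CN=carol,OU=Users,DC=example,DC=com"],
    # container group holding the parent groups, the workaround the text describes
    "CN=root,OU=location,DC=example,DC=com": [
        "CN=Chicago,OU=Illinois,DC=example,DC=com",
        "CN=Dallas,OU=Texas,DC=example,DC=com",
    ],
}


def split_rdns(dn):
    """Split a DN on unescaped commas; a backslash escapes the next character (RFC 4514)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def normalize_dn(dn):
    """Return [(type, value), ...] lower-cased so comparisons ignore case and spacing."""
    result = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        result.append((attr.strip().lower(), value.strip().lower()))
    if not result:
        raise ValueError("empty DN")
    return result


def dn_is_under(child_dn, base_dn):
    """True when child_dn equals base_dn or lies beneath it. DNs are written
    leaf-first, so the base must be a suffix of the child's RDN list."""
    child, base = normalize_dn(child_dn), normalize_dn(base_dn)
    return len(child) >= len(base) and child[len(child) - len(base):] == base


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def members_filter(object_classes=("user", "group")):
    """Filter selecting every entry of the given object classes under the Base DN,
    in the standard OR form (assumed), e.g. (|(objectClass=user)(objectClass=group))."""
    clauses = "".join(f"(objectClass={escape_filter_value(c)})" for c in object_classes)
    return f"(|{clauses})" if len(object_classes) > 1 else clauses


def check_channel_source(base_dn, group_dn=None, nested_search=False):
    """Validate the Source Location settings; 'errors' is empty when they are consistent."""
    report = {"base_dn": base_dn, "group_dn": group_dn, "filter": None,
              "nested_search": nested_search, "errors": []}
    try:
        normalize_dn(base_dn)
        if group_dn is not None and not dn_is_under(group_dn, base_dn):
            report["errors"].append(f"Group DN {group_dn!r} is outside Base DN {base_dn!r}")
    except ValueError as exc:
        report["errors"].append(str(exc))
    if group_dn is None:
        report["filter"] = members_filter()  # no Group DN: select by filter instead
    return report


def flatten_members(groups, group_dn):
    """Transitive user membership of group_dn, with cycle protection: the flat
    view that remains once the nested hierarchy is dropped."""
    index = {tuple(normalize_dn(k)): v for k, v in groups.items()}
    seen, users, stack = set(), set(), [group_dn]
    while stack:
        key = tuple(normalize_dn(stack.pop()))
        if key in seen:
            continue
        seen.add(key)
        for member in index.get(key, []):
            if tuple(normalize_dn(member)) in index:
                stack.append(member)  # nested group: descend into it
            else:
                users.add(member)
    return users
```

Run check_channel_source with your own Base DN and Group DN before saving the channel; an error there is cheaper to find than a half-empty directory after the first sync. flatten_members on the container group shows why the workaround in the text works: the connector still receives every user under the parent groups, only the parent/child relationship between them is lost.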

STEP 5 | Complete the postdeployment steps to configure the PingFederate server for the SCIM
Connector.
1. Verify that you’ve completed all of the provisioning steps.
2. In the PingFederate Portal, either commit a directory change or run the following
command: pingfederate/bin/provmgr.sh --reset-all -c [channel number]

To determine the channel number, use the ./provmgr.sh --show-channels command.
3. In the Cloud Identity Engine, verify the app populates the SCIM Change Timestamp then
complete a full sync (Actions > Full Sync).

Configure Okta Directory for SCIM Connector


You must also complete the required steps in the Okta Administrator Dashboard to complete the
SCIM Connector configuration. For more information, refer to the documentation for the Okta
Directory.
The SCIM Connector for Okta directory supports the following capabilities:
• Create users
• Update user attributes
• Deactivate users
• Import users
• Import groups
• Sync password
• Group push

STEP 1 | Log in to your Okta Administrator Dashboard and add the integration using the Okta
Integration Network.
1. Log in to the Okta Administrator Dashboard, select Applications, and click Browse App
Catalog.

2. Enter Palo Alto Networks SCIM as the search query.

3. Select the app and click Add Integration.

4. Optionally change any settings, such as the Application Label, then click Done.

5. Copy your Okta domain name.

STEP 2 | Configure the Okta integration to communicate with the Cloud Identity Engine.
1. Select Provisioning.

2. Click Configure API Integration.

3. Select Enable API integration.

4. Enter the URL you copied in step 3.2 as the Base URL.

5. Enter the token you copied in step 3.3 as the API Token.

6. Click Test API Credentials to verify the Okta directory can successfully communicate
with the Palo Alto Networks SCIM integration then click Save.

If the test is not successful, verify that you successfully submitted your
configuration in the Cloud Identity Engine app in step 3.4.

STEP 3 | Assign the Okta integration to the users you want to include in your Security policy.
1. Edit the settings to assign Provisioning to App.

2. Enable all the options and Save your changes.

3. Select the Push Groups tab then click the Find Groups button to Find groups by name.

4. Type the name of a group to Push groups by name.

5. Select the group and Save your changes.

STEP 4 | Verify the configuration.


1. In the Cloud Identity Engine app, select Directories and verify that the timestamp
displays in the SCIM Change Timestamp column for the Okta SCIM directory.

2. Select Actions > Full Sync for the directory.

The configuration isn’t complete until you’ve successfully completed a full sync
for the entire directory.

Configure a Custom Okta App Integration for SCIM Connector


Palo Alto Networks strongly recommends using the Okta gallery app to Configure Okta Directory
for SCIM Connector. If you want to use a custom Okta app integration, complete the following
steps.

STEP 1 | Log in to your Okta Administrator Dashboard and Create an app integration.
1. Select SAML 2.0 as the Sign-in method and click Next.

2. Enter a unique App Name and optionally enter any other information (such as an App
Logo or App Visibility) then click Next.

3. Enter the Single sign-on URL where you want to redirect users to sign in and the
Audience URI (SP Entity ID) then click Next.

4. Select the option that best reflects your use of the SCIM Connector app integration and
click Finish.

STEP 2 | Configure the Okta SCIM Connector app integration.


1. Select General (if it is not already selected) and Edit the App Settings.

2. Select SCIM as the Provisioning method and Save your changes.

STEP 3 | Configure provisioning for the Okta SCIM Connector app integration.
1. Select Provisioning and Edit the SCIM Connection settings.

2. Enter the Base URL you copied from the Cloud Identity Engine app in Step 3.2 as the
SCIM connector base URL.

3. Enter userName as the Unique identifier field for users.

4. Select the Supported provisioning actions you want to use to allow users to
authenticate.

5. Select HTTP Header as the Authentication Mode.

6. Enter the Bearer Token you copied from the Cloud Identity Engine app in Step 3.3 and
Save your changes.

7. Select Provisioning and Edit the settings.

8. Select at least one of the options for Provisioning to App and Save your changes.

STEP 4 | Assign the users and groups that you want to use the Okta SCIM Connector app integration.
1. Select Assignments > Assign > Assign to People to assign the users you want to use
Okta SCIM.

2. Select the users for whom you want to Assign this app.

3. Review and edit the information as needed then click Save and Go Back.

4. Verify the users you added display on the Assignments tab.

5. Select Push Groups then Find groups by name to assign groups to this app.

6. Select the group you want to assign to this app then click Save and add another. Repeat
as needed until all the groups you want to assign to this app have been selected then
click Save.

STEP 5 | Verify the configuration.


1. Select Reports > System Log.

2. Verify that log results display to confirm that the SCIM Connector can successfully
communicate with your directory. If no results populate, the SCIM Connector cannot
communicate with your directory; verify the configuration and make any needed
changes, then check the log results again.

Verify that this step is complete before continuing to the next step. Until the
log results display in the Okta Administrator Dashboard, a full sync cannot
successfully complete for the directory in the Cloud Identity Engine app.
3. In the Cloud Identity Engine app, select Directories and verify that the timestamp
displays in the SCIM Change Timestamp column for the Okta SCIM directory.

4. Select Actions > Full Sync for the directory.

The configuration is not complete until you have successfully completed a full
sync for the entire directory.

Manage the Cloud Identity Engine App
After you have configured the Cloud Identity Engine, you can add, rename, or delete tenants
and collect any custom attributes in your directory, as well as view a list of the default attribute
formats. You can also view the comprehensive information that the Cloud Identity Engine collects.
To ensure consistent security policy enforcement, you can configure segments for granular
data sharing across your network. You can also configure context-based groups that update
membership automatically based on criteria that you select.
If you use Device-ID and third-party devices to identify IoT devices on your network, you can use
the Cloud Identity Engine to share device mappings with your Prisma Access Nodes.
If you use dynamic address groups for your tag-based security policy, you can use the Cloud
Identity Engine to collect and redistribute mappings across your network to help ensure
consistent policy enforcement.
• Cloud Identity Engine Tenants
• Cloud Identity Engine Attributes
• Collect Custom Attributes with the Cloud Identity Engine
• View Directory Data
• Cloud Identity Engine User Context
• Create a Cloud Dynamic User Group
• Configure Third-Party Device-ID
• Configure an IP Tag Cloud Connection

Cloud Identity Engine Tenants


When you activate the Cloud Identity Engine, it automatically creates a tenant. Each tenant can
collect attributes from multiple directory types for multiple domains in a single region. If you want
to collect attributes for multiple regions, create multiple tenants in the Cloud Identity Engine app.
You can also create multiple tenants to segment or isolate specific attributes.

You must have an App Administrator role to create, rename, or delete tenants.

Create Cloud Identity Engine Tenants


If you want to isolate your directory data, or allow different Palo Alto Networks cloud applications
and services to access different sets of directory data, you can create multiple Cloud Identity
Engine tenants in the hub.
STEP 1 | Log in to the hub.

STEP 2 | Select Tenant Management.

STEP 3 | Select Add Tenant.

STEP 4 | Enter a Name for the tenant and select a Business Vertical.

STEP 5 | (Optional) To enter custom support contact information, select Use custom and enter the
contact information.
You can enter up to 255 alphanumeric characters.

STEP 6 | Click Add Tenant.


The Hub lists new tenants at the bottom of the list of tenants.

View Cloud Identity Engine Tenants


Tenants display in the order in which they were created, with the most recently created tenant at
the bottom of the list.
STEP 1 | Log in to the hub.

STEP 2 | Select Tenant Management.

STEP 3 | By default, the list of tenants displays as collapsed; click the arrow to display the full tenant
list.

STEP 4 | Select the tenant you want to view.

Synchronize Cloud Identity Engine Tenants


There are two ways that the Cloud Identity Engine synchronizes changes to your directory
attributes:
• A full sync, which is a complete sync of the entire directory.
• A sync of just the changes to the directory since the last successful sync, which takes much less
time to complete (Not supported with Google Directory).
By default, the Cloud Identity Engine app synchronizes the directory attributes:
• Every five minutes with the changes since the last successful sync (Not supported with Google
Directory) unless a sync is already in progress.
• Weekly with a complete sync of all configured directories (Not supported with Google
Directory).
• Based on the schedule you select (Google Directory only).

The time to synchronize data depends significantly on the number of changes, the size of
the directory, and the amount of group nesting.

To refresh your Cloud Identity Engine tenant with any recent changes in your directory before
that time, you can select how you want to synchronize changes to the attributes for your
configured domains.

Synchronize All Attributes


Synchronizing all attributes (a full sync) is recommended if you are experiencing issues or lose
connectivity.

For on-premises directories, all agents and domains for the tenant must be active for the
sync to complete successfully.

STEP 1 | Log in to the hub and select the Cloud Identity Engine app.

STEP 2 | Select the directory you want to synchronize, then select Directories.

STEP 3 | Select Actions > Full Sync to initialize the synchronization for the directory type you want to
synchronize instantly.

For an on-premises Active Directory, click Full Sync.

The synchronization starts immediately and a confirmation message (Sync started)
displays. The sync may take some time to complete, so make sure you click Full Sync only
once. If a synchronization is currently in progress when you try to synchronize, a warning
message (Sync in progress) displays at the top of the screen.

STEP 4 | To confirm the synchronization is complete, verify the Sync Status is Success.

Synchronize Directory Changes


You can sync just the changes to your directory, which is much faster than a full sync of your
directory. By default, the Cloud Identity Engine syncs changes for most attributes every five
minutes unless a sync is already in progress.
For Azure Active Directory (Azure AD) and Okta, the Cloud Identity Engine syncs attributes for
users and groups every five minutes; for Azure AD, a sync for devices occurs daily if the previous
device sync required less than 24 hours to complete. If completing the device sync required more
than 24 hours, the next sync occurs at the interval of the duration for the previous device sync
(for example, if the previous device sync required 26 hours, then the next sync would occur 26
hours from the previous successful sync).
STEP 1 | If you have not already done so, configure a directory.


STEP 2 | After making changes to your directory, select Actions > Sync Changes to sync the changes
for your directory.


For an on-premises Active Directory, click Sync Changes.

The sync may take some time to complete, so make sure you click Sync Changes
only once. We recommend a full sync of your directory if you lose connectivity or are
experiencing issues. To sync the entire directory, Synchronize All Attributes in a full
sync. If a full sync is in progress, you cannot sync changes. After a full sync completes
in the Cloud Identity Engine app, the firewall must also complete a full sync.

Set Synchronization Interval

This sync option is available for Google Directory only.

STEP 1 | Log in to the hub and select the Cloud Identity Engine app.

STEP 2 | Select the tenant you want to synchronize, then select Directories.


STEP 3 | Click Sync Every: for the directory type interval that you want to change and select the
interval.
• 6 Hours
• 12 Hours
• 24 Hours (Default)

After you select an interval, a confirmation message displays at the top of the screen.

Synchronize Attributes Instantly

This sync option is available for Google Directory only.

STEP 1 | Log in to the hub and select the Cloud Identity Engine app.

STEP 2 | Select the tenant you want to synchronize, then select Directories.


STEP 3 | Sync Now to initialize the synchronization for the directory type you want to synchronize
instantly.
The synchronization starts immediately and a confirmation message (Sync started)
displays. If a synchronization is currently in progress when you try to synchronize, a warning
message (Sync in progress) displays at the top of the screen.

STEP 4 | To confirm the synchronization is complete, verify the Sync Status is Success.

Rename Cloud Identity Engine Tenants


If you want to change the name of a Cloud Identity Engine tenant after you create it, you can
rename it in the Cloud Identity Engine app.
STEP 1 | Log in to the hub.

STEP 2 | Select Common Services > Tenant Management.


STEP 3 | Select the tenant you want to rename then click Edit Tenant.

A pop-up displays to allow you to edit the name of the tenant.

You cannot change the region. If you need to change the region for a tenant, create a
new tenant.


STEP 4 | Enter the new Name and confirm the change by clicking Save.

A confirmation message displays to indicate that the tenant was successfully renamed.

Delete Cloud Identity Engine Tenants


If you no longer need to use a tenant, you can delete it as long as no other application is using it.
If the tenant is currently used by another app, an error message displays when you try to delete
the tenant.
STEP 1 | (On-premises Active Directory only) Stop the agent’s connection with the Cloud Identity
Engine and Remove the Cloud Identity Agent.

STEP 2 | Log in to the hub.

STEP 3 | Select Common Services > Tenant Management.


STEP 4 | Select the tenant and click Delete Tenant.

STEP 5 | Confirm that you want to delete the tenant.


Delete Domains or Directories from Cloud Identity Engine Tenants


The procedure for deleting a domain from the Cloud Identity Engine varies depending on whether
you are deleting a domain for an Active Directory (AD) configuration or for a cloud-based
directory.
• Delete Active Directory Domains
• Delete Cloud-Based Directories

Delete Active Directory Domains


To delete a domain from your Cloud Identity Engine tenant, first delete it from the agent
configuration then delete it from the Cloud Identity Engine app on the hub.
STEP 1 | Launch the agent and select LDAP Configuration.

STEP 2 | From the list of Servers, select the domain you want to delete and Delete it.

STEP 3 | Commit the changes.


You must delete the domain from the Cloud Identity agent configuration before you delete it
from the Cloud Identity Engine app. Otherwise, it will be re-added on the next synchronization.

STEP 4 | Log in to the hub and select the Cloud Identity Engine app.

STEP 5 | Select the tenant with the domain you want to delete, then select Directory.


STEP 6 | Remove the domain then Confirm the deletion of the domain.

Delete Cloud-Based Directories


STEP 1 | Log in to the hub and select the Cloud Identity Engine app.

STEP 2 | Select the tenant with the domain you want to delete, then select Directory.


STEP 3 | Select Actions then Remove the directory.

STEP 4 | Click Yes to confirm the deletion of the directory.


Cloud Identity Engine Attributes


An attribute is a unique identifier, such as a Distinguished Name, that correlates to a specific
object in the directory, which can be a user, a computer, or another network entity. If your
directory uses custom attributes that do not use the following formats, specify the custom
formats in the Cloud Identity Engine app (see Collect Custom Attributes with the Cloud Identity
Engine).
• On-Premises Active Directory
• Azure Active Directory
• SCIM Directory
• Okta Directory
• Google Directory
• On-Premises OpenLDAP

On-Premises Active Directory


You can collect the following types of default attributes and their associated Active Directory
fields:
• User Attributes
• Organizational Unit (OU) Attributes
• Group Attributes
• Container Attributes
• Computer Attributes

User Attributes

Palo Alto Networks Attribute                Active Directory Field
Admin Count                                 adminCount
Common-Name                                 cn
CompanyName                                 companyName
Country                                     co
Department                                  department
Distinguished Name                          dn
Groups                                      memberOf
Last Login                                  lastLogon
Last Logon Time                             lastLogonTimestamp
Location                                    l
MSDSAllowedDelegatedTo                      msDS-AllowedToDelegateTo
MSDSAllowedToActOnBehalfOfOtherIdentity     msDS-AllowedToActOnBehalfOfOtherIdentity
MSDSSupportedEncryptionTypes                msDS-SupportedEncryptionTypes
Mail                                        mail
    If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the
    value of the User Principal Name.
Manager                                     manager
NETBIOS Name                                nETBIOSName
Name                                        displayName
Object Class                                objectClass
Primary Group ID                            primaryGroupID
SAM Account Name                            sAMAccountName
SID                                         objectSid
SID History                                 sIDHistory
Service Principal Name                      servicePrincipalName
Title                                       title
Unique Identifier                           objectGUID
User Principal Name                         userPrincipalName
User Account Control                        userAccountControl
When Changed                                whenChanged


Organizational Unit (OU) Attributes

Palo Alto Networks Attribute        Active Directory Field
Canonical Name                      canonicalName
Common-Name                         cn
Distinguished Name                  dn
Name                                displayName
Object Class                        objectClass
Unique Identifier                   objectGUID
When Changed                        whenChanged

Group Attributes

Palo Alto Networks Attribute        Active Directory Field
Admin Count                         adminCount
Common-Name                         cn
Distinguished Name                  dn
Group Type                          groupType
Groups                              memberOf
Mail                                mail
    If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the
    value of the User Principal Name.
Member                              member
Name                                name
Object Class                        objectClass
SAM Account Name                    sAMAccountName
SID                                 objectSid
Unique Identifier                   objectGUID
When Changed                        whenChanged
WhenCreated                         whenCreated

Container Attributes

Palo Alto Networks Attribute        Active Directory Field
Canonical Name                      canonicalName
Common-Name                         cn
Distinguished Name                  dn
Name                                displayName
Object Class                        objectClass
Unique Identifier                   objectGUID
WhenChanged                         whenChanged
WhenCreated                         whenCreated

Computer Attributes

Palo Alto Networks Attribute                Active Directory Field
Admin Count                                 adminCount
Common-Name                                 cn
Distinguished Name                          dn
Groups                                      memberOf
Host Name                                   dNSHostName
Last Login                                  lastLogon
Last Logon Time                             lastLogonTimestamp
MSDSAllowedDelegatedTo                      msDS-AllowedToDelegateTo
MSDSAllowedToActOnBehalfOfOtherIdentity     msDS-AllowedToActOnBehalfOfOtherIdentity
MSDSSupportedEncryptionTypes                msDS-SupportedEncryptionTypes
NETBIOS Name                                nETBIOSName
Name                                        displayName
OS                                          operatingSystem
OS Service Pack                             operatingSystemServicePack
OS Version                                  operatingSystemVersion
Object Class                                objectClass
Primary Group ID                            primaryGroupID
SAM Account Name                            sAMAccountName
SID                                         objectSid
SID History                                 sIDHistory
Serial Number                               serialNumber
Service Principal Name                      servicePrincipalName
Unique Identifier                           objectGUID
User Principal Name                         userPrincipalName
UserAccountControl                          userAccountControl
WhenChanged                                 whenChanged
WhenCreated                                 whenCreated

Azure Active Directory


You can collect the following types of default attributes and their associated Azure Active
Directory fields:
• User Attributes
• Group Attributes
• Computer Attributes
• Application Attributes


User Attributes

Palo Alto Networks Attribute        Azure Active Directory Field
BusinessPhones                      businessPhones
CompanyName                         companyName
Country                             country
Department                          department
EmployeeId                          employeeId
FaxNumber                           faxNumber
Given Name                          givenName
Groups                              memberOf
IsResourceAccount                   isResourceAccount
LastPasswordChangeDateTime          lastPasswordChangeDateTime
Location                            officeLocation
Mail                                mail
    If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the
    value of the User Principal Name.
Manager                             manager
MobilePhone                         mobilePhone
Name                                displayName
OnPremisesDistinguishedName         onPremisesDistinguishedName
OnPremisesExtensionAttributes       onPremisesExtensionAttributes
OnPremisesImmutableId               onPremisesImmutableId
OnPremisesLastSyncDateTime          onPremisesLastSyncDateTime
OnPremisesProvisioningErrors        onPremisesProvisioningErrors
OnPremisesSamAccountName            onPremisesSamAccountName
OnPremisesSyncEnabled               onPremisesSyncEnabled
OtherMails                          otherMails
PasswordPolicies                    passwordPolicies
PasswordProfile                     passwordProfile
PostalCode                          postalCode
PreferredLanguage                   preferredLanguage
SignInSessionsValidFromDateTime     signInSessionsValidFromDateTime
State                               state
StreetAddress                       streetAddress
Sur Name                            surname
Title                               jobTitle
Unique Identifier                   objectGUID
UsageLocation                       usageLocation
User Principal Name                 userPrincipalName
UserAccountControl                  accountEnabled
UserType                            userType
WhenChanged                         createdDateTime
onPremisesSecurityIdentifier        onPremisesSecurityIdentifier
onPremisesUserPrincipalName         onPremisesUserPrincipalName

Group Attributes

Palo Alto Networks Attribute        Azure Active Directory Field
Classification                      classification
DeletedDateTime                     deletedDateTime
Description                         description
Group Type                          groupTypes
Groups                              memberOf
Mail                                mail
    If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the
    value of the User Principal Name.
Mail Nick Name                      mailNickname
MailEnabled                         mailEnabled
Member                              member
Name                                displayName
OnPremisesLastSyncDateTime          onPremisesLastSyncDateTime
OnPremisesProvisioningErrors        onPremisesProvisioningErrors
OnPremisesSecurityIdentifier        onPremisesSecurityIdentifier
OnPremisesSyncEnabled               onPremisesSyncEnabled
RenewedDateTime                     renewedDateTime
SAM Account Name                    onPremisesSamAccountName
SID                                 securityIdentifier
SecurityEnabled                     securityEnabled
Unique Identifier                   objectGUID
Visibility                          visibility
WhenChanged                         createdDateTime

Computer Attributes

Palo Alto Networks Attribute        Azure Active Directory Field
ComplianceExpirationDateTime        complianceExpirationDateTime
Device ID                           deviceId
Groups                              memberOf
IsCompliant                         isCompliant
IsManaged                           isManaged
LastLogonTime                       approximateLastSignInDateTime
Manufacturer                        manufacturer
MdmAppId                            mdmAppId
Model                               model
Name                                displayName
OS                                  operatingSystem
OSVersion                           operatingSystemVersion
Profile Type                        profileType
Serial Number                       deviceId
SystemLabels                        systemLabels
TrustType                           trustType
Unique Identifier                   objectGUID
UserAccountControl                  accountEnabled
WhenChanged                         createdDateTime

Application Attributes

Palo Alto Networks Attribute        Azure Active Directory Field
App Id                              appId
App Roles                           appRoles
Description                         description
DisabledByMicrosoftStatus           disabledByMicrosoftStatus
Identifier Uris                     identifierUris
Name                                displayName
Unique Identifier                   objectGUID
createdDateTime                     createdDateTime
web                                 web

SCIM Directory
You can collect the following types of default attributes and their associated SCIM Connector
fields:
• User Attributes
• Group Attributes

User Attributes
The following section lists the default attributes for users that the directory provisions to
Directory Sync using SCIM.

Palo Alto Networks Attribute        SCIM Directory Field
Common-Name                         name_formatted
CompanyName                         addresses_work_formatted
Country                             addresses_work_country
Department                          enterprise_department
EmployeeId                          enterprise_employeeNumber
FaxNumber                           phoneNumbers_fax_value
Given Name                          name_firstName
Groups                              groups
Location                            locale
Mail                                emails_work_value
    If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the
    value of the User Principal Name.
MobilePhone                         phoneNumbers_mobile_value
Name                                displayName
PostalCode                          addresses_work_postalCode
PreferredLanguage                   preferredLanguage
PreferredName                       nickName
StreetAddress                       addresses_work_streetAddress
Sur Name                            name_familyName
Title                               title
Unique Identifier                   objectGUID
User Principal Name                 userName
UserType                            userType
    The SCIM gallery app does not support the userType attribute.
createdDateTime                     meta_created

Group Attributes
The following section lists the default attributes for groups that the directory provisions to
Directory Sync using SCIM.

Group names for the displayName attribute must be unique. For more information,
refer to Troubleshoot Cloud Identity Engine Issues.

Palo Alto Networks Attribute        SCIM Directory Field
Description                         displayName
Group Type                          groupTypes
Member                              members
Name                                displayName
Unique Identifier                   objectGUID
createdDateTime                     meta_created

Okta Directory
You can collect the following types of default attributes and their associated Okta Directory
fields:
• User Attributes
• Group Attributes

User Attributes

Palo Alto Networks Attribute        Okta Directory Field
City                                city
CompanyName                         companyName
Country                             countryCode
Department                          department
Distinguished Name                  dn
EmployeeId                          employeeNumber
Given Name                          firstName
Groups                              memberOf
Last Login                          lastLogin
LastPasswordChangeDateTime          passwordChanged
Mail                                email
    If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the
    value of the User Principal Name.
Manager                             managerDN
MobilePhone                         mobilePhone
Name                                displayName
PostalCode                          zipCode
PreferredLanguage                   preferredlanguage
PreferredName                       nickName
Primary Group ID                    primaryGroupID
SID                                 objectSid
State                               state
StreetAddress                       streetAddress
Sur Name                            lastName
Title                               title
Unique Identifier                   objectGUID
User Principal Name                 userName
UserType                            userType
createdDateTime                     created

Group Attributes

Palo Alto Networks Attribute        Okta Directory Field
Description                         description
Group Type                          groupTypes
Groups                              memberOf
Member                              member
Name                                name
SAM Account Name                    samAccountName
SID                                 objectSid
Unique Identifier                   objectGUID
createdDateTime                     created

Application Attributes

Palo Alto Networks Attribute        Okta Directory Field
App Id                              appId
Description                         description
Name                                displayName
Unique Identifier                   objectGUID

Google Directory
To identify users and apply security policy, the Cloud Identity Engine collects the following
attributes from Google Directory:
• User Attributes
• Organizational Unit (OU) Attributes
• Group Attributes
• Computer Attributes

User Attributes

Palo Alto Networks Attribute        Google Directory Field
BusinessPhones                      phones
Country                             country
Given Name                          givenName
Groups                              memberOf
Last Logon Time                     lastLoginTime
Location                            locations.area
Mail                                primaryEmail
    If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the
    value of the User Principal Name.
Name                                fullName
OtherMails                          emails
PreferredLanguage                   languages
SID                                 id
State                               state
StreetAddress                       streetAddress
Sur Name                            familyName
Title                               title
Unique Identifier                   objectGUID
User Principal Name                 userName
UserAccountControl                  suspended
UserType                            isAdmin
createdDateTime                     creationTime

Organizational Unit (OU) Attributes

Palo Alto Networks Attribute        Google Directory Field
Description                         description
Name                                name
Unique Identifier                   objectGUID

Group Attributes

Palo Alto Networks Attribute        Google Directory Field
Group Type                          kind
Groups                              memberOf
Mail                                email
    If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the
    value of the User Principal Name.
Member                              member
Name                                name
SID                                 id
Unique Identifier                   objectGUID

Computer Attributes

Palo Alto Networks Attribute        Google Directory Field
Groups                              memberOf
HostName                            dNSHostName
Last Login                          lastLogon
LastLogonTime                       lastLogonTimestamp
NETBIOS Name                        nETBIOSName
OS                                  operatingSystem
OSServicePack                       operatingSystemServicePack
OSVersion                           operatingSystemVersion
Primary Group ID                    primaryGroupID
SID                                 deviceId
SID History                         sIDHistory
Serial Number                       serialNumber
Service Principal Name              servicePrincipalName
Unique Identifier                   objectGUID
User Principal Name                 userPrincipalName
User Account Control                status

On-Premises OpenLDAP
You can collect the following types of default attributes and their associated OpenLDAP
directory fields:
• User Attributes
• Organizational Unit (OU) Attributes
• Group Attributes
• Container Attributes
• Computer Attributes

User Attributes

Palo Alto Networks Attribute        OpenLDAP Directory Field
Common-Name                         cn
Country                             co
Department                          department
Distinguished Name                  dn
Groups                              memberOf
Last Login                          lastLogon
Last Logon Time                     lastLogonTimestamp
Location                            l
Mail                                mail
    If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the
    value of the User Principal Name.
Manager                             manager
Name                                displayName
Object Class                        objectClass
SAM Account Name                    sAMAccountName
SID                                 objectSid
Title                               title
Unique Identifier                   entryUUID
User Principal Name                 userPrincipalName
WhenChanged                         modifyTimestamp
WhenCreated                         createTimestamp

Organizational Unit (OU) Attributes

Palo Alto Networks Attribute        OpenLDAP Directory Field
Canonical Name                      canonicalName
Common-Name                         cn
Distinguished Name                  dn
Name                                displayName
Object Class                        objectClass
Unique Identifier                   entryUUID
WhenChanged                         modifyTimestamp
WhenCreated                         createTimestamp

Group Attributes

Palo Alto Networks Attribute        OpenLDAP Directory Field
Common-Name                         cn
Distinguished Name                  dn
Group Type                          groupType
Groups                              memberOf
Mail                                mail
    If you do not configure a value for the Mail attribute, the Cloud Identity Engine uses the
    value of the User Principal Name.
Member                              uniqueMember
Name                                name
Object Class                        objectClass
Unique Identifier                   entryUUID
WhenChanged                         modifyTimestamp
WhenCreated                         createTimestamp

Container Attributes

Palo Alto Networks Attribute        OpenLDAP Directory Field
Canonical Name                      canonicalName
Common-Name                         cn
Distinguished Name                  dn
Name                                displayName
Object Class                        objectClass
Unique Identifier                   entryUUID
WhenChanged                         modifyTimestamp
WhenCreated                         createTimestamp


Computer Attributes

Palo Alto Networks Attribute        OpenLDAP Directory Field
Common-Name                         cn
Distinguished Name                  dn
Groups                              memberOf
Host Name                           dNSHostName
Last Login                          lastLogon
Last Logon Time                     lastLogonTimestamp
NETBIOS Name                        nETBIOSName
Name                                displayName
OS                                  operatingSystem
OS Service Pack                     operatingSystemServicePack
OS Version                          operatingSystemVersion
Object Class                        objectClass
Primary Group ID                    primaryGroupID
SAM Account Name                    sAMAccountName
SID                                 objectSid
Serial Number                       serialNumber
Unique Identifier                   entryUUID
User Principal Name                 userPrincipalName
User Account Control                userAccountControl
WhenChanged                         modifyTimestamp
WhenCreated                         createTimestamp


Collect Custom Attributes with the Cloud Identity Engine

If your directory uses custom attributes, you must specify the custom attribute so that the Cloud
Identity Engine can collect it. To view the default attribute formats, see Cloud Identity Engine
Attributes.
STEP 1 | Log in to the hub and select the Cloud Identity Engine tenant that uses custom attributes.

STEP 2 | Select Attributes then select the directory type that uses the custom attribute.

STEP 3 | Select a custom attribute in your directory.

The field is now editable.


STEP 4 | Enter the new value in the field and confirm the change by clicking the checkmark.

Custom attributes cannot begin with an underscore ( _ ).

A green triangle displays in the upper left corner of the row to indicate the changes.

To use the original attribute value, select the custom attribute and Restore Default.
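The attribute tables and the custom-attribute procedure above can be modeled in code. The following Python is an added illustration, not Cloud Identity Engine or Cloud Identity Agent code: it renames constructed directory records to the Palo Alto Networks attribute names (a subset of the on-premises Active Directory and Azure Active Directory user tables), applies the Mail fallback to the User Principal Name, and validates custom attribute overrides against the underscore rule. The sample records and the extensionAttribute1 override are assumptions.

```python
from typing import Any, Dict, Optional

# Subsets of the default mappings from the on-premises Active Directory and Azure Active
# Directory user attribute tables (Palo Alto Networks attribute -> directory field).
AD_USER_FIELDS: Dict[str, str] = {
    "Common-Name": "cn",
    "Distinguished Name": "dn",
    "Groups": "memberOf",
    "Mail": "mail",
    "Name": "displayName",
    "SAM Account Name": "sAMAccountName",
    "SID": "objectSid",
    "Unique Identifier": "objectGUID",
    "User Principal Name": "userPrincipalName",
    "User Account Control": "userAccountControl",
}
AZURE_AD_USER_FIELDS: Dict[str, str] = {
    "Groups": "memberOf",
    "Mail": "mail",
    "Name": "displayName",
    "Unique Identifier": "objectGUID",
    "User Principal Name": "userPrincipalName",
    "UserAccountControl": "accountEnabled",
}
DEFAULT_FIELDS: Dict[str, Dict[str, str]] = {
    "active_directory": AD_USER_FIELDS,
    "azure_ad": AZURE_AD_USER_FIELDS,
}


class CustomAttributeError(ValueError):
    """Raised when a custom attribute override is not acceptable."""


def validate_custom_field(field: str) -> str:
    """Enforce the rule that custom attributes cannot begin with an underscore."""
    if not field or field.startswith("_"):
        raise CustomAttributeError(
            "custom attribute names cannot be empty or begin with '_': %r" % field)
    return field


def build_mapping(directory_type: str,
                  custom: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Start from the default fields for the directory type and overlay custom overrides.

    Leaving an attribute out of `custom` is the equivalent of Restore Default."""
    mapping = dict(DEFAULT_FIELDS[directory_type])
    for attribute, field in (custom or {}).items():
        if attribute not in mapping:
            raise CustomAttributeError(
                "unknown attribute %r for %s" % (attribute, directory_type))
        mapping[attribute] = validate_custom_field(field)
    return mapping


def normalize(record: Dict[str, Any], mapping: Dict[str, str]) -> Dict[str, Any]:
    """Rename directory fields to Palo Alto Networks attribute names, dropping empty values.

    When Mail has no value, fall back to the User Principal Name, as the tables note."""
    normalized = {
        attribute: record[field]
        for attribute, field in mapping.items()
        if record.get(field) not in (None, "", [])
    }
    if "Mail" not in normalized and "User Principal Name" in normalized:
        normalized["Mail"] = normalized["User Principal Name"]
    return normalized


if __name__ == "__main__":
    # Constructed sample record with an empty mail value, so Mail falls back to the UPN.
    sample = {
        "cn": "jdoe",
        "dn": "CN=jdoe,OU=Users,DC=example,DC=com",
        "userPrincipalName": "jdoe@example.com",
        "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"],
        "mail": "",
    }
    print(normalize(sample, build_mapping("active_directory")))
    # Assumed custom override: read Mail from extensionAttribute1 instead of mail.
    print(build_mapping("active_directory", {"Mail": "extensionAttribute1"})["Mail"])
```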


View Directory Data


In the Cloud Identity Engine app, you can use the Directory Data page to view data (depending on
your directory type) about users, computers, groups, devices, containers, and organizational units
that are collected from your directory. You can also use keywords to search the data for specific
objects (such as users or groups) and view all the attributes of those objects to validate the data.
The Directories page provides a total count for the objects that the Cloud Identity Engine has
collected from your directory. To review details for an object, click the total count in the column
for the object to view the Directory Data page.

When you select an object, the number of results for that object displays below the domain name
at the top of the page.


By default, up to 25 results display for the object. To view the rest of the data or a specific result,
use the following methods.


Search for data in the search bar by entering a partial or complete keyword, then press Enter or
click Search to see the results.

Search terms are not case-sensitive.


To refine the search results, select a search type:

Search terms are split on the delimiter characters that MongoDB and Unicode define. For
example, entering test-user as a search term includes results for test-user and test
user but not testuser because the hyphen is a delimiter character.

• Text search—Displays results that match the entire search term.

• Substring match—Displays results that match the entire search term or that partially match
the search term.
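The search behavior described above (not case-sensitive, delimiter-aware, text search versus substring match, up to 25 results by default) is shown in the following Python, which is an added illustration and not the app's own code. It assumes that any run of non-word characters is a delimiter and that a text search requires every token of the search term to appear as a whole token in the object; the sample users are constructed.

```python
import re
from typing import Any, Dict, Iterable, List, Set

DEFAULT_PAGE_SIZE = 25  # the Directory Data page shows up to 25 results by default

# Assumption: any run of non-word characters (whitespace, hyphen, '@', '.', ...) is a delimiter,
# which reproduces the example of test-user matching "test user" but not "testuser".
DELIMITERS = re.compile(r"[\W_]+")

# Constructed sample objects as they might appear on the Directory Data page.
SAMPLE_USERS: List[Dict[str, Any]] = [
    {"Name": "Test-User", "User Principal Name": "test-user@example.com"},
    {"Name": "Test User", "User Principal Name": "tuser@example.com"},
    {"Name": "testuser", "User Principal Name": "testuser@example.com"},
    {"Name": "Alice Tester", "User Principal Name": "alice@example.com"},
    {"Name": "Bob Builder", "User Principal Name": "bob@example.com"},
]


def tokenize(text: str) -> List[str]:
    """Lower-case the text (search is not case-sensitive) and split it on delimiters."""
    return [token for token in DELIMITERS.split(text.lower()) if token]


def object_tokens(obj: Dict[str, Any]) -> Set[str]:
    """All tokens across the object's string and list-of-string attribute values."""
    tokens: Set[str] = set()
    for value in obj.values():
        values = value if isinstance(value, list) else [value]
        for item in values:
            if isinstance(item, str):
                tokens.update(tokenize(item))
    return tokens


def matches(obj: Dict[str, Any], term_tokens: List[str], mode: str) -> bool:
    """Text search: every token of the term is present as a whole token.
    Substring match: additionally accept a partial match of any term token."""
    tokens = object_tokens(obj)
    if all(token in tokens for token in term_tokens):
        return True
    if mode == "substring":
        return any(term in token for term in term_tokens for token in tokens)
    return False


def search(objects: Iterable[Dict[str, Any]], term: str, mode: str = "text",
           limit: int = DEFAULT_PAGE_SIZE) -> List[Dict[str, Any]]:
    """Return up to `limit` objects matching `term` under the selected search type."""
    if mode not in ("text", "substring"):
        raise ValueError("mode must be 'text' or 'substring'")
    term_tokens = tokenize(term)
    if not term_tokens:
        return []
    results: List[Dict[str, Any]] = []
    for obj in objects:
        if matches(obj, term_tokens, mode):
            results.append(obj)
            if len(results) >= limit:
                break
    return results


if __name__ == "__main__":
    for mode in ("text", "substring"):
        names = [user["Name"] for user in search(SAMPLE_USERS, "test-user", mode=mode)]
        print(mode, "->", names)
```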


Browse the data using the page navigation buttons or use the drop-down list to select the
number of rows to display.


To view selected details for an object, select Details in the first column.

• When you select a group, the app displays the first 2000 flattened users in the
group below the Member attribute. If the group doesn’t contain any members, this
attribute does not display any information.
• When you select a user, the app displays the first 2000 groups to which the user
belongs below the Groups attribute. If the user doesn’t belong to any groups, this
attribute does not display any information.

The Cloud Identity Engine currently supports retrieval of inventory information
for enterprise applications, such as Name, Redirect URIs, and IDs. Viewing the
membership assignment relationships between the retrieved apps and their
corresponding users and groups is currently a beta feature.

• To view all the data for this object, click View Raw Data in the upper right corner.



• To copy the details for the object to the clipboard, click Copy.
• To switch the view between Direct and Direct and Nested, select the toggle.

If the directory contains nested groups, they display after you select the toggle. To restore
the original Direct view, select the toggle again.


Nested group information is not available for attribute-based Cloud Dynamic User
Groups.
• To query the data, enter a search term and click Apply Search to display the results.
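The Direct versus Direct and Nested views and the 2000-entry display limit described above are modeled in the following Python, an added illustration rather than the app's own code. The group tree is constructed and deliberately contains a membership cycle, which is why nested resolution keeps a visited set.

```python
from collections import deque
from typing import Dict, List

MAX_DISPLAY = 2000  # the app shows at most the first 2000 flattened users or groups

ALL_STAFF = "CN=All-Staff,OU=Groups,DC=example,DC=com"
ENGINEERING = "CN=Engineering,OU=Groups,DC=example,DC=com"
PLATFORM = "CN=Platform,OU=Groups,DC=example,DC=com"
ALICE = "CN=alice,OU=Users,DC=example,DC=com"
BOB = "CN=bob,OU=Users,DC=example,DC=com"
CAROL = "CN=carol,OU=Users,DC=example,DC=com"

# Constructed sample directory: group DN -> direct member DNs (the group's member attribute).
# DNs that are not keys here are users. Platform and Engineering contain each other, a
# membership cycle that naive recursion would loop on.
GROUPS: Dict[str, List[str]] = {
    ALL_STAFF: [ENGINEERING, CAROL],
    ENGINEERING: [PLATFORM, ALICE],
    PLATFORM: [BOB, ENGINEERING],
}


def member_users(groups: Dict[str, List[str]], group_dn: str,
                 nested: bool = False, limit: int = MAX_DISPLAY) -> List[str]:
    """Users listed under a group's Member attribute.

    Direct view: only users that are direct members. Direct and Nested view: users reached
    through any chain of nested groups, each group visited once so cycles terminate."""
    visited = {group_dn}
    users: List[str] = []
    queue = deque([group_dn])
    while queue and len(users) < limit:
        for member in groups.get(queue.popleft(), []):
            if member in groups:  # a nested group
                if nested and member not in visited:
                    visited.add(member)
                    queue.append(member)
            elif member not in users:
                users.append(member)
                if len(users) >= limit:
                    break
    return users


def member_of_index(groups: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Reverse index (object DN -> groups it is a direct member of), i.e. the memberOf view."""
    index: Dict[str, List[str]] = {}
    for group_dn, members in groups.items():
        for member in members:
            index.setdefault(member, []).append(group_dn)
    return index


def user_groups(groups: Dict[str, List[str]], user_dn: str,
                nested: bool = False, limit: int = MAX_DISPLAY) -> List[str]:
    """Groups listed under a user's Groups attribute, direct or flattened through parents."""
    index = member_of_index(groups)
    result: List[str] = []
    queue = deque(index.get(user_dn, []))
    while queue and len(result) < limit:
        group_dn = queue.popleft()
        if group_dn in result:
            continue  # already reported; this also breaks membership cycles
        result.append(group_dn)
        if nested:
            queue.extend(index.get(group_dn, []))
    return result


if __name__ == "__main__":
    print("Direct:", member_users(GROUPS, ALL_STAFF))
    print("Direct and Nested:", member_users(GROUPS, ALL_STAFF, nested=True))
    print("Groups of bob (nested):", user_groups(GROUPS, BOB, nested=True))
```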


To return to the Directory page, select Go Back to Directory in the upper right.


Cloud Identity Engine User Context


As large enterprise networks continue to become increasingly distributed across cities, regions,
and countries, enforcing least-privilege user access becomes increasingly challenging, especially
as scale increases. User Context for the Cloud Identity Engine provides simplified granular control
over the data that is shared across your security devices. It provides administrators with the
flexibility to specify the data types (such as mappings and quarantine lists) each device sends and
receives.

User Context for the Cloud Identity Engine requires PAN-OS 11.0.

The simplified deployment of User Context for information such as user mappings and tags
minimizes time to enforcement. Centralizing visibility for users, tags, and mappings makes it easier
to segment the data types based on user access needs. This method also increases scalability for
Virtual Desktop users (VDI) using the Terminal Server agent.
To enforce policy, User Context provides IP address-to-username mappings, IP port-to-username
mappings, user tags, IP address tags, Host IDs, and quarantine list information to other firewalls
and devices in your network through segments, which consist of firewalls that you specify. A
segment can collect information as well as share information. A publishing segment sends the data
from the firewalls and devices in that segment to the firewalls in the subscribed segment, which
contains the firewalls that receive the data from the publishing segments.
Firewalls and Panorama can share multiple data types to one segment. On a firewall or Panorama,
each data type can only be shared in one segment. Each firewall or Panorama can receive data
from up to 100 segments.
By selecting the data that is collected by a segment and where that data is shared, you have full
control in ensuring that the information required to enforce least-privilege access is available on
each enforcement device.

If you associate a firewall that you configure as a User-ID hub with a segment, the
Cloud Identity Engine provides the data types based on the firewall that is subscribed
or publishing the segment, not based on the virtual system. To ensure that both locally
learned data and data that the User Context Cloud Service provides are available to all
virtual systems, configure the User-ID hub firewall as a subscriber in the segment.
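As an added example that is not part of this guide or of the Cloud Identity Engine itself, the following Python models the segment layout just described (publishing segments, subscribing segments, one segment per data type per device, at most 100 source segments per device) and resolves which firewall ends up receiving which data; the segment and device names, and the rule that a device publishes only into a segment it belongs to, are assumptions made for this example.

```python
"""Model of User Context segments: who publishes what, and who receives it.

Added example, not Palo Alto Networks code. Assumptions made here: a device publishes a
data type only into a segment it is a member of; a subscribing segment receives every data
type carried by the publishing segments it subscribes to; the 100-segment limit counts the
distinct publishing segments a device receives from across all segments it belongs to.
"""
from collections import defaultdict
from dataclasses import dataclass, field

MAX_SOURCE_SEGMENTS = 100  # guide: a firewall or Panorama can receive data from up to 100 segments

# Data types User Context can share; the short labels are constructed for this example.
DATA_TYPES = {"ip-user", "ip-tag", "user-tag", "quarantine-list", "ip-port"}


@dataclass
class Segment:
    name: str
    members: set                                     # firewalls / Panorama in this segment
    subscribes_to: set = field(default_factory=set)  # publishing segments it receives from


@dataclass(frozen=True)
class Publication:
    device: str      # publishing firewall or Panorama
    data_type: str   # one entry of DATA_TYPES
    segment: str     # the single segment this device publishes that data type to


def validate(segments, publications):
    """Return the constraint violations in a layout; an empty list means it is consistent."""
    errors = []
    by_name = {s.name: s for s in segments}
    published_in = {}  # (device, data_type) -> segment; each pair may map to one segment only
    for p in publications:
        if p.data_type not in DATA_TYPES:
            errors.append(f"{p.device}: unknown data type {p.data_type!r}")
            continue
        seg = by_name.get(p.segment)
        if seg is None:
            errors.append(f"{p.device}: publishes to unknown segment {p.segment!r}")
            continue
        if p.device not in seg.members:
            errors.append(f"{p.device}: publishes {p.data_type} to {p.segment} but is not a member")
        key = (p.device, p.data_type)
        if key in published_in and published_in[key] != p.segment:
            errors.append(f"{p.device}: {p.data_type} published to both "
                          f"{published_in[key]} and {p.segment}")
        published_in.setdefault(key, p.segment)

    sources = defaultdict(set)  # device -> publishing segments it receives from
    for s in segments:
        for target in s.subscribes_to:
            if target not in by_name:
                errors.append(f"{s.name}: subscribes to unknown segment {target!r}")
                continue
            for fw in s.members:
                sources[fw].add(target)
    for fw, segs in sources.items():
        if len(segs) > MAX_SOURCE_SEGMENTS:
            errors.append(f"{fw}: receives from {len(segs)} segments (limit {MAX_SOURCE_SEGMENTS})")
    return errors


def deliveries(segments, publications):
    """Resolve the data flow: {receiver: {data_type: sorted publishing devices}}."""
    pubs_by_segment = defaultdict(list)
    for p in publications:
        pubs_by_segment[p.segment].append(p)
    received = defaultdict(lambda: defaultdict(set))
    for s in segments:
        for pub_seg in s.subscribes_to:
            for p in pubs_by_segment.get(pub_seg, []):
                for fw in s.members:
                    if fw != p.device:  # a device does not need its own data echoed back
                        received[fw][p.data_type].add(p.device)
    return {fw: {dt: sorted(src) for dt, src in types.items()}
            for fw, types in received.items()}


# Constructed layout: two branch firewalls publish into the default segment; a data-centre
# firewall sits in a subscribing segment and receives what the branches publish.
SEGMENTS = [
    Segment("default", {"branch-fw-1", "branch-fw-2"}),
    Segment("dc-subscribers", {"dc-fw-1"}, subscribes_to={"default"}),
]
PUBLICATIONS = [
    Publication("branch-fw-1", "ip-user", "default"),
    Publication("branch-fw-2", "ip-user", "default"),
    Publication("branch-fw-2", "user-tag", "default"),
]

if __name__ == "__main__":
    print("violations:", validate(SEGMENTS, PUBLICATIONS))   # []
    print("data flow:", deliveries(SEGMENTS, PUBLICATIONS))
    # Publishing the same data type from one device into a second segment is rejected.
    bad = PUBLICATIONS + [Publication("branch-fw-1", "ip-user", "dc-subscribers")]
    print("violations:", validate(SEGMENTS, bad))
```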

Cloud Identity Engine Getting Started November 2023 220 ©2023 Palo Alto Networks, Inc.
Manage the Cloud Identity Engine App

STEP 1 | Onboard your Cloud Identity Engine instance.


1. Obtain the serial number for the firewall you want to onboard, and Register the firewall
with the Palo Alto Networks Customer Support Portal (CSP).
2. Click the magic link provided by Palo Alto Networks to begin onboarding your Cloud
Identity Engine tenant.
The magic link is provided by Palo Alto Networks by email.
3. Click MSP Cloud Management.

4. Continue the onboarding process.

5. Claim the license for the tenant you want to onboard.

6. Select the Customer Support Account you want to use.

7. Select the Parent Tenant you want to use or click Create New to create a new tenant.

8. Click Claim and continue to continue the onboarding process.

9. Click Add Licensed Product to continue the onboarding process.

10. Select the contract you want to use.

11. Select the Region for your Cloud Identity Engine instance.

12. Click Activate Now to complete the onboarding process.

13. Confirm that the Status for the Cloud Identity Engine is Complete.
You can access your Cloud Identity Engine instance by selecting Cloud Identity Engine.

14. In the bottom left of the window, select the icon for your tenant and select Device
Associations.

15. Select Add Device.

16. Select your Customer Support Account and enter your firewall serial number.
17. Select the firewall and Save your changes.
18. Select Associate Apps.
19. Select the firewall, select the Cloud Identity Engine, and Save your selections.

STEP 2 | In the Cloud Identity Engine, activate sharing for mappings.


1. Log in to the Cloud Identity Engine app and select User Context > Segments.
2. Activate sharing for mappings.

STEP 3 | Configure the default segment as a publishing segment.


1. Select the Firewalls tab and select one or more firewalls.

2. After selecting the firewalls that you want to include in this segment, Assign Segments
to the selected firewalls.
Assigning a segment to a firewall allows you to define which data the Cloud Identity
Engine receives from or provides to that firewall. You can only assign segments to a
firewall that uses PAN-OS 11.0; User Context does not support other source types.

3. (Optional) If you want to include additional firewalls in the segment, Add Firewalls to the
segment to specify the firewalls you want to include.

4. For each Data Type that you want to share, select the Segment where you want to
publish the data type.

Firewalls publish each data type to one segment. To share data between
firewalls, you will need to configure a segment for each data type you want
to share.

You can select the following data types:


• IP User Mappings—(GlobalProtect, Authentication Portal, XFF Headers, Username
Header Insertion, XML APIs, Syslog, Server Monitoring, Panorama TrustSec plugin)
Maps the IP address to a username.
• IP Tag Mappings—(Dynamic Address Group only) Maps the IP address to a tag.
• User Tag Mappings—(Dynamic User Group only) Maps the tag to a user.
• Quarantine List—(GlobalProtect only) Lists the firewalls that GlobalProtect has in
quarantine.

• IP Port Mappings—(Terminal Server agent only) Maps the IP address to the port range
allocated to a Windows-based terminal server user.

5. Click Review Changes to review your configuration before submitting the changes.

6. Save the changes to confirm the configuration.

STEP 4 | Create a segment to subscribe to the publishing segment you created in the previous step.
Publishing segments provide the specified data type that the Cloud Identity Engine collects
from other firewalls to the segment containing the firewalls that you select.

You can subscribe up to 100 segments per firewall.

1. Select User Context > Segments and click Add New Segment.

2. Enter a unique Segment Name and optionally a Description for the segment.

3. Click Add New Segment to save the changes.


4. Click Segments to add the segments you want to receive data.

5. Select the segments that you want to include and Add the segments.

STEP 5 | (Optional) Edit segments as needed to customize how the Cloud Identity Engine provides
mappings to the firewalls.
1. If sharing for a data type is Enabled and you do not want to share this data type in this
segment, select it to change the setting to Disabled.

2. If you no longer need a segment, delete it from the configuration.

STEP 6 | When your configuration is complete, Review Changes and Save the configuration.

STEP 7 | On your firewall, enable the service that the Cloud Identity Engine uses to communicate with
your firewall.
1. Ensure that you have configured a device certificate.
2. Log in to the firewall and Edit the PAN-OS Edge Service Settings (Device >
Management > Setup > PAN-OS Edge Service Settings).

3. Enable User Context Cloud Service and click OK to confirm the changes.

If the firewall traffic uses a management interface, create security policy rules to
allow connectivity between the firewall and the User Context Cloud Service.

4. Commit your changes on the firewall.

STEP 8 | Verify the User Context configuration is successful and view the mappings and tags that the
Cloud Identity Engine collects from the firewall.
1. On the firewall, verify the User Context Cloud Service Connection Status is active.

2. In the Cloud Identity Engine app, select User Context > Mappings & Tags to review the
information for the data types.
You can review the following data types:
• User-ID—Search User-ID mappings by Username or IP address.
• User Tags—Search Dynamic User Group tags by Username or by Tag.
• IP Tags—Search Dynamic Address Group tags by IP address or by Tag.
• IP-Port User—(Terminal Server agent only) Search Terminal Server agent mappings by
IP address.
• Host IDs—(GlobalProtect only) Search devices (both quarantined and not quarantined)
by Host ID.

Now that you’ve configured segments, you can use them to enable user- and group-
based policy, authentication profiles and sequences, and other firewall-based tasks.

Create a Cloud Dynamic User Group


Cloud Dynamic User Groups simplify the creation of group-based Security policy by providing
adaptable and granular group membership that updates automatically based on the criteria
(also known as context or attributes) you specify. This allows you to create a policy that adapts
to changes in user behavior, location, and other conditions where context plays a key role in
determining access.
As work locations change and users take on different roles in an organization, determining user
privileges based on attributes such as department or location is no longer sufficient. Cloud
Dynamic User Groups provide a simplified and automated solution by allowing you to specify the
context for group membership based on attributes that can change (such as location, department,
or title), allowing you to create more responsive group-based policy.

If you are using a Cloud Dynamic User Group to Set Up an Authentication Profile, you
must add the users in the Cloud Dynamic User Group to the SAML app integration in
Azure Portal. For more information, refer to Step 3 in Configure Azure as an IdP in the
Cloud Identity Engine.

You can also create static groups where membership remains constant until you manually add or
remove members. For example, you can use static groups to quickly assign privileges or to isolate
an account that is exhibiting unusual or risky behavior based on specific events.
If you're using Microsoft Active Directory Identity Protection, you can use the risk assessment
information to create Cloud Dynamic User Groups based on a user's risk level or anomalous user
behavior, such as an unusual login location.

Using risk assessment information to create Cloud Dynamic User Groups requires the
client credential flow for Azure AD. You must allow the following permissions in the
Azure Portal to enable support for risk-based attributes:
• IdentityRiskyUser.Read.All
• IdentityRiskEvent.Read.All

STEP 1 | If you have not already done so, configure your directory for the type of Cloud Dynamic
User Group you want to create.
1. Configure an on-premises directory or a cloud-based directory.
2. (User Risk Information with Azure AD only) To allow the Cloud Identity Engine to collect
user risk information from your Microsoft Active Directory Identity Protection, select
Collect user risk information from Azure AD Identity Protection.

For an existing Azure AD configuration in the Cloud Identity Engine, reconnect your
directory to enable user risk information collection.

3. Sync the groups for the directory.

STEP 2 | In the Cloud Identity Engine app, select Directories and click on the number in the Groups
column.

STEP 3 | On the Directory Data page, click Create New Dynamic User Group.

STEP 4 | Select the Category for the group.


• Attribute Based—Select the criteria for the dynamic group based on attributes.
• On Demand Assignment—Assign specific users to a static group.

STEP 5 | Enter the Common Name for the group.


This automatically generates a Distinguished Name for the group that the Cloud Identity
Engine, Prisma Access, and your firewalls use to identify the group. The Cloud Identity Engine
appends _CDUG to the name you enter to indicate that the group is a Cloud Dynamic User
Group.

STEP 6 | (Optional) Enter a Group Email for the group.

STEP 7 | (Optional) Enter a Description for the group.

STEP 8 | Depending on the group Category you selected in Step 4, select either the attributes you
want to use to define the group or the users you want to add to the group.
1. (Attribute Based only) Select whether you want the group members to match Any of the
criteria or if you want them to match All of the criteria you select.

2. (Attribute Based only) Click Select context or attribute to select the criteria (also known
as context or attribute) that you want to use to define the group.

3. (Attribute Based only) Click Select operator to select the type of operand.

The operators that are available depend on your context or attribute selection in
the previous step.

• is equal to—Adds members to the group who are an exact match for a single attribute
or context.
• is equal to ANY of the following—Adds members to the group who are an exact
match for one or more attributes or contexts.
• is not equal to—Adds members to the group who don't match the attribute or
context.
• contains—Adds members to the group when they contain the term you enter.
• starts with—Adds members to the group when they begin with the characters you
enter.

4. (Attribute Based only) Click Select value to select the value (if the operand is is equal to)
or values (if the operand is is equal to ANY of the following) for the group members. If
the operand is contains or starts with, enter the value.

5. (Optional) If you want to include additional criteria for the Cloud Dynamic User Group,
select the type of operand and repeat the previous steps as needed to add the necessary
criteria for the group.
• Add OR—Adds members to the group when at least one of the criteria applies.
• Add AND—Adds members to the group only when all criteria apply.

6. (On Demand Assignment only) Click Add Users to view the list of possible group
members.

7. (On Demand Assignment only) Select the users you want and Add them to the group.

To filter the list of possible group members, enter a search term and Apply Search and
optionally select either Text Search or Substring Search.
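The following Python, an added example rather than code from this guide or from the Cloud Identity Engine, evaluates Attribute Based group criteria with the operators and the Any/All match modes described in Step 8 against a set of directory records; the attribute names, the user records, the case-insensitive comparison and the rule that a missing attribute never matches are all assumptions made for this example.

```python
"""Evaluator for Cloud Dynamic User Group (CDUG) membership criteria.

Added example, not Palo Alto Networks code. It models the operators and the Any/All match
modes of the procedure above. Assumptions: string comparison is case-insensitive, the
attribute names and user records are constructed, and a user that lacks the attribute a
criterion refers to never matches that criterion (so an absent attribute never grants
membership, which is the safer default for policy based on these groups).
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


def _norm(value: Any) -> str:
    return str(value).casefold()


# Operator name as shown in the UI -> predicate(attribute_value, criterion_value)
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "is equal to": lambda a, v: _norm(a) == _norm(v),
    "is equal to ANY of the following": lambda a, vs: _norm(a) in {_norm(x) for x in vs},
    "is not equal to": lambda a, v: _norm(a) != _norm(v),
    "contains": lambda a, v: _norm(v) in _norm(a),
    "starts with": lambda a, v: _norm(a).startswith(_norm(v)),
}


@dataclass(frozen=True)
class Criterion:
    attribute: str
    operator: str
    value: Any  # one value, or a list for "is equal to ANY of the following"

    def matches(self, user: Dict[str, Any]) -> bool:
        if self.operator not in OPERATORS:
            raise ValueError(f"unsupported operator {self.operator!r}")
        if self.attribute not in user:
            return False  # conservative: a missing attribute never matches
        return OPERATORS[self.operator](user[self.attribute], self.value)


@dataclass
class DynamicUserGroup:
    common_name: str
    criteria: List[Criterion]
    match: str = "all"  # "all" = members match All criteria (Add AND); "any" = Any (Add OR)

    @property
    def group_name(self) -> str:
        return f"{self.common_name}_CDUG"  # the engine appends _CDUG to the Common Name

    def is_member(self, user: Dict[str, Any]) -> bool:
        if not self.criteria:
            return False  # a group with no criteria admits nobody
        results = (c.matches(user) for c in self.criteria)
        return any(results) if self.match == "any" else all(results)

    def members(self, users: List[Dict[str, Any]]) -> List[str]:
        return sorted(u["userPrincipalName"] for u in users if self.is_member(u))


# Constructed directory records (attribute names chosen for this example; "riskLevel"
# stands in for the Azure AD Identity Protection risk attribute the guide mentions).
USERS = [
    {"userPrincipalName": "alice@example.com", "department": "Finance",
     "country": "US", "title": "Senior Accountant", "riskLevel": "low"},
    {"userPrincipalName": "bob@example.com", "department": "Engineering",
     "country": "DE", "title": "Engineer", "riskLevel": "high"},
    {"userPrincipalName": "carol@example.com", "department": "Finance",
     "country": "FR", "title": "Contract Accountant", "riskLevel": "none"},
    {"userPrincipalName": "dave@example.com", "department": "Sales", "country": "US"},
]

# Finance staff located in the EU: both criteria must hold (All / Add AND).
FINANCE_EU = DynamicUserGroup("finance-eu", [
    Criterion("department", "is equal to", "Finance"),
    Criterion("country", "is equal to ANY of the following", ["DE", "FR"]),
], match="all")

# Users flagged by risk assessment; dave has no riskLevel attribute and stays out.
RISKY_USERS = DynamicUserGroup("risky-users", [
    Criterion("riskLevel", "is equal to ANY of the following", ["medium", "high"]),
])

# Either condition is enough (Any / Add OR).
SALES_OR_HIGH_RISK = DynamicUserGroup("sales-or-high-risk", [
    Criterion("department", "is equal to", "Sales"),
    Criterion("riskLevel", "is equal to", "high"),
], match="any")

if __name__ == "__main__":
    for group in (FINANCE_EU, RISKY_USERS, SALES_OR_HIGH_RISK):
        print(group.group_name, "->", group.members(USERS))
```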

STEP 9 | (Optional) If you want to delete one of the contexts or attributes, click Delete in the row that
contains the context or attribute you want to remove.

STEP 10 | (Optional) To remove a user from a cloud dynamic user group, select the check box in the
row for the user and click Remove User then click Continue to confirm.
The Add User button changes to Remove User when you select a user.

STEP 11 | Click Submit to create the Cloud Dynamic User Group.


You can now use the Cloud Dynamic User Group to create group-based Security policy.

STEP 12 | (User Risk Information with Azure AD only) If you enabled user risk information collection
in step 1.2, verify that the Cloud Identity Engine can successfully collect the information by
clicking the locked user icon and verifying that Collect User Risk displays with a green
check mark.

STEP 13 | To remove a cloud dynamic user group, select the ellipsis button then select Remove.

If a sync for the removed group is currently in progress, the removed group may still
display on the page. If this occurs, refresh the page and confirm the removed group no
longer displays.

Configure Third-Party Device-ID


Third-Party Device-ID allows you to leverage information from third-party IoT detection sources
to simplify the task of identifying and closing security gaps for devices in your network. Third-
Party Device-ID enables Prisma Access to obtain and use information from third-party IoT
visibility solutions through the Cloud Identity Engine for device visibility and control.
When you configure Third-Party Device-ID, the third-party IoT solutions can use an API to
provide the Device-ID verdicts to a secure cloud-based infrastructure, the Third-Party Device-
ID service, that provides the information to the Prisma Access Security Processing Nodes (SPNs).
The same verdicts are displayed as IP address-to-device mappings in the Cloud Identity Engine,
allowing you to confirm that the Device-ID verdicts have been shared with your Palo Alto
Networks applications. After the Prisma Access SPNs receive the IP address-to-device mappings
and the third-party IoT solution information is available in the Cloud Identity Engine, any matching
device-based policies defined in Prisma Access are enforced.
The following diagram depicts how the Third-Party Device-ID service receives the device
information from the third-party IoT solutions, which it then transmits as IP address-to-device
mappings to the Cloud Identity Engine and the Prisma Access SPNs.

Before you begin the procedure, obtain a certificate signing request and its key for the
vendor of each third-party IoT solution you want to use with Third-Party Device-ID from
your network administrator.

STEP 1 | Activate Third-Party Device-ID in the Cloud Identity Engine.


If you have not already done so, configure the Cloud Identity Engine.
1. Log in to the hub and select the Cloud Identity Engine tenant you want to use, then
select User Context > Third-Party Device-ID.

2. Select the Location of your tenant.

Because you can only select the region once and you cannot change it after
making a selection, verify your region before selecting it during Third-Party
Device-ID activation.

3. Click Add New Management System.

STEP 2 | Upload the certificate signing request (CSR) from the third-party IoT solution.
1. Enter a unique Configuration Name (for example, the vendor of the third-party IoT solution).

2. Click Browse Files or drag and drop to upload the certificate signing request (CSR) file
from the third-party IoT solution.
Contact the administrator of the third-party IoT solution to obtain the CSR file.

You can only upload a CSR once for each configuration. If you need to update or
change the configuration, you must create a new CSR.

STEP 3 | Obtain the signed certificate and the API key to import to the management system for your
third-party IoT solution.
1. Click Sign CSR and Export to download the certificate that you must import to the third-
party IoT solution management system.

To help prevent any security risk for the certificate or the API key, be sure to
store both the signed certificate and the API key in a secure location.

2. Click Generate New API Key to generate an API token to authenticate the third-party
IoT solution.
The API key is a token that contains information about the third-party IoT solution
and other required information, such as the identifier for the tenant and the token’s
expiration.

If the API key becomes compromised, you must generate a new API key and
import the new key to the third-party IoT solution management system.

3. Copy the API key then import both the signed certificate that you downloaded and the
API key that you generated to the management system for your third-party IoT solution
and configure the IoT solution to use these files to communicate with the Third-Party
Device-ID.

To ensure that the third-party IoT solution can successfully communicate with
the Third-Party Device-ID, you must upload both the signed certificate from
the previous step and the API key. Create a configuration for each third-party
vendor in your network that you want to use with Third-Party Device-ID. The
configuration for each vendor must have a unique signed certificate and API key;
do not use the same certificate or API key in more than one configuration.

STEP 4 | Review the information to verify the configuration is correct.

STEP 5 | After you use the API commands to obtain the information from the third-party IoT
solutions, select Mappings to view information about the devices that the Third-Party
Device-ID has detected and their IP address-to-device mappings.
You can search the IP address-to-device mappings by IP address by entering the IP address
and clicking Apply Search.

Now that your Third-Party Device-ID configuration is complete, you can:


• Use the APIs to manage how your third-party IoT solutions share information with Third-
Party Device-ID.
• Use Device-ID features such as the Device Dictionary to manage and edit device
information.
For more information, refer to the Prisma Access documentation.

Configure an IP Tag Cloud Connection


IP tag cloud connection supports regions based in the United States.

To configure the Cloud Identity Engine to collect IP address-to-tag (also known as IP-tag)
information for policy enforcement, configure a connection to your cloud-based identity
management system to synchronize the mappings. The identity management system provides the
IP-tag information to the edge service for processing, which then provides the information to the
firewalls for policy enforcement.
If you want to collect IP address-to-tag (IP-tag) information from VM-Series firewalls, you must
grant the required permissions for your cloud-based identity management system.
• For Azure, grant the read permissions as described in the Azure Monitoring section in the VM-
Series documentation.
• For AWS, grant the ARN describe roles as described in the IAM Roles and Permissions for
Panorama section as shown in the JSON example in the VM-Series documentation.
If you use Strata Cloud Manager, you can view your IP-tag information using the unified interface
and use it to create your tag-based security policy.

For each region, you can synchronize up to 20,000 IP-tag mappings from a cloud service
in a monitoring configuration at one time. For instance, if you have 1,000 IP addresses,
you will be able to synchronize them all if each IP address has equal to or fewer than 20
tags. After performing the initial synchronization, you can continue to add more IP-tag
mappings in subsequent synchronizations, with each synchronization allowing up to an
additional 20,000 mappings. Only the new or modified mappings will be synchronized
each time.

STEP 1 | If you have not already done so, activate User Context and configure a segment to receive
the mapping information.

STEP 2 | Select User Context > IP-Tag Collection.

STEP 3 | Select the Credential Configuration tab if it is not already selected.

STEP 4 | To Set Up a New Credential Configuration, select the type of configuration.


• AWS—Connect to an Amazon Web Services (AWS) instance.
• Azure—Connect to a Microsoft Azure Active Directory instance.

STEP 5 | Enter a unique and descriptive Name for the configuration.

STEP 6 | (AWS only) Configure your AWS connection.


To open your AWS administrator portal in a new window, click Open CFT.

1. Enter your Access Key ID.


To learn how to obtain your access key ID and secret access key, refer to the AWS
documentation.
2. Enter your Secret Access Key.
3. Reenter your secret access key to Confirm Secret Access Key.
4. (Optional) Enter a Role ARN Name and Role ARN Value.
To configure additional Role ARNs, click Add Role ARN for each Role ARN you want
to include. For more information on the Amazon Resource Name (ARN), refer to the AWS
documentation.

If you specify an ARN, you cannot also specify a VPC.

STEP 7 | (Azure only) Configure your Azure connection.


1. Enter your Client ID.
To learn how to obtain the client ID and client secret, refer to the Azure documentation.

2. Enter your Client Secret.


3. Enter your Tenant ID.
To learn how to obtain the tenant ID and subscription ID, refer to the Azure
documentation.
4. Enter your Subscription ID.

STEP 8 | Verify the connection by clicking the Test Connection button.


For AWS configurations, you can optionally select the Region before testing the connection.
By default, the Cloud Identity Engine selects the US West region; if this region does not allow
API requests, select a region that can allow API requests.

Even if the connection test is not successful, you can still submit your configuration;
until the connectivity issues are resolved, the configuration status is Not
connected. You must resolve the connection issues for the configuration to
successfully retrieve the IP-tag mappings.

STEP 9 | Submit the configuration.

STEP 10 | To configure a connection for monitoring purposes (such as audits) or to share the IP-tag
mapping information using a segment, select the Monitor & Status tab.
There are three states for the connection:
• Connected—The Cloud Identity Engine has successfully established a connection.
• Partially connected—The Cloud Identity Engine could successfully establish a connection to
some aspects of the configuration, such as regions or VPCs for AWS, but not all of them.
• Not connected—The Cloud Identity Engine could not successfully establish a connection
with the current configuration.

1. Set Up a New Monitor Configuration and select the type of monitor configuration.
2. Enter a unique and descriptive Name for the configuration.

3. Select the Credential Configuration that you configured.


4. (AWS only) Optionally select the Role ARN you want to use.
5. Select whether you want to configure the connection for All Regions, All VPCs (AWS only), or
both.
To select a specific region or virtual private cloud (VPC), deselect the All Regions or All
VPCs checkbox and allow the list of regions or VPCs to populate, then select the region
or VPC you want to include. To select a specific VPC, you must select a region first.
6. Define the Polling Interval (in seconds) to specify how frequently the Cloud Identity
Engine checks for new data.
The default is 60 seconds and the range is 60–1800 seconds.
7. Select the segment you configured in Step 1.

Because you cannot select another segment after you submit the configuration,
ensure you select the correct segment before submitting the configuration. If
you need to change the segment after you submit the configuration, you must
create a new configuration and select the segment you want to use.
8. Submit the configuration.

STEP 11 | (Strata Cloud Manager only) If you are using Strata Cloud Manager, view the tags that the
Cloud Identity Engine shares with Strata Cloud Manager by selecting an address group then
select the Tags from CIE tab when you add match criteria.

Manage the Cloud Identity Agent
After you have installed and configured the agent, learn how to ensure you are using the
latest agent version. If you need to perform maintenance, you can stop and restart the agent’s
connection to your tenant. To help troubleshoot any issues, learn more about the events logged
by the agent and how to use the logs.
• Configure Cloud Identity Agent Logs
• Update the Cloud Identity Agent
• Start or Stop the Connection to the Cloud Identity Engine
• Remove the Cloud Identity Agent
• Manage Cloud Identity Engine Certificates

Configure Cloud Identity Agent Logs


The Cloud Identity agent logs Cloud Identity Engine events that occur on the agent host. You
can use these logs to monitor informational events such as new connections
(Information—New connection 192.0.2.0: 49161), or for troubleshooting
(Error—Verification of Server Cert failed, stopping Cloud Identity Agent). For example, the agent
automatically generates logs if you test connectivity when you Configure the Cloud Identity
Agent. You can also use the Event Viewer on the agent host to review logs created if the agent is
unable to connect to the Cloud Identity Engine due to an incorrect bind DN or password, server
unavailability, or other issue.
The agent displays logs in the order in which they were generated. To provide a consistent
timestamp across timezones, logs include the timezone information in Coordinated Universal
Time (UTC), where the time offset is indicated by + or -. For the complete log history, check the
CloudIdAgentDebug log file on the agent host, which permanently retains all logs.
STEP 1 | Launch the agent.

STEP 2 | Select File > Debug.

STEP 3 | Select the type of event you want to log.


The agent logs the events of the selected type and all subsequent types. For example, if you
select Debug, the logs include error, warning, information, and debug events.
• If you select None, the Cloud Identity agent does not log events at any level.
• If you select Information, Warning, or Error, the agent deletes the data from the log after
sending it to the debug log on the agent host.
• If you select Debug or Verbose, the received data is stored permanently on the disk until
you delete the files.
To remove log files from the agent’s user interface, you can optionally Clear Cloud Identity
Agent Logs.

Search Cloud Identity Agent Logs


To troubleshoot issues with the Cloud Identity Engine, use keywords to search the Cloud Identity
agent logs. For example, you could search for the IP address of a directory where the agent wasn’t
able to connect to learn more about why the error occurred.

Search terms are case-sensitive.

STEP 1 | From the Cloud Identity agent, select Monitoring.

STEP 2 | Enter the search terms in the entry field to the left of Search.


STEP 3 | Click Search. The results are highlighted in blue below the entry field.

Clear Cloud Identity Agent Logs


You can clear outdated logs on the agent’s user interface. This does not delete the entries from
the CloudIdAgentDebug log file on the agent host.
STEP 1 | From the Cloud Identity agent, select Monitoring.

STEP 2 | Click Clear Log.


Update the Cloud Identity Agent


Using the latest version of the agent is strongly recommended. If your Cloud Identity agent is not
the latest version available, the Cloud Identity Engine app displays a notification.
Use the following procedure to update your Cloud Identity agent to the latest version.

When you upgrade the agent to version 1.7.0, it creates a backup of the existing agent
configuration before removing the deprecated version of the agent. During installation of
the new version of the agent, the existing configuration is automatically restored.

STEP 1 | Stop the connection to the Cloud Identity Engine service.


You must stop the connection between the agent and the service before you can update the
agent. Check Agents & Certificates in the Cloud Identity Engine app to confirm the agent’s
status.

STEP 2 | Uninstall the outdated agent from the host (Start > Control Panel > Programs and Features >
Cloud Identity Agent > Uninstall).

You must uninstall the outdated agent from the host before installing the latest version
of the agent.

STEP 3 | Log in to the hub and select the Cloud Identity Engine app.

STEP 4 | Select your Cloud Identity Engine tenant (if you have more than one) then select Agents &
Certificate.


STEP 5 | Click Download New Agent, then Install the Cloud Identity Agent.


Start or Stop the Connection to the Cloud Identity Engine
When you start the Cloud Identity agent, it automatically starts communicating with the Cloud
Identity Engine to synchronize the attributes. To prevent this communication (for example, if a
directory server is unavailable or if you want to Remove the Cloud Identity Agent), you can stop
communication between the Cloud Identity agent and the Cloud Identity Engine. You can then
restart the connection later to allow communication.
STEP 1 | On the agent host, start the Cloud Identity agent if it is not already running, then select
Cloud Identity Configuration.
The current connection status of the agent displays at the lower-left corner of the window.

STEP 2 | Stop or re-establish the connection between the agent and the service.
• To connect the agent to the Cloud Identity Engine, click Start.

• To prevent the agent from communicating with the Cloud Identity Engine, click Stop.


Remove the Cloud Identity Agent


If you no longer need a Cloud Identity agent, you can remove it from your Cloud Identity Engine
tenant.
STEP 1 | Stop the connection to the Cloud Identity Engine.
You must stop the connection between the agent and the Cloud Identity Engine before you
can remove the agent.

STEP 2 | Uninstall the agent from the host server (Start > Control Panel > Programs and Features >
Cloud Identity Agent > Uninstall).

STEP 3 | Log in to the hub and select the Cloud Identity Engine tenant that contains the agent you
want to remove.

STEP 4 | Select Agents & Certificates.

STEP 5 | Confirm that the agent’s Status is Offline and Remove Agent.

You can only remove an agent that is offline (the connection between the agent and
the Cloud Identity Engine is not active). If the agent is not offline, the Remove Agent
button is not available.


Manage Cloud Identity Engine Certificates


After you generate the certificate to Authenticate the Agent and the Cloud Identity Engine, you
can view the certificate and its associated agent in the Cloud Identity Engine app.

Cloud Identity agent version 1.5.0 and later automatically renews the certificate
before it expires.

You can view the identification number and lifetime of the certificate on the Agents & Certificates
page in the Cloud Identity Engine app.

If you need to Revoke Cloud Identity Agent Certificates, you must Delete Obsolete
Cloud Identity Agent Certificates before you generate and install the new certificate.

To generate a new certificate for an agent, click Get New Certificate, then follow the steps to
Authenticate the Agent and the Cloud Identity Engine.


Revoke Cloud Identity Agent Certificates


If a Cloud Identity agent’s certificate is compromised, revoke the certificate.
STEP 1 | Log in to the hub and select Cloud Identity Engine.

STEP 2 | Select the tenant associated with the agent with the compromised certificate.

STEP 3 | From the Cloud Identity Engine app, select Agents & Certificates.

STEP 4 | Revoke the certificate.

STEP 5 | Delete Obsolete Cloud Identity Agent Certificates to remove the previous certificate.

STEP 6 | Generate a new certificate to Authenticate the Agent and the Cloud Identity Engine and
install it on the agent host.


Delete Obsolete Cloud Identity Agent Certificates


You must delete the previous certificate for the agent before installing the new certificate. If
you do not delete the previous certificate, the Cloud Identity Engine may reference the previous
certificate instead of the new certificate.
STEP 1 | On the agent host, open Microsoft Management Control (MMC) by selecting Start > Run,
then entering MMC.

STEP 2 | Select File > Add/Remove Snap-In.

STEP 3 | Select Certificates > Add.


STEP 4 | Select Computer Account > Next.

STEP 5 | Select Local Computer > Finish.

STEP 6 | Click OK, then navigate to Console Root > Certificates (Local Computer) > Personal >
Certificates.

STEP 7 | Select the previous certificate from the list.

STEP 8 | Right-click the certificate, then Delete and click Yes to confirm the deletion.


STEP 9 | Generate a new certificate to Authenticate the Agent and the Cloud Identity Engine and
install it on the agent host.

Associate the Cloud Identity Engine with Palo Alto Networks Apps
The following procedures describe the steps for the support account view in the Hub. If
you are using the tenant account view, association is not necessary for a tenant service
group (TSG). For more information, refer to the Hub Getting Started guide.

By associating your Cloud Identity Engine tenants with other Palo Alto Networks apps, you
can allow these apps and services to access your directory information for reporting and policy
enforcement. You can associate the Cloud Identity Engine tenant with another app during
activation or with an existing app at any time.

To share user attributes with multiple apps, associate the same Cloud Identity Engine
tenant with each app.

• Associate the Cloud Identity Engine During Activation


• Associate the Cloud Identity Engine with an Existing App


Associate the Cloud Identity Engine During Activation


The following procedures describe the steps for the support account view in the Hub. If
you are using the tenant account view, association is not necessary for a tenant service
group (TSG). For more information, refer to the Hub Getting Started guide.

STEP 1 | Using your Auth Code, activate the Palo Alto Networks cloud app you want to associate with
the Cloud Identity Engine tenant.

STEP 2 | Enter the information required to activate the application, such as an Instance Name and a
Region, which will vary depending on the app.

STEP 3 | Select the Cloud Identity Engine tenant you want to associate with the app.
Only Cloud Identity Engine tenants that are compatible with the Palo Alto Networks cloud
application are displayed in the drop-down list. For example, a Cloud Identity Engine tenant
assigned to the US region would be compatible with another Palo Alto Networks cloud service
app assigned to the US region. If the Cloud Identity Engine field is not available, the Palo Alto
Networks cloud services app you selected does not support the Cloud Identity Engine.

STEP 4 | Agree and Activate the app.


Associate the Cloud Identity Engine with an Existing App


The following procedures describe the steps for the support account view in the Hub. If
you are using the tenant account view, association is not necessary for a tenant service
group (TSG). For more information, refer to the Hub Getting Started guide.

STEP 1 | Log in to the hub, click Settings, then Manage Apps.

STEP 2 | Select the app you want to associate with the Cloud Identity Engine tenant.

STEP 3 | Select the Cloud Identity Engine tenant you want to associate with the app and click OK.

Only Cloud Identity Engine tenants that are compatible with the Palo Alto Networks cloud
application are displayed in the drop-down list. For example, a Cloud Identity Engine tenant
assigned to the US region would be compatible with another Palo Alto Networks cloud service
app assigned to the US region. If the Cloud Identity Engine field is not available, the Palo Alto
Networks cloud services app you selected does not support the Cloud Identity Engine.
After you associate the app, the Cloud Identity Engine tenant name displays in the Cloud
Identity Engine column in the hub (Settings > Manage Apps).


Authenticate Users with the Cloud Identity Engine
Learn how to deploy the Cloud Identity Engine for user authentication by configuring a SAML
2.0-based identity provider (IdP), a client certificate and certificate authority (CA) chain, or both.
After specifying how you want to authenticate your users, set up your authentication profile to
define your authentication security policy and optionally configure the authentication policy on
your firewall or Panorama. After you’ve done that, configure the Cloud Identity Engine as a User-
ID source for group mapping and user mapping to enforce group-based policy.
• Configure a SAML 2.0 Authentication Type
• Configure a Client Certificate
• Set Up an Authentication Profile
• Configure Cloud Identity Engine Authentication on the Firewall or Panorama
• Configure the Cloud Identity Engine as a Mapping Source on the Firewall or Panorama


Configure a SAML 2.0 Authentication Type


You can configure SAML 2.0-compliant identity providers (IdPs) in the Cloud Identity Engine to
authenticate your users. The following topics provide detailed steps on how to configure specific
IdPs as authentication types in the Cloud Identity Engine.
• Configure Azure as an IdP in the Cloud Identity Engine
• Configure Okta as an IdP in the Cloud Identity Engine
• Configure PingOne as an IdP in the Cloud Identity Engine
• Configure PingFederate as an IdP in the Cloud Identity Engine
• Configure Google as an IdP in the Cloud Identity Engine

If this is the first time you are configuring an IdP profile for the Cloud Identity Engine,
it may take up to 30 minutes to retrieve the information for your Cloud Identity Engine
tenant and display it in the app.
When you Configure Cloud Identity Engine Authentication on the Firewall or
Panorama, you can manually refresh the data using the
request user-id cloud-identity-engine config-data status command on the firewall.


Configure Azure as an IdP in the Cloud Identity Engine


STEP 1 | Download the Cloud Identity Engine integration in the Azure Portal.
1. If you have not already done so, activate the Cloud Identity Engine app.
2. In the Cloud Identity Engine app, select Authentication > SP Metadata > Download SP
Metadata and Save the metadata in a secure location.

3. Log in to the Azure Portal and select Azure Active Directory.


Make sure you complete all the necessary steps in the Azure portal.


If you have more than one directory, Switch directory to select the directory you want
to use with the Cloud Identity Engine.

4. Select Enterprise applications and click New application.

5. Add from the gallery, then enter Palo Alto Networks Cloud Identity Engine - Cloud
Authentication Service and download the Azure AD single sign-on integration.
6. After the application loads, select Users and groups, then Add user/group to Assign
them to this application.


Select the users and groups you want to have use the Azure IdP in the Cloud Identity
Engine for authentication.

Be sure to assign the account you are using so you can test the configuration
when it is complete. You may need to refresh the page after adding accounts to
successfully complete the test.
7. Select Single sign-on then select SAML.
8. Upload Metadata File by browsing to the metadata file that you downloaded from the
Cloud Identity Engine app and click Add.
9. After the metadata uploads, Save your configuration.
10. (Optional) Edit your User Attributes & Claims to Add a new claim or Edit an existing
claim.

If you attempt to test the configuration on the Azure Admin Console, a 404
error displays because the test is triggered by the IdP and the Cloud Identity
Engine supports authentication requests initiated by the service provider.

STEP 2 | Configure Azure AD for the Cloud Identity Engine.


1. Select single sign-on then select SAML.
2. Edit the Basic SAML Configuration settings.
3. Upload metadata file and select the metadata file you downloaded from the Cloud
Identity Engine in the first step.
4. Enter your regional endpoint as the Sign-on URL using the following format:
https://<RegionUrl>.paloaltonetworks.com/sp/acs (where <RegionUrl>
is your regional endpoint). For more information on regional endpoints, see Configure
Cloud Identity Engine Authentication on the Firewall or Panorama.
5. Copy the App Federation Metadata Url and save it to a secure location.

STEP 3 | Add and assign users that you want to require to use Azure AD for authentication.
1. Select Azure Active Directory then select Users > All users.
2. Create a New user and enter a Name and User name.
3. Select Show password, copy the password to a secure location, and Create the user.
4. In the Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service
integration in the Azure Portal, select Users and groups.
5. Add user then select Users and groups.


STEP 4 | Add Azure as an authentication type in the Cloud Identity Engine app.
1. Select Authentication Types and click Add New Authentication Type.

2. Set Up a SAML 2.0 authentication type.


3. Enter a Profile Name.


4. Select Azure as your Identity Provider Vendor.

STEP 5 | Select the method you want to use to Add Metadata and Submit the IdP profile.
• If you want to enter the information manually, copy the identity provider ID and SSO
URL, download the certificate, then enter the information in the Cloud Identity Engine IdP
profile.
1. Copy the necessary information from the Azure Portal and enter it in the IdP profile on
the Cloud Identity Engine app as indicated in the following table:

Copy or Download From Azure Portal | Enter in Cloud Identity Engine IdP Profile
Copy the Azure AD Identifier. | Enter it as the Identity Provider ID.
Download the Certificate (Base64). | Click to Upload the certificate from the Azure Portal.
Copy the Login URL. | Enter the URL as the Identity Provider SSO URL.

2. Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML
binding that allows the firewall and IdP to exchange request and response messages
(HTTP Redirect, which transmits SAML messages through URL parameters or HTTP
Post, which transmits SAML messages using base64-encoded HTML).
3. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds
between the system times of the IdP and the firewall at the moment when the firewall
validates IdP messages (default is 60; range is 1–900). If the difference exceeds this
value, authentication fails.
• If you want to upload a metadata file, download the metadata file from your IdP
management system.
1. In Azure Portal, Download the Federation Metadata XML and Save it to a secure
location.
2. In the Cloud Identity Engine app, Click to upload the metadata file, then Open the
metadata file.
• If you want to use a URL to retrieve the metadata, copy the App Federation Metadata Url.
Paste it in the profile and Fetch the metadata.

Palo Alto Networks recommends using this method to configure Azure as an IdP.


STEP 6 | Select Multi-factor Authentication is Enabled on the Identity Provider if your Azure
configuration uses multi-factor authentication (MFA).


STEP 7 | To require users to log in using their credentials to reconnect to GlobalProtect, enable Force
Authentication.

STEP 8 | Test SAML setup to verify the profile configuration.

This step is required to confirm that your firewall and IdP can communicate.


STEP 9 | Select the SAML attributes you want the firewall to use for authentication and Submit the
IdP profile.
1. In the Azure Portal, Edit the User Attributes & Claims.
2. In the Cloud Identity Engine app, enter the Username Attribute and optionally, the
Usergroup Attribute, Access Domain, User Domain, and Admin Role, then Submit the
profile.

Configure Okta as an IdP in the Cloud Identity Engine


If you want to use Okta to authenticate users with the Cloud Identity Engine, there are two ways
to configure Okta authentication with the Cloud Identity Engine:
• Integrate Okta as a Gallery Application (Recommended)
• Integrate Okta as a Custom Application


STEP 1 | Select the method you want to use to integrate the Okta authentication in the Cloud Identity
Engine and complete the steps in the Okta management console.
• Integrate Okta as a Gallery Application (Recommended)
• Integrate Okta as a Custom Application

STEP 2 | Set up the Okta authentication in the Cloud Identity Engine.


1. If you have not already done so, activate the Cloud Identity Engine app.
2. In the Cloud Identity Engine app, select Authentication > SP Metadata > Download SP
Metadata and Save the metadata in a secure location.

STEP 3 | Add Okta as an authentication type in the Cloud Identity Engine app.
1. Select Authentication Types and click Add New Authentication Type.

2. Set Up a SAML 2.0 authentication type.

3. Enter a Profile Name.

4. Select Okta as your Identity Provider Vendor.


STEP 4 | Select the method you want to use to Add Metadata and Submit the IdP profile.
• If you want to enter the information manually, copy the identity provider ID and SSO
URL, download the certificate, then enter the information in the Cloud Identity Engine IdP
profile.
1. In the Okta Admin Console, click Identity Provider metadata.

2. Copy the necessary information from the Okta Admin Console and enter it in the IdP
profile on the Cloud Identity Engine app as indicated in the following table:

Copy or Download From Okta Admin Console | Enter in Cloud Identity Engine
Copy the Identity Provider Issuer. | Enter it as the Identity Provider ID.
Download the X.509 Certificate. | Click to Upload the certificate from the Okta Admin Console.
Copy the Identity Provider Single Sign-On URL. | Enter the URL as the Identity Provider SSO URL.

3. Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML
binding that allows the firewall and IdP to exchange request and response messages
(HTTP Redirect, which transmits SAML messages through URL parameters or HTTP
Post, which transmits SAML messages using base64-encoded HTML).
4. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds
between the system times of the IdP and the firewall at the moment when the firewall
validates IdP messages (default is 60; range is 1–900). If the difference exceeds this
value, authentication fails.
• If you want to upload a metadata file, download the metadata file from your IdP
management system.
1. In the Okta Admin Console, click View Setup Info and copy the IDP metadata and save it
to a secure location.
2. In the Cloud Identity Engine app, Click to Upload the metadata file, then Open the
metadata file.
• If you want to use a URL to retrieve the metadata, copy the IDP metadata from step 4.2.
Paste it in the profile and Fetch the metadata.
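The Maximum Clock Skew setting in this step (and in the Azure procedure above) decides how much the IdP clock may disagree with the firewall clock before authentication fails. The following added Python example is a simplified model of a skew-tolerant time check, not PAN-OS code or any Palo Alto Networks implementation; the timestamps and the 90-second drift scenario are constructed.

```python
"""Model of a skew-tolerant check on the time-bound fields of a SAML IdP response.
Added example, not PAN-OS code: it shows what the Maximum Clock Skew setting permits
(default 60 s, range 1-900 s) when the IdP clock and the firewall clock disagree.
All timestamps below are constructed."""
from datetime import datetime, timedelta, timezone

SKEW_DEFAULT = 60            # default from the procedure, in seconds
SKEW_MIN, SKEW_MAX = 1, 900  # allowed range from the procedure, in seconds


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2023-11-14T09:30:00Z."""
    if not value.endswith("Z"):
        raise ValueError(f"SAML timestamp must be UTC and end in Z: {value!r}")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def check_times(issue_instant, not_before, not_on_or_after, now,
                max_clock_skew=SKEW_DEFAULT):
    """Return (ok, reason) for the response's time fields as seen at 'now'.

    Each window is widened by max_clock_skew seconds in the direction that a
    clock difference between IdP and firewall could push it.
    """
    if not SKEW_MIN <= max_clock_skew <= SKEW_MAX:
        raise ValueError(f"Maximum Clock Skew must be {SKEW_MIN}-{SKEW_MAX} seconds")
    skew = timedelta(seconds=max_clock_skew)

    # A response stamped further in the future than the tolerance means the
    # IdP clock is ahead of the firewall by more than the allowed skew.
    if parse_saml_time(issue_instant) > now + skew:
        return False, "IssueInstant exceeds the allowed clock skew"
    # Conditions/@NotBefore: valid from that instant, minus the tolerance.
    if not_before is not None and parse_saml_time(not_before) > now + skew:
        return False, "assertion not yet valid (NotBefore)"
    # Conditions/@NotOnOrAfter: exclusive end, extended by the tolerance.
    if not_on_or_after is not None and now >= parse_saml_time(not_on_or_after) + skew:
        return False, "assertion expired (NotOnOrAfter)"
    return True, "time conditions satisfied"


def drift_scenarios():
    """Constructed scenario: the IdP clock runs 90 s ahead of the firewall clock."""
    firewall_now = datetime(2023, 11, 14, 9, 30, 0, tzinfo=timezone.utc)
    # The IdP stamps the response with its own (fast) clock: 09:31:30Z.
    issue = "2023-11-14T09:31:30Z"
    not_before = "2023-11-14T09:31:30Z"
    not_on_or_after = "2023-11-14T09:36:30Z"  # five-minute assertion lifetime
    return {
        # 90 s of drift exceeds the default 60 s: authentication fails.
        "default_skew": check_times(issue, not_before, not_on_or_after, firewall_now),
        # Raising the tolerance to 120 s accepts the same response.
        "skew_120": check_times(issue, not_before, not_on_or_after, firewall_now,
                                max_clock_skew=120),
        # Ten minutes later the assertion is past NotOnOrAfter plus the skew.
        "presented_later": check_times(issue, not_before, not_on_or_after,
                                       firewall_now + timedelta(minutes=10)),
    }


if __name__ == "__main__":
    for name, (ok, reason) in drift_scenarios().items():
        print(f"{name:16} -> {'accept' if ok else 'reject'}: {reason}")
```

Keeping the skew at the default and fixing the clock drift (NTP on both sides) is the intended remedy; widening the skew only enlarges the window in which an old assertion is still accepted.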


STEP 5 | To require users to log in using their credentials to reconnect to GlobalProtect, enable Force
Authentication.

STEP 6 | Test SAML setup to verify the profile configuration.

This step is required to confirm that your firewall and IdP can communicate.


STEP 7 | Select the SAML attributes you want the firewall to use for authentication and Submit the
IdP profile.

You must select the username attribute in the Okta Admin Console for the attribute to
display in the Cloud Identity Engine.

1. In the Okta Admin Console, Edit the User Attributes & Claims.
2. In the Cloud Identity Engine app, select the Username Attribute and optionally, the
Usergroup Attribute, Access Domain, User Domain, and Admin Role.

If you are using the Cloud Identity Engine for SAML authentication with
GlobalProtect Clientless VPN, you must configure the User Domain attribute to
the same value as the userdomain field in the Okta Admin Console (Applications >
Applications > SAML 2.0 > General).

Integrate Okta as a Gallery Application


Palo Alto Networks strongly recommends that you integrate Okta in the Cloud Identity Engine
as a gallery application. Complete the following steps to add and configure the Okta gallery
application in the Cloud Identity Engine. Be sure to complete all the steps here and in the Okta
documentation.
STEP 1 | Log in to the Okta Admin Console and select Applications > Applications.


STEP 2 | Click Browse App Catalog.

STEP 3 | Search for and select Palo Alto Networks Cloud Identity Engine.

STEP 4 | Click Add Integration.

STEP 5 | Optionally edit the application name then click Next.

STEP 6 | Verify that SAML 2.0 is selected.


STEP 7 | If you enabled Force Authentication in Step 5, select Applications, select the app you
created, select Sign-On, Edit the Settings, and uncheck Disable Force Authentication.

STEP 8 | Edit and paste the SAML Region.


The SAML Region is based on the Entity ID in the SP Metadata. To obtain the SAML
Region, enter only the host name portion of the Entity ID between https:// and
.paloaltonetworks.com. For example, if the Entity ID is
https://cloud-auth.us.apps.paloaltonetworks.com/sp, the SAML Region is
cloud-auth.us.apps.

STEP 9 | Select the Application username format that you want to use to authenticate the user. For
example, Email represents the UserPrincipalName (UPN) format.


STEP 10 | Click Done.

STEP 11 | (Optional) If you want to configure other attributes in addition to the username, refer to the
Okta documentation.

Integrate Okta as a Custom Application


Palo Alto Networks strongly recommends that you Integrate Okta as a Gallery Application.
However, if you want to configure the Okta integration as a custom application, complete the
following steps.
STEP 1 | Log in to the Okta Admin Console and select Applications > Applications.

STEP 2 | Click Create App Integration.

STEP 3 | Verify that SAML 2.0 is selected then click Next.


STEP 4 | Enter an App name then click Next.

STEP 5 | Copy the SP Metadata information from the Cloud Identity Engine and enter it in the Okta
Admin Console as described in the following table:

Copy From Cloud Identity Engine | Enter in Okta Admin Console
Copy the Entity ID from the SP Metadata page. | Enter it as the Audience URI (SP Entity ID).
Copy the Assertion Consumer Service URL. | Enter the URL as the Single sign on URL.
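Both the values in this table and the SAML Region of the gallery application (Step 8 above) come from the SP Metadata file downloaded from the Cloud Identity Engine. The following added Python example, which is not Palo Alto Networks or Okta code, reads them out of SP metadata; the metadata document is a constructed sample in standard SAML 2.0 metadata form, using the regional host from the page's own Entity ID example, and the ACS-URL consistency check assumes the `https://<RegionUrl>.paloaltonetworks.com/sp/acs` format the Azure procedure gives.

```python
"""Read the SP Metadata values the Okta procedures ask you to copy: Entity ID
(Audience URI), Assertion Consumer Service URL (Single sign on URL) and the
derived SAML Region. Added example; SAMPLE_SP_METADATA is a constructed document
in SAML 2.0 metadata form, not a real Cloud Identity Engine download."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PAN_SUFFIX = ".paloaltonetworks.com"

# Constructed sample SP metadata (assumption: same shape as a real download).
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cloud-auth.us.apps.paloaltonetworks.com/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cloud-auth.us.apps.paloaltonetworks.com/sp/acs"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return (entity_id, acs_url); prefer the HTTP-POST ACS endpoint if several exist."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("document is not a SAML 2.0 EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID attribute")
    services = root.findall(f".//{{{MD_NS}}}AssertionConsumerService")
    if not services:
        raise ValueError("metadata has no AssertionConsumerService")
    post = [s for s in services if s.get("Binding") == HTTP_POST]
    chosen = post[0] if post else services[0]
    return entity_id, chosen.get("Location")


def saml_region(entity_id):
    """SAML Region as the gallery app wants it: the Entity ID host name without
    the trailing .paloaltonetworks.com (cloud-auth.us.apps for the page's example)."""
    parsed = urlparse(entity_id)
    if parsed.scheme != "https":
        raise ValueError("Entity ID must be an https URL")
    host = parsed.hostname or ""
    if not host.endswith(PAN_SUFFIX):
        raise ValueError(f"unexpected Entity ID host {host!r}")
    return host[: -len(PAN_SUFFIX)]


def acs_matches_entity(entity_id, acs_url):
    """Assumed regional format: the ACS URL is <Entity ID>/acs on the same host."""
    return acs_url == entity_id.rstrip("/") + "/acs"


def okta_values(xml_text):
    """Map the metadata onto the Okta fields named in the procedures."""
    entity_id, acs_url = parse_sp_metadata(xml_text)
    if not acs_matches_entity(entity_id, acs_url):
        raise ValueError("ACS URL does not sit on the Entity ID's regional host")
    return {
        "Audience URI (SP Entity ID)": entity_id,
        "Single sign on URL": acs_url,
        "SAML Region": saml_region(entity_id),
    }


if __name__ == "__main__":
    for field, value in okta_values(SAMPLE_SP_METADATA).items():
        print(f"{field}: {value}")
```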

STEP 6 | (Required for custom app) Select a Value for the user attributes (Attribute Statements
(optional)) and optionally enter a Filter for the group attributes (Group Attribute Statements
(optional)) to specify the attribute formats.
You must configure at least one SAML attribute that contains identification information for
the user (usually the username attribute) for the attributes to display in the Cloud Identity
Engine. To configure administrator access, you must also enter a value for the accessdomain
attribute and for the adminrole attribute that match the values on the firewall.

STEP 7 | Click Next, specify whether you are a customer or partner, then click Finish.

STEP 8 | Click Add Rule to define a Sign On Policy that specifies which users and groups must
authenticate with the Okta IdP using the Cloud Identity Engine.


STEP 9 | Select Assignments and Assign the users and groups that you require to authenticate using
the Cloud Identity Engine. Save and Go Back to assign more users or groups.

Be sure to assign the account you are using so you can test the configuration when it
is complete. You may need to refresh the page after adding accounts to successfully
complete the test.

STEP 10 | Select Sign On and View Setup Instructions.

STEP 11 | Select the SAML attributes you want the firewall to use for authentication.

Configure PingOne as an IdP in the Cloud Identity Engine


Configure a profile to configure PingOne as an identity provider (IdP) in the Cloud Identity Engine.
After you configure the IdP profile, Configure Cloud Identity Engine Authentication on the
Firewall or Panorama.


STEP 1 | Enable the Cloud Identity Engine app in PingOne.


1. If you have not already done so, activate the Cloud Identity Engine app.
2. In the Cloud Identity Engine app, select Authentication > SP Metadata > Download SP
Metadata and Save the metadata in a secure location.

3. Log in to PingOne and select Applications > My Applications > Add Application > New
SAML Application.


4. Enter an Application Name, an Application Description, and select the Category then
Continue to Next Step.
5. Select I have the SAML configuration and ensure the Protocol Version is SAML v 2.0.

6. Click Select File to Upload Metadata.

7. Copy the metadata information from the Cloud Identity Engine and enter it in PingOne
as described in the following table:

Copy From Cloud Identity Engine | Enter in PingOne
Copy the Entity ID from the SP Metadata page. | Enter it as the Entity ID.
Copy the Assertion Consumer Service URL. | Enter the URL as the Assertion Consumer Service (ACS).

8. Select either RSA_SHA384 or RSA_SHA256 as the Signing Algorithm.

9. If you want to require users to log in with their credentials to reconnect to
GlobalProtect, select Force Re-authentication.


10. (Required for MFA) If you want to require multi-factor authentication for your users,
select Force MFA.
11. Click Continue to Next Step to specify the attributes for the users you want to
authenticate using PingOne.
12. Specify the Application Attribute and the associated Identity Bridge Attribute or Literal
Value for your user then select Required.

Be sure to assign the account you are using so you can test the configuration
when it is complete. You may need to refresh the page after adding accounts to
successfully complete the test.


13. Click Add new attribute as needed to include additional attributes then Continue to next
step to specify the group attributes.
14. Add the groups you want to authenticate using PingOne or Search for the groups you
want to add then Continue to next step to review your configuration.


STEP 2 | Add PingOne as an authentication type in the Cloud Identity Engine app.
1. Select Authentication Types and click Add New Authentication Type.

2. Set Up a SAML 2.0 authentication type.

3. Enter a Profile Name.


4. Select PingOne as your Identity Provider Vendor.

STEP 3 | Select the method you want to use to Add Metadata and Submit the IdP profile.
• If you want to enter the information manually, copy the identity provider ID and SSO
URL, download the certificate, then enter the information in the Cloud Identity Engine IdP
profile.
1. In PingOne, select Applications > My Applications then select the Cloud Identity Engine
app.
2. Copy the necessary information from PingOne and enter it in the IdP profile on the
Cloud Identity Engine app as indicated in the following table:

Copy or Download From Okta Admin Console       | Enter in Cloud Identity Engine IdP Profile
Copy the Issuer ID.                            | Enter it as the Identity Provider ID.
Download the Signing Certificate.              | Click to Upload the certificate from the Okta Admin Console.
Copy the Initiate Single Sign-On (SSO) URL.    | Enter the URL as the Identity Provider SSO URL.

3. Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML
binding that allows the firewall and IdP to exchange request and response messages
(HTTP Redirect, which transmits SAML messages through URL parameters, or HTTP
Post, which transmits SAML messages using base64-encoded HTML).
4. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds
between the system times of the IdP and the firewall at the moment when the firewall
validates IdP messages (default is 60; range is 1–900). If the difference exceeds this
value, authentication fails.
• If you want to upload a metadata file, download the metadata file from your IdP
management system.
1. In PingOne, select Applications > My Applications then select the Cloud Identity Engine
app.
2. Download the SAML Metadata.
3. In the Cloud Identity Engine app, Click to Upload the metadata file, then Open the
metadata file.

The Cloud Identity Engine does not currently support the Get URL method for
PingOne.

STEP 4 | Test SAML setup to verify the profile configuration.

This step is required to confirm that your firewall and IdP can communicate.

STEP 5 | If your IdP is configured to require users to log in using multi-factor authentication (MFA),
select Multi-factor Authentication is Enabled on the Identity Provider.


STEP 6 | If you enabled the Force Re-authentication option in Step 1.9, enable the Force
Authentication option to require users to log in with their credentials to reconnect to
GlobalProtect.


STEP 7 | Select the SAML attributes you want the firewall to use for authentication and Submit the
IdP profile.
1. In the Okta Admin Console, Edit the User Attributes & Claims.
2. In the Cloud Identity Engine, select the Username Attribute and optionally, the Usergroup
Attribute, Access Domain, User Domain, and Admin Role, then Submit your changes.

You must select the username attribute in the Okta Admin Console for the attribute
to display in the Cloud Identity Engine.


Configure PingFederate as an IdP in the Cloud Identity Engine


STEP 1 | Prepare the metadata for the Cloud Identity Engine app in PingFederate.
1. If you have not already done so, activate the Cloud Identity Engine app.
2. In the Cloud Identity Engine app, select Authentication > SP Metadata > Download SP
Metadata and Save the metadata in a secure location.

3. Log in to PingFederate and select System > SP Affiliations > Protocol Metadata >
Metadata Export.
4. Select I am the Identity Provider (IdP) then click Next.

5. Select information to include in metadata manually then click Next.


6. Select the Signing key you want to use then click Next.
7. Ensure that SAML 2.0 is the protocol then click Next.
8. Click Next as you do not need to define an attribute contract.
9. Select the Signing Certificate and select Include this certificate’s public key
certificate in the <key info> element.

10. Select the Signing Algorithm you want to use then click Next.
11. Select the same certificate as the Encryption certificate then click Next.
12. Review the metadata to verify the settings are correct then Export the metadata.


STEP 2 | Add PingFederate as an authentication type in the Cloud Identity Engine app.
1. Select Authentication Types and click Add New Authentication Type.

2. Set Up a SAML 2.0 authentication type.

3. Enter a Profile Name.


4. Select PingFederate as your Identity Provider Vendor.

STEP 3 | Select the method you want to use to Add Metadata and Submit the IdP profile.
• If you want to enter the information manually, copy the identity provider ID and SSO
URL, download the certificate, then enter the information in the Cloud Identity Engine IdP
profile.
1. In PingFederate, select System > OAuth Settings > Protocol Settings to copy the Base
URL and SAML 2.0 Entity.
2. Copy the necessary information from PingFederate and enter it in the IdP profile on the
Cloud Identity Engine app as indicated in the following table:

Copy or Download From PingFederate   | Enter in Cloud Identity Engine IdP Profile
Copy the SAML 2.0 Entity ID.         | Enter it as the Identity Provider ID.
Copy the Base URL.                   | Enter the URL as the Identity Provider SSO URL.

3. In PingFederate, select Security > Signing & Decryption Keys & Certificates to Export
the certificate you want to use.
4. In the Cloud Identity Engine app, Click to Upload the PingFederate certificate.
5. Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML
binding that allows the firewall and IdP to exchange request and response messages
(HTTP Redirect, which transmits SAML messages through URL parameters, or HTTP
Post, which transmits SAML messages using base64-encoded HTML).
6. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds
between the system times of the IdP and the firewall at the moment when the firewall
validates IdP messages (default is 60; range is 1–900). If the difference exceeds this
value, authentication fails.
• If you want to upload a metadata file, download the metadata file from your IdP
management system.
1. Locate the metadata file from the first step.
2. In the Cloud Identity Engine app, Click to Upload the metadata file, then Open the
metadata file.

The Cloud Identity Engine does not currently support the Get URL method for
PingFederate.

STEP 4 | Test SAML setup to verify the profile configuration.

This step is required to confirm that your firewall and IdP can communicate.

STEP 5 | If your IdP is configured to require users to log in using multi-factor authentication (MFA),
select Multi-factor Authentication is Enabled on the Identity Provider.


STEP 6 | Select the SAML attributes you want the firewall to use for authentication and Submit the
IdP profile.
1. In the Cloud Identity Engine, select the Username Attribute.
2. (Optional) Select the Usergroup Attribute, Access Domain, User Domain, and Admin Role.


Configure Google as an IdP in the Cloud Identity Engine


STEP 1 | Prepare to configure Google as an IdP in the Cloud Identity Engine.
1. If you have not already done so, activate the Cloud Identity Engine app.
2. In the Cloud Identity Engine app, select Authentication > SP Metadata > Download SP
Metadata and Save the metadata in a secure location.

3. Log in to the Google Admin Console and select Apps > SAML Apps.

4. Select Add App > Add custom SAML app.


5. Enter an App name then Continue to the next step.


6. Click Download Metadata to Download IdP metadata then Continue to the next step.

7. Copy the metadata information from the Cloud Identity Engine and enter it in the
Google Admin Console as described in the following table then Continue to the next
step:

Copy From Cloud Identity Engine                 | Enter in Google Admin Console
Copy the Entity ID from the SP Metadata page.   | Enter it as the Entity ID.
Copy the Assertion Consumer Service URL.        | Enter the URL as the ACS URL.

8. Add mapping to select the Google Directory attributes then specify the corresponding
App attributes. Repeat for each attribute you want to use then click Finish when the
changes are complete.

9. View details to specify the users and groups you want to authenticate with Google and
enable the app to turn it ON for everyone then Save your changes.

10. Select Directory > Users to specify the users you want to authenticate using Google.


STEP 2 | Add Google as an authentication type in the Cloud Identity Engine app.
1. Select Authentication Types and click Add New Authentication Type.

2. Set Up a SAML 2.0 authentication type.

3. Enter a Profile Name.


4. Select Google as your Identity Provider Vendor.


STEP 3 | Select the method you want to use to Add Metadata and Submit the profile.
• If you want to enter the information manually, copy the identity provider ID and SSO
URL, download the certificate, then enter the information in the Cloud Identity Engine IdP
profile.
1. In the Google Admin Console, select the Cloud Identity Engine app and Download
Metadata.

2. Click Download Metadata then copy the necessary information from Google and enter it
in the IdP profile on the Cloud Identity Engine app as indicated in the following table:

Copy or Download From Google Admin Console   | Enter in Cloud Identity Engine IdP Profile
Copy the Entity ID.                          | Enter it as the Identity Provider ID.
Download the Certificate.                    | Click to Upload the certificate from Google.
Copy the SSO URL.                            | Enter the URL as the Identity Provider SSO URL.

3. Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML
binding that allows the firewall and IdP to exchange request and response messages
(HTTP Redirect, which transmits SAML messages through URL parameters, or HTTP
Post, which transmits SAML messages using base64-encoded HTML).
4. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds
between the system times of the IdP and the firewall at the moment when the firewall
validates IdP messages (default is 60; range is 1–900). If the difference exceeds this
value, authentication fails.
• If you want to upload a metadata file, download the metadata file from your IdP
management system.
1. In the Google Admin Console, select the Cloud Identity Engine app and Download
Metadata.
2. Click Download Metadata and Save the file to a secure location.
3. In the Cloud Identity Engine app, Click to Upload the metadata file, then Open the
metadata file.

The Cloud Identity Engine does not currently support the Get URL method for Google.
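The two SSO request bindings offered in the IdP profile, shown as an added Go example that is not Cloud Identity Engine or PAN-OS code: the AuthnRequest text and the sp.example.invalid URLs are constructed placeholders, and only the message encoding is modelled, not request signing.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"fmt"
	"html"
	"io"
	"net/url"
)

// SampleAuthnRequest is a constructed request with placeholder URLs; it stands in for
// the request the firewall sends to the IdP's SSO URL.
const SampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"` +
	` ID="_demo-request-1" Version="2.0" IssueInstant="2023-11-01T10:00:00Z"` +
	` AssertionConsumerServiceURL="https://sp.example.invalid/acs">` +
	`<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.invalid/metadata</saml:Issuer>` +
	`</samlp:AuthnRequest>`

// EncodeRedirect builds the query string for the HTTP Redirect binding: raw DEFLATE,
// then base64, then URL-encoding, so the whole message rides in the GET parameters.
// A signed request adds SigAlg and Signature parameters over this query string (not shown).
func EncodeRedirect(xmlMsg, relayState string) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err = w.Write([]byte(xmlMsg)); err != nil {
		return "", err
	}
	if err = w.Close(); err != nil {
		return "", err
	}
	q := url.Values{"SAMLRequest": {base64.StdEncoding.EncodeToString(buf.Bytes())}}
	if relayState != "" {
		q.Set("RelayState", relayState)
	}
	return q.Encode(), nil
}

// DecodeRedirect reverses EncodeRedirect, as the IdP does when the GET arrives.
func DecodeRedirect(query string) (string, error) {
	q, err := url.ParseQuery(query)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(q.Get("SAMLRequest"))
	if err != nil {
		return "", fmt.Errorf("SAMLRequest is not valid base64: %w", err)
	}
	out, err := io.ReadAll(flate.NewReader(bytes.NewReader(raw)))
	if err != nil {
		return "", fmt.Errorf("SAMLRequest is not valid DEFLATE: %w", err)
	}
	return string(out), nil
}

// EncodePost produces the SAMLRequest form-field value for the HTTP Post binding: plain
// base64 of the XML (no compression), carried in an HTML form the browser submits.
func EncodePost(xmlMsg string) string {
	return base64.StdEncoding.EncodeToString([]byte(xmlMsg))
}

// DecodePost reverses EncodePost.
func DecodePost(field string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(field)
	return string(raw), err
}

// PostForm renders the HTML form page for the HTTP Post binding; the browser posts it
// to the IdP's SSO URL, so the SAML message never appears in a URL.
func PostForm(ssoURL, xmlMsg, relayState string) string {
	return fmt.Sprintf(`<form method="post" action="%s">`+
		`<input type="hidden" name="SAMLRequest" value="%s"/>`+
		`<input type="hidden" name="RelayState" value="%s"/>`+
		`<input type="submit" value="Continue"/></form>`,
		html.EscapeString(ssoURL), EncodePost(xmlMsg), html.EscapeString(relayState))
}
```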


STEP 4 | Test SAML setup to verify the profile configuration.

This step is required to confirm that your firewall and IdP can communicate.

STEP 5 | Select the SAML attributes you want the firewall to use for authentication and Submit the
IdP profile.
Select the Username Attribute and optionally, the Usergroup Attribute, Access Domain, User
Domain, and Admin Role.


Configure a Client Certificate


To use a client certificate to authenticate users, configure a certificate authority (CA) and client
certificate.


STEP 1 | Configure a Certificate Authority (CA) chain to authenticate users.

Upload the CA chain, including the root certificate and any intermediate certificates, that
issues the client certificate. The Cloud Identity Engine supports multiple intermediate
certificates but does not support sibling intermediate certificates in a single CA chain.
1. In the Cloud Identity Engine app, select Authentication > CA Chains > Add CA Chain.

2. Enter the necessary information for the CA chain profile.

• CA Name—Enter a unique name to identify the CA chain in the Cloud Identity Engine
tenant.
• Upload Certificate—Drag and drop file(s) here or Browse files to your CA certificate
then Open the certificate to select it.

The file must end in the .crt or .pem file extension.


• Certificate Revocation List Endpoint (Optional)—(Optional but recommended) Specify
the URL for the certificate revocation list (CRL) that you want the Cloud Identity
Engine to use to validate the client certificate.
3. Submit the changes to complete the configuration.

STEP 2 | In the Cloud Identity Engine app, select Authentication > Authentication Types > Add New
Authentication Type.


STEP 3 | Select Client Certificate > Set Up.

STEP 4 | Enter a unique Authentication Type Name for the client certificate.


STEP 5 | Select the Username Field that you want the Cloud Identity Engine to use to authenticate
users.

Select the Username Field based on the attribute type of the client certificate that you
want to use to authenticate the user; for example, if the username is defined in the
client certificate using Subject, select Subject.

STEP 6 | Configure the Username Attribute based on the previous step and the attribute that your
client certificate uses to authenticate users.
• If the Username Field is Subject, the Username Attribute is CN.
• If the Username Field is Subject Alt Name, select Email or User Principal Name based on
the attribute that your client certificate specifies.


STEP 7 | Click Add CA Chain to add one or more CA chains to authenticate users.

STEP 8 | Enter a search term in the Search CA Chain field or select a CA chain you previously
configured and Add it to the configuration.
The Cloud Identity Engine supports grouping multiple CA chains in a certificate type to
authenticate client certificates issued by multiple CA chains.

STEP 9 | Submit your changes to configure the authentication type.
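To make the CA chain, CRL endpoint, Username Field and Username Attribute settings in this procedure concrete, here is an added Go example (not Palo Alto Networks code, and not how the Cloud Identity Engine is implemented) that builds a throwaway root CA, issuing CA and client certificates, verifies a client certificate against that chain, consults a CRL, and extracts the username for the two field/attribute pairs the page names. All names, serial numbers and the alice@example.com address are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl under parent (self-signed when parent is nil). Throwaway demo PKI only.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// template builds a CA template (ca=true) or a client-authentication leaf template.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return t
}

// BuildDemo constructs root CA -> issuing CA -> two client certificates ("alice", serial 3, and
// "bob", serial 300) plus a CRL signed by the issuing CA that revokes serial 300 (all constructed).
func BuildDemo() (root, inter, alice, bob *x509.Certificate, crl *x509.RevocationList) {
	root, rootKey := issue(template("Demo Root CA", 1, true), nil, nil)
	inter, interKey := issue(template("Demo Issuing CA", 2, true), root, rootKey)
	aliceTmpl := template("alice", 3, false)
	aliceTmpl.EmailAddresses = []string{"alice@example.com"} // SAN email, constructed value
	alice, _ = issue(aliceTmpl, inter, interKey)
	bob, _ = issue(template("bob", 300, false), inter, interKey)
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: bob.SerialNumber, RevocationTime: time.Now()}},
	}, inter, interKey)
	if err != nil {
		panic(err)
	}
	crl, _ = x509.ParseRevocationList(der)
	return root, inter, alice, bob, crl
}

// Username applies the Username Field / Username Attribute pair of the client certificate authentication
// type. User Principal Name lives in a SAN otherName that crypto/x509 does not decode, so it is left out.
func Username(leaf *x509.Certificate, field, attr string) (string, error) {
	switch field + "/" + attr {
	case "Subject/CN":
		if leaf.Subject.CommonName != "" {
			return leaf.Subject.CommonName, nil
		}
	case "Subject Alt Name/Email":
		if len(leaf.EmailAddresses) > 0 {
			return leaf.EmailAddresses[0], nil
		}
	}
	return "", fmt.Errorf("no usable %s %s in certificate (or unsupported pair)", field, attr)
}

// Authenticate verifies leaf against the uploaded chain (one root plus its intermediates), consults
// the issuing CA's CRL when one is configured, and returns the username the firewall would see.
func Authenticate(leaf, root *x509.Certificate, crl *x509.RevocationList, field, attr string,
	inters ...*x509.Certificate) (string, error) {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		pool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	if crl != nil { // optional on the page, but without it a lost certificate stays usable until it expires
		if err := crl.CheckSignatureFrom(chains[0][1]); err != nil {
			return "", fmt.Errorf("CRL not signed by the issuing CA: %w", err)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return "", fmt.Errorf("certificate serial %s is revoked", leaf.SerialNumber)
			}
		}
	}
	return Username(leaf, field, attr)
}
```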


Set Up an Authentication Profile


Configure an authentication profile to use to authenticate users with the Cloud Identity Engine.
You can specify one or more authentication types by group or by directory or for all directories.

To use more than one authentication type in your authentication profile, you must
configure a directory in the Cloud Identity Engine. For a single client certificate
authentication type, configuring a directory in the Cloud Identity Engine is optional. There
is no directory requirement for a single SAML 2.0-compliant authentication type.

STEP 1 | Select Authentication > Authentication Profiles then Add Authentication Profile.

STEP 2 | If you have not already done so, Configure a SAML 2.0 Authentication Type or Configure a
Client Certificate to use as an authentication type.

STEP 3 | Enter a unique Profile Name.


STEP 4 | Select the Authentication Mode.

• If you select Single as the authentication mode, click Select authentication type and select
the authentication type you want to use.


• If either of the following applies to your configuration, select the Directory Sync Username
Attribute and Directory Sync Group Attribute.
  • You selected Multiple as the Authentication Mode and you have configured a client
    certificate.
  • You selected Single and the Authentication Type is Client Certificate.

To successfully authenticate users using a client certificate, the value of the
Directory Sync Username Attribute must match the value of the Username
Attribute you select when you configure the Client Certificate Authentication Type.


STEP 5 | (Multiple Authentication Mode only) Define the Authentication mapping order by selecting
the configured authentication types that you want to use to authenticate users.

STEP 6 | (Multiple Authentication Mode only) During authentication, the Cloud Identity Engine uses
the given user identity information to obtain the directory group information for the user
to determine if the user’s group has an assigned authentication type. If the user belongs to
multiple groups, the Cloud Identity Engine uses the first authentication type you assign to
the group for user authentication.


STEP 7 | Select the Default authentication type that you want the Cloud Identity Engine to use to
authenticate users if the user is not in an assigned group.

As a best practice, assign an authentication type for each group you want to
authenticate using the Cloud Identity Engine.


STEP 8 | Choose directories and groups by selecting a directory or selecting All Directories.

You can also search by Directory Sync Group Attribute (such as Common-Name).


STEP 9 | Select the group or groups from each directory that you want to authenticate using the
authentication type you select in the next step.


STEP 10 | Select an authentication type and Assign it to assign this authentication type to the group or
groups you selected.


STEP 11 | Review your selections by authentication type or select All Authentication Types to see all
assigned groups.

STEP 12 | Submit your changes to configure the authentication profile.


Configure Cloud Identity Engine Authentication on the Firewall or Panorama

After you Configure the Cloud Identity Engine as a Mapping Source on the Firewall or Panorama
and Configure a SAML 2.0 Authentication Type, Configure a Client Certificate, or both, you can
create an authentication profile that redirects users to the authentication type (either a client
certificate or a SAML 2.0-compliant identity provider) you configure for authentication.
If you use Panorama to manage your firewalls, configure an authentication profile in Panorama
then push the authentication profile to the managed firewalls.

Some steps in the following procedure are required only if you want to configure an
authentication policy rule on the firewall using the Cloud Identity Engine and aren’t
required if you want to authenticate administrators or to authenticate users with Prisma
Access or GlobalProtect. These steps are indicated below.


STEP 1 | Configure an authentication profile to use the Cloud Authentication Service.


1. On the firewall, select Device > Authentication Profile.

2. Enter a Name for the authentication profile.


3. Select Cloud Authentication Service as the Type.
4. Select the Region of your Cloud Identity Engine tenant.
For more information on regions, refer to Activate the Cloud Identity Engine.
5. Select the Cloud Identity Engine Instance you want to use for this authentication profile.
For more information on Cloud Identity Engine tenants, refer to Cloud Identity Engine
Tenants.
6. Select an authentication Profile that specifies the authentication type you want to use to
authenticate users.
7. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds
between the system times of the IdP and the firewall at the moment when the firewall
validates IdP messages (default is 60; range is 1–900). If the difference exceeds this
value, authentication fails.
8. Select Force multi-factor authentication in cloud if your IdP is configured to require
users to log in using multi-factor authentication (MFA).
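An added Go example of what the Maximum Clock Skew setting in step 7 tolerates (illustrative code, not the firewall's implementation): a constructed assertion skeleton is checked against several firewall clock readings, assuming the skew is applied symmetrically at both ends of the NotBefore/NotOnOrAfter window.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// SampleAssertion is a constructed assertion skeleton, not a real IdP response. Its
// window runs from 10:00:00 up to (but excluding) 10:05:00 UTC.
const SampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_demo" Version="2.0" IssueInstant="2023-11-01T10:00:00Z">
  <saml:Conditions NotBefore="2023-11-01T10:00:00Z" NotOnOrAfter="2023-11-01T10:05:00Z"/>
</saml:Assertion>`

// assertion captures only the timing attributes this check needs.
type assertion struct {
	IssueInstant string `xml:"IssueInstant,attr"`
	Conditions   struct {
		NotBefore    string `xml:"NotBefore,attr"`
		NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	} `xml:"Conditions"`
}

// CheckTiming validates the assertion window against the firewall clock now, tolerating
// up to skew of disagreement between the IdP and firewall clocks. Assumption: the
// tolerance is applied symmetrically at both edges; the page only states the setting's
// range and that exceeding it fails authentication.
func CheckTiming(raw string, now time.Time, skew time.Duration) error {
	if skew < time.Second || skew > 900*time.Second {
		return fmt.Errorf("clock skew %v is outside the configurable range of 1-900 seconds", skew)
	}
	var a assertion
	if err := xml.Unmarshal([]byte(raw), &a); err != nil {
		return fmt.Errorf("parse assertion: %w", err)
	}
	var stamps [3]time.Time
	for i, s := range []string{a.IssueInstant, a.Conditions.NotBefore, a.Conditions.NotOnOrAfter} {
		ts, err := time.Parse(time.RFC3339, s)
		if err != nil {
			return fmt.Errorf("bad timestamp %q: %w", s, err)
		}
		stamps[i] = ts
	}
	issued, notBefore, notOnOrAfter := stamps[0], stamps[1], stamps[2]
	// The firewall accepts any "true" time between earliest and latest; a larger skew
	// widens this band and therefore also the window in which a captured assertion replays.
	earliest, latest := now.Add(-skew), now.Add(skew)
	switch {
	case issued.After(latest):
		return fmt.Errorf("assertion issued at %s, later than firewall time %s plus skew", issued, now)
	case latest.Before(notBefore):
		return fmt.Errorf("assertion not valid before %s (firewall time %s)", notBefore, now)
	case !earliest.Before(notOnOrAfter):
		return fmt.Errorf("assertion expired at %s (firewall time %s)", notOnOrAfter, now)
	}
	return nil
}

func main() {
	now, _ := time.Parse(time.RFC3339, "2023-11-01T10:06:30Z")
	fmt.Println("skew 60s: ", CheckTiming(SampleAssertion, now, 60*time.Second))
	fmt.Println("skew 120s:", CheckTiming(SampleAssertion, now, 120*time.Second))
}
```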

STEP 2 | (Required for authentication policy rule only) Configure the Authentication Portal settings to
use the authentication profile.
1. Select Device > User Identification > Authentication Portal Settings.
2. Edit the settings and select the Authentication Profile from the first step.
3. Select Redirect as the Mode.
For more information on how to configure redirect mode, refer to Configure
Authentication Portal.
4. Click OK.


STEP 3 | (Required for authentication policy rule only) Create an Authentication Enforcement object
that uses the authentication profile to redirect users to log in using their authentication type.
1. Select Objects > Authentication.
2. Add an Authentication Enforcement object and enter a Name for the object.
3. Select web-form as the Authentication Method.
4. Select the Authentication Profile from the first step.
5. (Optional) Enter a Message to display to users.
6. Click OK.

STEP 4 | Create a URL list as a custom URL category to allow the necessary traffic for the Cloud
Identity Engine.
1. If you don’t need to strictly limit traffic to your region, you can enter
*.apps.paloaltonetworks.com. Otherwise, determine your region-based URL
using the show cloud-auth-service-regions command to display the URLs for
the region associated with your Cloud Identity Engine tenant and enter each region-
based URL. The following table includes the URLs for each region:

Region                       | Cloud Identity Engine Region-Based URL
United States                | cloud-auth.us.apps.paloaltonetworks.com
                             | cloud-auth-service.us.apps.paloaltonetworks.com
Europe                       | cloud-auth.nl.apps.paloaltonetworks.com
                             | cloud-auth-service.nl.apps.paloaltonetworks.com
United Kingdom               | cloud-auth.uk.apps.paloaltonetworks.com
                             | cloud-auth-service.uk.apps.paloaltonetworks.com
Singapore                    | cloud-auth.sg.apps.paloaltonetworks.com
                             | cloud-auth-service.sg.apps.paloaltonetworks.com
Canada                       | cloud-auth.ca.apps.paloaltonetworks.com
                             | cloud-auth-service.ca.apps.paloaltonetworks.com
Japan                        | cloud-auth.jp.apps.paloaltonetworks.com
                             | cloud-auth-service.jp.apps.paloaltonetworks.com
Australia                    | cloud-auth.au.apps.paloaltonetworks.com
                             | cloud-auth-service.au.apps.paloaltonetworks.com
Germany                      | cloud-auth.de.apps.paloaltonetworks.com
                             | cloud-auth-service.de.apps.paloaltonetworks.com
United States - Government   | cloud-auth-service.gov.apps.paloaltonetworks.com
                             | cloud-auth.gov.apps.paloaltonetworks.com
India                        | cloud-auth-service.in.apps.paloaltonetworks.com
                             | cloud-auth.in.apps.paloaltonetworks.com
Switzerland                  | cloud-auth-service.ch.apps.paloaltonetworks.com
                             | cloud-auth.ch.apps.paloaltonetworks.com
Spain                        | cloud-auth-service.es.apps.paloaltonetworks.com
                             | cloud-auth.es.apps.paloaltonetworks.com
Italy                        | cloud-auth-service.it.apps.paloaltonetworks.com
                             | cloud-auth.it.apps.paloaltonetworks.com
France                       | cloud-auth-service.fr.apps.paloaltonetworks.com
                             | cloud-auth.fr.apps.paloaltonetworks.com
China                        | cloud-auth-service.cn.apps.prismaaccess.cn
                             | cloud-auth.cn.apps.prismaaccess.cn
                             | This region is only accessible in the Cloud Identity Engine within the specified region.
Poland                       | cloud-auth-service.pl.apps.paloaltonetworks.com
                             | cloud-auth.pl.apps.paloaltonetworks.com
Qatar                        | cloud-auth-service.qa.apps.paloaltonetworks.com
                             | cloud-auth.qa.apps.paloaltonetworks.com
Taiwan                       | cloud-auth-service.tw.apps.paloaltonetworks.com
                             | cloud-auth.tw.apps.paloaltonetworks.com
Israel                       | cloud-auth-service.il.apps.paloaltonetworks.com
                             | cloud-auth.il.apps.paloaltonetworks.com
Indonesia                    | cloud-auth-service.id.apps.paloaltonetworks.com
                             | cloud-auth.id.apps.paloaltonetworks.com

2. Enter the URLs that your IdP requires for user authentication (for example,
*.okta.com).

STEP 5 | Create a security policy rule to allow traffic to the authentication type and Cloud Identity
Engine and select the custom URL category as the match criteria.

STEP 6 | Create an interface management profile in the trusted zone and enable response pages.

STEP 7 | (Required for authentication policy rule only) Configure an Authentication policy rule to use
the Authentication Enforcement object and allow traffic to the custom URL category.

STEP 8 | (Panorama only) If you use Panorama to manage multiple firewalls, configure the Cloud
Identity Engine for Panorama.
1. Select the Cloud Identity Engine authentication method you want to use with Panorama.
• To configure the Cloud Identity Engine in an authentication profile for managed
devices, select Device > Authentication Profile.
• To use the Cloud Identity Engine in an authentication profile for Panorama
administrators, select Panorama > Authentication Profile.
2. Select Panorama > Setup > Management and Edit the Authentication Settings, then
select the Authentication Profile for the Cloud Identity Engine tenant you want to
associate with Panorama.
3. Select Panorama > Device Groups and Add or Edit a device group.
4. Select the Cloud Identity Engine and Add the Cloud Identity Engine tenant you want to
associate with Panorama then click OK.


STEP 9 | Commit your changes and verify that the firewall redirects authentication requests to the
Cloud Authentication Service.
1. On the client device, use the browser to access a webpage that requires authentication.
2. Confirm that the access request redirects to the Cloud Authentication Service.
3. Enter your credentials to log in.


Configure the Cloud Identity Engine as a Mapping Source on the Firewall or Panorama

When you configure the Cloud Identity Engine as a User-ID source, the firewall or Panorama
retrieves the group mapping information from the Cloud Identity Engine. You can then use the
group information from the Cloud Identity Engine to create and enforce group-based security
policy rules. The Cloud Identity Engine retrieves the information for your tenant based on your
device certificate. It also uses the Palo Alto Networks Services service route, so make sure to
allow traffic for this service route or configure a custom service route.

To ensure that the Cloud Identity Engine can successfully retrieve users and groups, all
user or group names must meet the following requirements: the name is case-sensitive and
can have up to 63 characters on the firewall or up to 31 characters on Panorama. It must
be unique and use only letters, numbers, hyphens, and underscores.
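As an added example (not part of the original guide), the following Python script checks a batch of user or group names against the requirements stated above before you reference them in security policy. The sample names are constructed; the length limits and the allowed character set are the ones given in the paragraph above.

```python
import re

# Limits stated on this page: up to 63 characters on the firewall, up to 31 on Panorama.
NAME_LIMITS = {"firewall": 63, "panorama": 31}
# Allowed characters stated on this page: letters, numbers, hyphens and underscores.
_ALLOWED_CHAR = re.compile(r"[A-Za-z0-9_-]")


def check_name(name, target="firewall"):
    """Return the list of problems with one user or group name (empty list if it is acceptable)."""
    if not name:
        return ["empty name"]
    problems = []
    limit = NAME_LIMITS[target]
    if len(name) > limit:
        problems.append(f"{len(name)} characters exceeds the {target} limit of {limit}")
    bad = sorted({c for c in name if not _ALLOWED_CHAR.fullmatch(c)})
    if bad:
        problems.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    return problems


def validate_names(names, target="firewall"):
    """Validate a batch of names from a directory export.

    Returns a list of (name, problems) for every name that fails. Names are
    case-sensitive, so 'Sales' and 'sales' are two distinct, valid names; an
    exact repeat of the same string is reported as a duplicate.
    """
    seen = set()
    failures = []
    for name in names:
        problems = check_name(name, target)
        if name in seen:
            problems.append("duplicate name")
        seen.add(name)
        if problems:
            failures.append((name, problems))
    return failures


# Constructed sample of group names as they might come out of a directory export.
SAMPLE_GROUPS = [
    "Sales",
    "sales",            # differs only in case: a distinct, valid name
    "Domain Admins",    # the space is not an allowed character
    "eng_team-1",
    "eng_team-1",       # exact duplicate
    "x" * 40,           # fine on the firewall, too long for Panorama
]

if __name__ == "__main__":
    for target in ("firewall", "panorama"):
        print(f"--- {target} ---")
        for name, problems in validate_names(SAMPLE_GROUPS, target):
            print(f"{name!r}: {'; '.join(problems)}")
```

Note that Active Directory group names with spaces (for example "Domain Admins") fail the character check, which is the case most often hit in practice, and that the Panorama limit is the stricter one when the same profile is pushed from Panorama.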

STEP 1 | On the firewall, select Device > User Identification > Cloud Identity Engine and Add a
profile.
On Panorama, to configure the Cloud Identity Engine as a User-ID source for managed
devices, select Device > User Identification > Cloud Identity Engine. To configure the Cloud
Identity Engine as a User-ID source for Panorama administrators, select Panorama > User
Identification > Cloud Identity Engine.


STEP 2 | For the Instance, specify each of the following:


• Region—Select the regional endpoint for your tenant.

The region you select must match the region you select when you activate your
Cloud Identity Engine tenant.
• Cloud Identity Engine Instance—If you have more than one tenant, select the tenant you
want to use.
• Domain—Select the domain that contains the directories you want to use.
• Update Interval (min)—Enter the number of minutes that you want the firewall to wait
between updates from the Cloud Identity Engine app to the firewall (also known as a
refresh interval). The default is 60 minutes and the range is 5 to 1440.

STEP 3 | Verify that the profile is Enabled.


STEP 4 | For the User Attributes, select the format for the Primary Username. You can optionally
select the formats for the E-Mail and an Alternate Username. You can configure up to three
alternate username formats if your users log in using multiple username formats.

STEP 5 | For the Group Attributes, select the format for the Group Name.

STEP 6 | For the Device Attributes, select the Endpoint Serial Number.
If you are using GlobalProtect and you have enabled Serial Number Check, select the Endpoint
Serial Number option to allow the Cloud Identity Engine to collect serial numbers from
managed endpoints. The GlobalProtect portal uses this information to check whether the serial
number exists in the directory, which verifies that the endpoint is managed by GlobalProtect.

STEP 7 | Click OK then Commit your changes.

STEP 8 | Configure security policy rules for your users (for example, by specifying one or more users
or groups that the firewall retrieves from the Cloud Identity Engine as the Source User).
The firewall collects attributes only for the users and groups that you use in security policy
rules, not all users and groups in the directory.

STEP 9 | Verify that the firewall has the mapping information from the Cloud Identity Engine.
1. On the client device, use the browser to access a web page that requires authentication.
2. Enter your credentials to log in.
3. On the firewall, use the show user ip-user-mapping all command to verify that
the mapping information is available to the firewall.
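The command in step 3 prints a table. As an added example (not the guide's own tooling), here is a Python parser over a constructed sample of that output which confirms that the test client has a mapping and that the username is written in the form your security policy expects (the Primary Username format selected in STEP 4). The column layout, the From value "CIE" for Cloud Identity Engine mappings, and the "unknown" placeholder are assumptions; compare the header of your firewall's real output before relying on the parser.

```python
# Constructed sample of `show user ip-user-mapping all` output. Column layout, the
# "CIE" source tag and the "unknown" placeholder are assumptions, not taken from the page.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.1.10.25      vsys1  CIE     acme\\jdoe                        2640           2700
10.1.10.31      vsys1  GP      asmith@acme.example              1200           2700
10.1.10.40      vsys1  CIE     unknown                          0              0
Total: 3 users
"""


def parse_mappings(text):
    """Parse the table into a list of dicts; the header, separator and Total lines are skipped."""
    mappings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] == "IP" or parts[0].startswith("-"):
            continue
        ip, vsys, source, user, idle, maxt = parts
        mappings.append({"ip": ip, "vsys": vsys, "from": source, "user": user,
                         "idle_timeout": int(idle), "max_timeout": int(maxt)})
    return mappings


def username_format(user):
    """Classify how the username is written so it can be compared with the Primary
    Username format configured in the Cloud Identity Engine profile."""
    if "\\" in user:
        return "domain\\user"
    if "@" in user:
        return "userPrincipalName"
    return "bare"


def verify_client(mappings, client_ip, expected_format="domain\\user"):
    """Return findings for the test client's IP: no mapping at all, a mapping to the
    unresolved placeholder user, or a username in a form the policy does not expect."""
    rows = [m for m in mappings if m["ip"] == client_ip]
    if not rows:
        return [f"no mapping for {client_ip}"]
    findings = []
    for m in rows:
        fmt = username_format(m["user"])
        if m["user"] == "unknown":
            findings.append(f"{client_ip} mapped to 'unknown' (source {m['from']})")
        elif fmt != expected_format:
            findings.append(f"{client_ip}: user {m['user']!r} is in {fmt} form, "
                            f"policy expects {expected_format}")
    return findings


if __name__ == "__main__":
    mappings = parse_mappings(SAMPLE_OUTPUT)
    for ip in ("10.1.10.25", "10.1.10.31", "10.1.10.40", "10.1.10.99"):
        print(ip, verify_client(mappings, ip) or ["OK"])
```

A mapping whose username is in a different form than the Source User entries in your rules (for example a UPN where the rule names domain\user) silently fails to match policy, so the format check is worth running alongside the plain "is there a mapping" check.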

Troubleshoot the Cloud Identity
Engine
If you are encountering issues with the Cloud Identity Engine, refer to the following topics for
common issues and their solutions.
• Cloud Identity Engine Troubleshooting Checklist
• Troubleshoot Cloud Identity Engine Issues
• Use the Log Viewer for Troubleshooting
• Monitor Cloud Identity Engine Status


Cloud Identity Engine Troubleshooting Checklist


Use the checklist below to troubleshoot general issues such as configuration or connection issues
for the Cloud Identity Engine. After each task, check if the issue still exists before attempting the
next task.
STEP 1 | Confirm that your configuration meets the system requirements.

STEP 2 | Use the Palo Alto Networks services status page (status.paloaltonetworks.com) to confirm
that the Cloud Identity Engine service is active.

STEP 3 | Use the system logs on the firewall associated with your Cloud Identity Engine tenant to
check the Cloud Identity Engine status for any issues.

STEP 4 | (On-premises Active Directory only) Confirm that you have configured your network to allow
Cloud Identity Engine traffic.

STEP 5 | (On-premises Active Directory only) Confirm your configuration is correct.
On the agent host:
• Confirm you have administrator privileges for the agent host so that you can install and
configure the agent.
• Confirm that the Protocol you specify for the agent is supported and enabled on the agent host.
• Close the agent and restart it.
• Clear the DNS cache by entering the following command from an administrative command
prompt: ipconfig /flushdns.
• Confirm the server where you installed the agent meets the system requirements.
On the agent:
• Stop and restart the connection to the Cloud Identity Engine service.
• Confirm that the Bind DN and Bind Password are correct.
• Confirm that the region for the Cloud Identity Engine in your Cloud Identity Configuration
matches the region for your tenant.
• Confirm that the Domain is a fully qualified domain name and the specified Port on the
Active Directory server allows communication with the Cloud Identity agent.
• Try increasing your Bind Timeout and Search Timeout to allow more time for the agent to
connect and the search to complete.
In the app:
• Check the Agents & Certificates page to verify you are using the latest version of the agent.
• Check the Directories and Agents & Certificates pages to confirm the domains the agent is
monitoring are correct.
• Check the Directories page to confirm the NetBIOS Name is not empty. If the NetBIOS Name is
empty, correct the domain name in the Cloud Identity agent and commit your changes. Wait at
least five minutes before using the Directories page to verify the domain name and NetBIOS
name are now correct, then remove the entry for the incorrect domain in the app.

STEP 6 | (On-premises Active Directory only) Check the status of your certificates.
On the agent host:
• If you are using LDAPS or LDAP with STARTTLS, confirm the root and intermediate CA
certificates that were used to issue your domain controller certificates are valid and
available in the Local Computer Trusted Root CA store.
• Confirm that you are not using a certificate that was generated for another tenant and that
the certificate is not used for another agent or service.
• Confirm you have generated a unique certificate in the Cloud Identity Engine app for each
agent and that it is available in the Local Computer certificate store of the agent host.
In the app:
• Check the Agents & Certificates page to verify that the agent has an associated Certificate.
• Check the Agents & Certificates page to verify that the certificate status is not expired or
revoked.

STEP 7 | (On-premises Active Directory only) Confirm all connections are active.
On the agent:
• Check the Cloud Identity Configuration to verify that the agent status is Running.
• Check that the LDAP Configuration is valid and Test Connectivity to AD to confirm the
connection to your Active Directory is active.
• View the Monitoring page to confirm the agent is Connected to the Cloud Identity Engine.
• Check when the Last Update to Cloud Identity Engine was successful to determine the last
time the agent was able to connect to the service.
• Check when the Last LDAP Fetch was successful to determine the last time the agent was able
to connect to your Active Directory.
In the app:
• Check the Directories page for the Sync Status to determine if the last sync between the
agent and the service was successful.
• Check when the attributes were Last Updated by your Active Directory.
• Check the Agents & Certificates page to confirm the agent's Status is Online.

STEP 8 | (Cloud-based directory only) If you are experiencing issues with your cloud-based directory:
• Reconnect your directory to your Cloud Identity Engine tenant.
• Verify your directory credentials are correct.
• Verify that you have granted the permissions that the Cloud Identity Engine requires.

Cloud Identity Engine Getting Started November 2023 371 ©2023 Palo Alto Networks, Inc.
Troubleshoot the Cloud Identity Engine

If you are still encountering issues:


• (On-premises Active Directory only) Use the Cloud Identity agent logs to review the errors
logged by the agent.
• Learn more about how to troubleshoot specific errors.
• Find out how to Get Help.


Troubleshoot Cloud Identity Engine Issues


If you are encountering specific issues when using the Cloud Identity Engine, refer to the
following table for common issues and solutions. If you are still experiencing issues, be
sure to review how to Monitor Cloud Identity Engine Status and the Cloud Identity Engine
Troubleshooting Checklist.

What Do I Do If... / Resolution

Issue: When I click Create to create the SCIM Connector application in the Azure AD Portal, a
"Not found" error displays.
Resolution: Refresh the page and recreate the SCIM Connector application.

Issue: The Azure AD Portal displays that the sync is complete and there is a steady state for the
SCIM Connector, but the user and group count does not display.
Resolution: If the user and group count does not display, the sync is not fully complete. To
resolve the issue, complete the following steps:
1. Verify that the provisioning mappings, scope, and other settings are correct.
2. Restart provisioning and wait for the sync to complete.

Issue: The sync for the SCIM Connector is unable to complete due to duplicate group names.
Resolution: Group names must be unique; resolve the duplicate group names so that they are
unique and Restart provisioning. If you are unable to resolve the duplicate group names and you
don't need data from the duplicate groups or to use them in security policy, you can continue
the setup.

Issue: I checked the status of the agent on the Directories page and the status is "In Progress"
but no groups or OUs are listed.
Resolution: While the domain is being synced, the In Progress status appears on the Directories
page. If this is the first time the Cloud Identity Engine is syncing the domain, the groups and
OUs may take some time to appear. If they do not display, delete then re-create the Cloud
Identity Engine tenant and add the domain(s) again.

Issue: The hub does not redirect to display my Cloud Identity Engine tenants or displays a blank
page.
Resolution: If this issue occurs, contact support (see Get Help).


Use the Log Viewer for Troubleshooting


To troubleshoot authentication issues with identity providers or the firewall, use the Log Viewer
to review messages to the log.

Each authentication phase generates at least two log entries, with the exception of SAML
authentication using multiple CA chains in a certificate type, which generates three log
entries.

STEP 1 | In the Cloud Identity Engine app, select Authentication > Log Viewer.


STEP 2 | To ensure the page displays the latest data, click Apply Search/Refresh.

STEP 3 | Use the Date selector to search based on when the issue occurred.

STEP 4 | Select the number of results you want to Show on each page.

STEP 5 | Select whether you want to display the results in order of Newest first or Newest last.

STEP 6 | Select a Profile to restrict the search results to a specific identity provider (IdP) profile.

STEP 7 | Select the Status you want to display (All Status, Success, or Fail).

STEP 8 | To Search by keyword, enter a search term and Apply Search.


STEP 9 | To view the SAML request and response and the JSON web token (JWT), select the Details
icon for the row that contains the data you want to view.
The log details display, allowing you to review the Data Received by the Cloud Identity Engine
from your IdP and the Data Sent to your IdP. You can use the copy icon to copy the text for
troubleshooting.

STEP 10 | Review the results to look for entries that indicate issues.

STEP 11 | (Optional) Export the results as a .CSV file.
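The JWT shown in the log details is a compact, base64url-encoded token. As an added example (not from the guide or the Cloud Identity Engine itself), this Python code decodes a token to read its claims, flags the claim problems that most often explain a failed login (wrong issuer or audience, expired or not-yet-valid token), and shows a signature check that refuses the "none" algorithm. The page does not state which signing algorithm the Cloud Identity Engine uses; the sample token is constructed here with HS256 and a made-up shared secret so the example runs offline, and the issuer, audience and subject values are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(data):
    """Base64url decode, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token):
    """Return (header, payload) WITHOUT checking the signature: enough to read the
    claims while troubleshooting, never enough to trust them."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def claim_issues(payload, expected_aud, expected_iss, now=None):
    """List the claim problems that usually explain a failed authentication."""
    now = time.time() if now is None else now
    issues = []
    if payload.get("iss") != expected_iss:
        issues.append(f"issuer {payload.get('iss')!r} != {expected_iss!r}")
    aud = payload.get("aud")
    if not (aud == expected_aud or (isinstance(aud, list) and expected_aud in aud)):
        issues.append(f"audience {aud!r} does not include {expected_aud!r}")
    if "exp" in payload and now >= payload["exp"]:
        issues.append("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        issues.append("token not yet valid")
    return issues


def verify_hs256(token, key):
    """Constant-time HMAC-SHA256 check. Any other alg, including 'none', is rejected
    rather than trusted on the token's own say-so."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def make_hs256(header, payload, key):
    """Build the constructed sample token; real tokens are copied from the Log Viewer."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


# Constructed sample: the key, issuer, audience and subject are placeholders, not real values.
SAMPLE_KEY = b"constructed-shared-secret"
SAMPLE_TOKEN = make_hs256(
    {"alg": "HS256", "typ": "JWT"},
    {"iss": "https://idp.example", "aud": "cloud-identity-engine",
     "sub": "jdoe@acme.example", "iat": 1700000000, "exp": 1700003600},
    SAMPLE_KEY,
)

if __name__ == "__main__":
    header, payload = decode_jwt(SAMPLE_TOKEN)
    print("header:", header)
    print("claims:", payload)
    print("issues:", claim_issues(payload, "cloud-identity-engine", "https://idp.example", now=1700001000))
    print("signature valid:", verify_hs256(SAMPLE_TOKEN, SAMPLE_KEY))
```

When reading a token out of the Log Viewer, decode it to compare iss, aud, exp and the subject against what the IdP profile and the firewall expect; a token that decodes cleanly but whose signature you cannot verify against the right key is still untrusted input.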


Monitor Cloud Identity Engine Status


The firewall that you associate with your Cloud Identity Engine tenant checks the Cloud Identity
Engine daily for any errors or issues (for example, an expired certificate or a missing identity
provider profile).
The firewall logs any errors that it detects in the system logs using the event type cas-message.
If you encounter issues with your Cloud Identity Engine, be sure to review the system logs on
your firewall to help troubleshoot the issue.
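As an added example (not part of the guide), this Python code parses system-log lines forwarded by syslog in the PAN-OS CSV format and pulls out the cas-message entries at or above a chosen severity, which is what you want to watch after the firewall's daily check. The sample lines and their descriptions are constructed, and the field positions are my reading of the PAN-OS system-log syslog layout, so confirm them against your PAN-OS version. In the firewall web interface the equivalent filter under Monitor > Logs > System would be (eventid eq cas-message); that filter syntax is an assumption to check on your version as well.

```python
import csv
import io

# Field positions (0-based) of the PAN-OS system-log syslog CSV layout as assumed here:
# 1 receive time, 2 serial, 3 type, 4 subtype, 6 generated time, 7 vsys, 8 event id,
# 12 module, 13 severity, 14 description. Verify against your PAN-OS version.
FIELDS = {"receive_time": 1, "serial": 2, "type": 3, "subtype": 4, "generated_time": 6,
          "vsys": 7, "eventid": 8, "module": 12, "severity": 13, "description": 14}

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample lines; the descriptions are invented to look like Cloud Identity
# Engine findings and are not real PAN-OS messages.
SAMPLE_SYSLOG = """\
1,2023/11/15 08:00:12,001234567890,SYSTEM,userid,0,2023/11/15 08:00:12,,cas-message,,0,0,general,high,"Cloud Identity Engine: certificate for tenant expires in 3 days",1001,0x0
1,2023/11/15 08:00:13,001234567890,SYSTEM,general,0,2023/11/15 08:00:13,,general,,0,0,general,informational,"Commit job succeeded",1002,0x0
1,2023/11/15 09:00:00,001234567890,SYSTEM,userid,0,2023/11/15 09:00:00,,cas-message,,0,0,general,critical,"Cloud Identity Engine: identity provider profile not found, check Authentication profile",1003,0x0
1,2023/11/15 09:05:00,001234567890,SYSTEM,userid,0,2023/11/15 09:05:00,,cas-message,,0,0,general,informational,"Cloud Identity Engine: daily status check completed",1004,0x0
"""


def parse_system_log(text):
    """Parse syslog CSV lines into dicts; rows too short for the fields we need are skipped.
    csv.reader handles the quoted Description field, which may itself contain commas."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) <= max(FIELDS.values()):
            continue
        records.append({name: row[idx] for name, idx in FIELDS.items()})
    return records


def cie_findings(records, min_severity="high"):
    """Return the cas-message records at or above a severity, oldest first: the
    problems the firewall's daily Cloud Identity Engine check reported."""
    threshold = SEVERITY_RANK[min_severity]
    hits = [r for r in records
            if r["type"] == "SYSTEM" and r["eventid"] == "cas-message"
            and SEVERITY_RANK.get(r["severity"], -1) >= threshold]
    return sorted(hits, key=lambda r: r["generated_time"])


if __name__ == "__main__":
    for r in cie_findings(parse_system_log(SAMPLE_SYSLOG)):
        print(r["generated_time"], r["severity"], r["description"])
```

Because the firewall only runs the check once a day, an expiring certificate or a removed IdP profile can sit unnoticed for up to 24 hours; forwarding these events to a SIEM and alerting on high and critical cas-message entries closes that gap.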

Get Help
The following topics provide information on where to find more about this release and how to
request support:
• Related Documentation
• Request Support


Related Documentation
For more detailed information on how to use the Cloud Identity Engine, refer to the Cloud
Identity Engine Getting Started Guide. For help with other Palo Alto Networks products, refer to
the following documentation on the Technical Documentation portal or search the documentation
for more information on our products:
• Cloud Identity Engine Release Notes—Provides information about recent changes to the Cloud
Identity Engine, including system requirements and known issues.
• Cloud Identity Agent Help—Provides guidance on the user interface for the Cloud Identity
agent.
• Cortex Documentation—Learn how to extend the next-generation security platform into the
cloud for simplified deployment and reduced infrastructure and operational overhead.
• Prisma Access—Learn more about using Prisma Access with the Cloud Identity Engine to easily
implement user-based security policy and decryption.
• Hub Getting Started Guide—Read the Getting Started Guide to learn how to use the hub to
activate and access your hub apps and services.


Request Support
For contacting support, for information on support programs, to manage your account or devices,
or to open a support case, refer to https://support.paloaltonetworks.com.
You can also use the Palo Alto Networks® Contact Information as needed.
To provide feedback on the documentation, please write to us at:
documentation@paloaltonetworks.com.

Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
https://www.paloaltonetworks.com/company/contact-support
Palo Alto Networks, Inc.
www.paloaltonetworks.com

