Learn About the Cloud Identity Engine

The Cloud Identity Engine (CIE) provides user identification and user authentication for centralized cloud-based identity management in on-premise, cloud, or hybrid network environments. [PCNSA/PCNSE] CIE allows security policy creation based on users and groups instead of IP addresses, enhancing security through behavior-based actions.

CIE simplifies configuring identity sources into a single, unified source, allowing scalability. By continually syncing information from directories (on-premise, cloud-based, or hybrid), it ensures user information is accurate and up-to-date. [PCNSA/PCNSE] Policy enforcement continues based on mappings even if the cloud identity provider is temporarily unavailable. Data management details are in the Cloud Identity Engine Privacy Datasheet.

Palo Alto Networks cloud-based applications and services need directory information for policy or event context. CIE provides read-only access to this information.

[GOTCHA] CIE deployment components vary based on directory location (on-premises vs. cloud-based).

The authentication component allows configuring SAML 2.0-compliant identity providers (IdPs) or client certificates. When configured with an Authentication policy and Authentication Portal on a Palo Alto Networks firewall, users must log in before accessing resources.

Configure Your Network to Allow Cloud Identity Agent Traffic

Allow traffic based on your region and deployment type.

We strongly recommend configuring TLS 1.3 for all Cloud Identity Engine traffic. Agents v1.7.0 and later use the latest TLS version by default.
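A quick way to confirm that the path from an agent host to a regional endpoint actually offers TLS 1.3 (and that the endpoint certificate validates against the host's trust store) is a small handshake probe. The following is an added example in Python, not Palo Alto Networks code: it refuses anything below the requested minimum version, so a failed handshake means the path (a proxy or middlebox, typically) does not support TLS 1.3. The hostname is the US endpoint from the regional table later on this page; port 443 is an assumption.

```python
import socket
import ssl

# US regional agent configuration endpoint from the table on this page;
# the TCP port is an assumption for this example.
ENDPOINT = "agent-directory-sync.us.paloaltonetworks.com"
PORT = 443


def make_context(minimum=ssl.TLSVersion.TLSv1_3):
    """Client context that refuses anything below `minimum` and validates the
    server certificate against the OS trust store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    ctx.minimum_version = minimum
    return ctx


def context_minimum_name(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def enforces_verification(ctx):
    """True when the context validates the peer certificate and its hostname."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def probe_tls(host, port=PORT, minimum=ssl.TLSVersion.TLSv1_3, timeout=5.0):
    """Connect, complete the handshake and report what was negotiated.

    Returns (ok, detail). ok is False when the handshake fails: with a TLS 1.3
    minimum that means the path does not offer TLS 1.3, or the certificate did
    not validate; detail carries the negotiated version or the error text.
    """
    ctx = make_context(minimum)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return True, {
                    "version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "subject_cn": subject.get("commonName"),
                }
    except (ssl.SSLError, OSError) as exc:
        return False, {"error": str(exc)}


if __name__ == "__main__":
    ok, detail = probe_tls(ENDPOINT)
    print("OK" if ok else "FAILED", detail)
```

Run it from the agent host itself (and through the proxy, if one is configured) so the probe exercises the same network path the agent will use.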

Configure Domains for the Cloud Identity Engine

On-Premises Active Directory Domains

[PCNSA/PCNSE] A single Cloud Identity agent can communicate with multiple domains. The service account needs query permissions for all configured domains. Configure multiple domain controllers per domain for redundancy.

For agent redundancy, configure multiple agents per domain. Install agents physically near their target domain controllers.

[GOTCHA] To obtain cross-domain group memberships, configure all relevant domains on the agent(s). Use LDAP (port 389) or LDAPS (port 636). Do not configure the agent to use Global Catalog ports (3268/3269).

Azure Active Directory Domains

[GOTCHA] Ensure Azure AD has no circular group references (a group being a direct/indirect member of itself). CIE automatically removes these during sync, but memberships might be computed incorrectly. Manually remove circular references for best results.
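The gotcha above can be checked before a sync runs. The following added Python example (not part of the page or of CIE) walks a constructed group-nesting map, reports every circular reference, and shows why a cycle makes membership come out wrong: expanding Finance through the cycle makes Finance a transitive member of itself. The group names and nesting are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: group -> direct member groups (user members omitted).
# "Finance" -> "Finance-Leads" -> "All-Staff" -> "Finance" is a circular reference;
# "Self-Member" directly contains itself.
SAMPLE_GROUPS = {
    "All-Staff": ["Finance", "Engineering"],
    "Finance": ["Finance-Leads"],
    "Finance-Leads": ["All-Staff"],
    "Engineering": ["Platform"],
    "Platform": [],
    "Self-Member": ["Self-Member"],
}


def find_circular_references(groups):
    """Return every cycle in the group-nesting graph as an ordered list of names.

    Iterative depth-first search with white/grey/black colouring: a member that
    is still grey is on the current path, so the edge back to it closes a cycle.
    Each cycle is reported once, from the first group on it that the walk reached.
    """
    WHITE, GREY, BLACK = 0, 1, 2
    colour = defaultdict(int)
    cycles = []

    def dfs(root):
        stack = [(root, iter(groups.get(root, ())))]
        path = [root]
        colour[root] = GREY
        while stack:
            node, children = stack[-1]
            for child in children:
                if colour[child] == GREY:
                    cycles.append(path[path.index(child):] + [child])
                elif colour[child] == WHITE:
                    colour[child] = GREY
                    path.append(child)
                    stack.append((child, iter(groups.get(child, ()))))
                    break
            else:  # all members of `node` visited
                colour[node] = BLACK
                path.pop()
                stack.pop()

    for name in groups:
        if colour[name] == WHITE:
            dfs(name)
    return cycles


def transitive_member_groups(groups, group):
    """All groups nested (directly or indirectly) under `group`.

    The visited set keeps the expansion finite even with a cycle present, but
    the result is then wrong in the way the text warns about: a group on the
    cycle ends up as a member of itself.
    """
    seen, todo = set(), list(groups.get(group, ()))
    while todo:
        g = todo.pop()
        if g in seen:
            continue
        seen.add(g)
        todo.extend(groups.get(g, ()))
    return seen


if __name__ == "__main__":
    for cycle in find_circular_references(SAMPLE_GROUPS):
        print("circular reference:", " -> ".join(cycle))
    print("Finance expands to:", sorted(transitive_member_groups(SAMPLE_GROUPS, "Finance")))
```

On a real tenant the input map would be built from the group membership data exported from the directory; the detection itself does not change.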

Manage Cloud Identity Engine App Roles

[PCNSA] App roles define user privileges within the CIE app. Configure roles via Common Services > Identity & Access.

Role: Description
View Only Administrator: Views all tenant data, including detailed AD data.
Deployment Administrator: Deployment functions plus view-only access to everything else. Cannot view detailed AD data.
MSP Superuser: Full view/edit privileges for all tenants in a multitenant hierarchy (unrestricted MSP portal access).
Superuser: Full view/edit privileges system-wide, including all other roles' privileges. Use cautiously.

[GOTCHA] If a user has multiple roles, they receive the combined highest privileges (e.g., View Only + Deployment Administrator = Superuser privileges).

Configure the Cloud Identity Engine Visibility Scope

Visibility Scope controls which firewalls can see and connect to specific CIE tenants, useful for isolating devices within Tenant Service Groups (TSGs) under a single Customer Support Portal (CSP) account.

Example (from the diagram):

[Image: Visibility Scope Diagram]

In the diagram, CSP_1 contains TSG_1 and TSG_2. Firewall_1 is in TSG_1 and Firewall_2 is in TSG_2. The tenant for TSG_1 uses CSP scope; the tenant for TSG_2 uses TSG scope. Result: Firewall_1 (in TSG_1) can see only the tenant for TSG_1, because TSG_2's tenant is restricted to firewalls in TSG_2. Firewall_2 (in TSG_2) can see *both* tenants: TSG_1's tenant uses CSP scope (visible to every firewall under CSP_1), and TSG_2's tenant is visible because Firewall_2 is in TSG_2.
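To make the scope rule concrete, here is an added Python model (not Palo Alto Networks code) of how a firewall's visible tenants are resolved: a CSP-scoped tenant is visible to every firewall under the same CSP account, a TSG-scoped tenant only to firewalls in its own TSG. The tenant, TSG and firewall names reproduce the diagram; Firewall_3 under a second CSP account is a constructed extra case showing that CSP scope never crosses accounts.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tenant:
    name: str
    tsg: str    # TSG the tenant was created in
    csp: str    # CSP account that owns that TSG
    scope: str  # "CSP" or "TSG"


@dataclass(frozen=True)
class Firewall:
    name: str
    tsg: str
    csp: str


def visible_tenants(firewall, tenants):
    """Names of the tenants `firewall` may see and connect to, in input order."""
    visible = []
    for tenant in tenants:
        if tenant.scope == "CSP":
            ok = tenant.csp == firewall.csp
        elif tenant.scope == "TSG":
            ok = tenant.csp == firewall.csp and tenant.tsg == firewall.tsg
        else:
            raise ValueError(f"unknown scope type {tenant.scope!r} on {tenant.name}")
        if ok:
            visible.append(tenant.name)
    return visible


# Constructed to match the diagram in the text
TENANTS = [
    Tenant("Tenant for TSG_1", tsg="TSG_1", csp="CSP_1", scope="CSP"),
    Tenant("Tenant for TSG_2", tsg="TSG_2", csp="CSP_1", scope="TSG"),
]
FIREWALL_1 = Firewall("Firewall_1", tsg="TSG_1", csp="CSP_1")
FIREWALL_2 = Firewall("Firewall_2", tsg="TSG_2", csp="CSP_1")
# Extra constructed case: a firewall under a different CSP account
FIREWALL_3 = Firewall("Firewall_3", tsg="TSG_9", csp="CSP_2")

if __name__ == "__main__":
    for fw in (FIREWALL_1, FIREWALL_2, FIREWALL_3):
        print(fw.name, "sees", visible_tenants(fw, TENANTS) or "nothing")
```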

Configuration Steps:

  1. Log in to CIE and select Settings.
     [Image: CIE Settings page]
  2. Select the Scope Type: TSG or CSP.
     [GOTCHA] If using Panorama to manage Prisma Access in the same TSG as CIE, and you select TSG scope, you *must* associate Panorama with CIE.
     [Image: Selecting Scope Type]
  3. Save the changes.
     [Image: Saving Scope Type]

Set Up the Cloud Identity Engine

After activation, follow these high-level steps:

  1. Choose Directory Type: On-Premises (AD/OpenLDAP) or Cloud-Based (Azure AD, Okta, Google).
  2. Configure Directory: Install agent (if on-prem) or grant permissions (if cloud).
  3. Authenticate Users (Optional): Configure SAML IdPs or Client Certificates. Set up Authentication Profiles. Configure on Firewall/Panorama.
  4. Associate with Apps: Share CIE data with other Palo Alto Networks apps (if using support account view).
  5. Manage CIE App: Create/manage tenants, attributes, etc.

Association (Step 4) is generally not needed if using the Tenant Account View in the hub.

Configure an On-Premises Directory

Requires installing the Cloud Identity agent on a Windows server. The agent communicates with the on-prem directory (AD or OpenLDAP) and the Cloud Identity Engine.

Install the Cloud Identity Agent

[CRITICAL] Verify the agent host server time is correct and synced via NTP before installation. Incorrect time can cause sync failures.

Ensure the Windows host meets system requirements and has TLS 1.2/1.3 enabled (install OS update if needed).

[GOTCHA] Do not install the Cloud Identity agent on the same host as the User-ID agent (port conflict). Use dedicated hosts.

[GOTCHA] If installing on the same host as the Terminal Server (TS) agent, change the default listening port on the TS agent.

Installation Steps:

  1. Log in to the hub and select the Cloud Identity Engine app.
  2. Navigate to Directories > Add New Directory.
     [Image: Add New Directory button]
  3. Click Set Up under On-Premises Directory.
     [Image: Choosing On-Premises Directory]
  4. Click Download Agent.
     [Image: Download Agent button]
  5. Run the downloaded DaInstall.msi on the chosen Windows server.
  6. Follow the installation wizard prompts.
  7. Navigate to the installation directory (default: C:\Program Files (x86)\Palo Alto Networks\Cloud Identity Agent\).
  8. Double-click CloudIdAgentController.exe to launch the agent configuration tool.

Starting the agent controller also starts the background CIE service on the host.

Next Steps: Configure the agent and authenticate it with CIE.

Configure the Cloud Identity Agent

[GOTCHA] Avoid first-time agent configuration during the daily CRL reload time (9:00-10:00 PM CDT/CEST). If initial sync fails during this window, wait and re-sync.

[PCNSA/PCNSE] The agent needs configuration for both the directory connection and the CIE connection. OpenLDAP requires specific attributes.

The service account needs minimum permissions for LDAP bind requests.

Configuration Steps:

  1. Ensure network traffic is allowed (see "Configure Your Network to Allow Cloud Identity Agent Traffic").
  2. [CRITICAL] Install the CA certificate (the one used to sign the directory server's certificate) in the Local Computer Trusted Root CA store on the agent host if it is not already present. Required for LDAPS/STARTTLS.
  3. Launch the Cloud Identity agent controller (Start > Palo Alto Networks > Cloud Identity Agent). [GOTCHA] Do not manually edit agent config files.
  4. Under Cloud Identity Configuration, enter the agent configuration endpoint for your CIE tenant region.
     [Image: Agent Cloud Identity Configuration]

     Regional agent configuration endpoints:

     United States (US): agent-directory-sync.us.paloaltonetworks.com
     European Union (EU): agent-directory-sync.eu.paloaltonetworks.com
     United Kingdom (UK): agent-directory-sync.uk.paloaltonetworks.com
     Singapore (SG): agent-directory-sync.sg.paloaltonetworks.com
     Canada (CA): agent-directory-sync.ca.apps.paloaltonetworks.com
     Japan (JP): agent-directory-sync.jp.apps.paloaltonetworks.com
     Australia (AU): agent-directory-sync.au.apps.paloaltonetworks.com
     Germany (DE): agent-directory-sync.de.apps.paloaltonetworks.com
     United States - Government: agent-directory-sync.gov.apps.paloaltonetworks.com
     India (IN): agent-directory-sync.in.apps.paloaltonetworks.com
     Switzerland (CH): agent-directory-sync.ch.apps.paloaltonetworks.com
     Spain (ES): agent-directory-sync.es.apps.paloaltonetworks.com
     Italy (IT): agent-directory-sync.it.apps.paloaltonetworks.com
     France (FR): agent-directory-sync.fr.apps.paloaltonetworks.com
     China (CN): agent-directory-sync.cn.apps.prismaaccess.cn (region-specific access)
     Poland (PL): agent-directory-sync.pl.apps.paloaltonetworks.com
     Qatar (QA): agent-directory-sync.qa.apps.paloaltonetworks.com
     Taiwan (TW): agent-directory-sync.tw.apps.paloaltonetworks.com
     Israel (IL): agent-directory-sync.il.apps.paloaltonetworks.com
     Indonesia (ID): agent-directory-sync.id.apps.paloaltonetworks.com
     South Korea (KR): agent-directory-sync.kr.apps.paloaltonetworks.com
     Saudi Arabia (SA): agent-directory-sync.sa.apps.paloaltonetworks.com
  5. (Optional) If using a proxy (requires agent v1.7.1 or later), enter the proxy server IP and port (e.g., 192.168.1.100:8080).
  6. Under LDAP Configuration:
     [Image: Agent LDAP Configuration]
    1. Enter the service account Bind DN (e.g., CN=admin,OU=IT,DC=domain1,DC=example,DC=com). If needed, run dsquery user -name <username> on the AD server to find it.
    2. Enter the Bind Password (stored encrypted in the Windows credential store).
    3. Select the Protocol: LDAP (port 389, unencrypted), LDAPS (port 636, SSL, the default, requires the CA cert), or LDAP with STARTTLS (port 389, TLS, requires the CA cert).
    4. Verify the Bind Timeout (default 30 s).
    5. Verify the Search Timeout (default 15 s).
  7. Click Add to configure your directory server(s).
     [Image: Adding a Directory Server]
    1. (Optional) Enter a directory Name.
    2. Enter the FQDN for the Domain (up to 20 domains per agent).
    3. Enter the IP or FQDN for the Network Address.
    4. (Optional) Enter the Port. [GOTCHA] Do not use Global Catalog ports (3268/3269). Defaults: 636 (LDAPS), 389 (LDAP/STARTTLS).
    5. (Required for OpenLDAP) Enter the Base DN (e.g., DC=example,DC=com).
       [Image: Base DN configuration]
    6. Select the directory Type: Active Directory or OpenLDAP. (OpenLDAP requires the group objectClass groupOfUniqueNames.)
    7. (Optional but recommended) Click Test Connectivity to Directory.
    8. Click OK. [GOTCHA] Adding a directory triggers a full sync attempt for *all* domains on the agent, so ensure all of them are active.
  8. Click Commit to apply the changes and restart the agent.
  9. Verify the connection in the CIE app (Directories tab) by checking the domain status, sync status, last sync time, and object counts.
  10. (Recommended) Configure additional agents for the same domain for High Availability (HA). [PCNSA/PCNSE] HA requires identical configuration on multiple agents pointing to the same domain/tenant. CIE communicates with only one agent at a time.
  11. (Optional) Automate bind password rotation using the CLI: CloudIdAgentCLI.exe ldap_bind_password:<password>. Escape special characters as required by your shell.
      [Image: CLI Password Example]
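The constraints in the steps above (no Global Catalog ports, a CA certificate for LDAPS/STARTTLS, a Base DN for OpenLDAP, at most 20 domains, a well-formed Bind DN) are the kind of thing worth checking in a change-review script before the Commit. The following is an added Python example, not part of the agent or of this page: it validates a plain dictionary describing the intended agent configuration and returns findings. The dictionary layout and the host names in the two sample configurations are constructed for the example.

```python
import re

# Constraints stated in the agent configuration steps above
GLOBAL_CATALOG_PORTS = {3268, 3269}
DEFAULT_PORTS = {"LDAP": 389, "LDAPS": 636, "STARTTLS": 389}
MAX_DOMAINS_PER_AGENT = 20
VALID_TYPES = ("Active Directory", "OpenLDAP")
DN_COMPONENT = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*=[^,]+\s*$")


def looks_like_dn(value):
    """Loose check that a string is a comma-separated list of attr=value parts."""
    return bool(value) and all(DN_COMPONENT.match(p) for p in value.split(","))


def check_agent_config(cfg):
    """Return (severity, message) findings for an agent configuration dict.

    ERROR findings mirror settings the steps say will not work (Global Catalog
    ports, no CA certificate for LDAPS/STARTTLS, OpenLDAP without a Base DN);
    WARN findings are weaker choices that still function.
    """
    findings = []
    ldap = cfg.get("ldap", {})
    if not looks_like_dn(ldap.get("bind_dn", "")):
        findings.append(("ERROR", "bind_dn is not a DN (expected e.g. CN=svc,OU=IT,DC=example,DC=com)"))
    proto = ldap.get("protocol", "LDAPS")
    if proto not in DEFAULT_PORTS:
        findings.append(("ERROR", f"unknown protocol {proto!r}; use LDAP, LDAPS or STARTTLS"))
        return findings
    if proto in ("LDAPS", "STARTTLS") and not cfg.get("ca_cert_in_trusted_root", False):
        findings.append(("ERROR", f"{proto} selected but the directory CA certificate is not in the "
                                  "Local Computer Trusted Root CA store on the agent host"))
    if proto == "LDAP":
        findings.append(("WARN", "plain LDAP sends the bind credentials unencrypted; prefer LDAPS or STARTTLS"))
    for key in ("bind_timeout", "search_timeout"):
        if ldap.get(key, 1) <= 0:
            findings.append(("ERROR", f"{key} must be a positive number of seconds"))
    servers = cfg.get("servers", [])
    if not servers:
        findings.append(("ERROR", "no directory servers configured"))
    domains = {s["domain"].lower() for s in servers}
    if len(domains) > MAX_DOMAINS_PER_AGENT:
        findings.append(("ERROR", f"{len(domains)} domains configured; an agent supports at most "
                                  f"{MAX_DOMAINS_PER_AGENT}"))
    for s in servers:
        label = f"{s['domain']} @ {s['address']}"
        port = s.get("port") or DEFAULT_PORTS[proto]   # empty port = protocol default
        if port in GLOBAL_CATALOG_PORTS:
            findings.append(("ERROR", f"{label}: port {port} is a Global Catalog port; "
                                      f"use {DEFAULT_PORTS[proto]} for {proto}"))
        if s.get("type") not in VALID_TYPES:
            findings.append(("ERROR", f"{label}: type must be one of {VALID_TYPES}"))
        elif s["type"] == "OpenLDAP" and not looks_like_dn(s.get("base_dn", "")):
            findings.append(("ERROR", f"{label}: OpenLDAP requires a Base DN (e.g. DC=example,DC=com)"))
    return findings


def errors(findings):
    """Just the messages that would stop the sync from working."""
    return [msg for level, msg in findings if level == "ERROR"]


# Constructed sample configurations (hosts and account names are made up)
GOOD_CONFIG = {
    "ca_cert_in_trusted_root": True,
    "ldap": {"bind_dn": "CN=svc-cie,OU=IT,DC=domain1,DC=example,DC=com",
             "protocol": "LDAPS", "bind_timeout": 30, "search_timeout": 15},
    "servers": [{"domain": "domain1.example.com", "address": "dc1.domain1.example.com",
                 "port": None, "type": "Active Directory"}],
}
BAD_CONFIG = {
    "ca_cert_in_trusted_root": False,
    "ldap": {"bind_dn": "svc-cie", "protocol": "LDAPS", "bind_timeout": 30, "search_timeout": 15},
    "servers": [{"domain": "domain1.example.com", "address": "10.0.0.5",
                 "port": 3268, "type": "Active Directory"},
                {"domain": "ldap.example.org", "address": "ldap.example.org",
                 "port": 636, "type": "OpenLDAP", "base_dn": ""}],
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_agent_config(cfg) or "passes")
```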

Next Steps: Authenticate the agent, configure logging, or set up user authentication.

Authenticate the Agent and the Cloud Identity Engine

[PCNSA/PCNSE] Agent and CIE use mutual certificate authentication over TLS. A valid certificate is required for the agent to connect.

Generate a certificate in the CIE app and import it to the agent host's Local Computer Personal certificate store.

Certificates expire every three months. Agent v1.5.0+ auto-renews before expiry.

[GOTCHA] Each agent requires a unique certificate for a specific tenant. Do not share certificates between agents. Limit of 5 unused and 100 total certificates per tenant.

Certificate Generation Steps (within CIE Agent Setup):

  1. Enter a unique Certificate Name (5-128 alphanumeric characters).
  2. Create and re-enter a secure Password (12-25 characters). This password is needed when importing the certificate onto the agent host.
  3. Click Download Certificate.
     [Image: Download Certificate]
  4. Import the downloaded certificate into the Local Computer > Personal > Certificates store on the agent host server.

After successful authentication, the agent sends directory attributes to CIE, which shares them with associated Palo Alto Networks apps.

Next Steps: Manage the CIE app or the agent.

Configure a Cloud-Based Directory

Configure cloud directories like Azure AD, Okta, or Google Directory to communicate with CIE. No agent installation is required for cloud directories.

SCIM provisioning can be used with Azure AD to customize attribute collection, but standard integration methods (Auth Code Flow, Client Credential Flow) are also available.

Configure Azure Active Directory

Allows CIE to collect Azure AD attributes for user identification and policy enforcement.

[PCNSA/PCNSE] Requires specific Azure AD roles: Application Administrator or Cloud Application Administrator. Global Administrator role is needed *only* for the initial setup using the CIE Enterprise App method.

Alternatives: Client Credential Flow (uses service account, recommended for security), SCIM Connector (custom attribute selection, syncs every ~40 min), or Group Filtering (syncs every ~5 min).

Default Azure AD Sync Schedule: Users/Groups/Devices sync on changes. Apps sync up to every 3 hours. Role Assignments sync up to every 24 hours.

Configure Azure Using the CIE Enterprise App (Recommended)

  1. In the Azure portal, go to Azure AD > Overview and copy the Directory (tenant) ID.
     [Image: Azure Directory ID]
  2. In the CIE app, go to Directories > Add New Directory, select Azure, and click Set Up.
     [Images: CIE Add Azure Directory; CIE Set Up Azure]
  3. (Optional) Select additional information to collect:
    • Collect user risk information from Azure AD Identity Protection: for dynamic user groups based on risk. Requires the IdentityRiskyUser.Read.All and IdentityRiskEvent.Read.All permissions.
      [Image: Collect User Risk Info]
    • Collect Roles and Administrators: retrieves role assignments. Requires Directory.Read.All or RoleManagement.Read.Directory. (Enabled by default if associated with Cortex XDR.)
      [Image: Collect Roles Info]
    • Collect enterprise applications: displays app data in CIE. Requires Application.Read.All. Deselect if not needed, to reduce sync time.
      [Image: Collect Enterprise Apps Info]
    [GOTCHA] Enabling options may require reconnecting the directory to grant new permissions. Do not revoke required permissions in Azure after setup.
  4. Configure the Azure information in CIE:
    1. Paste the copied Directory ID.
       [Image: Enter Directory ID]
    2. Click Generate URL, copy the CIE Enterprise App onboarding URL, and open it in a new tab.
       [Image: Generate Onboarding URL]
    3. Sign in to Azure with a Global Administrator account.
       [Images: Azure Sign In Prompt 1; Azure Sign In Prompt 2]
    4. Click Accept to grant the required permissions (Device.Read.All, Group.Read.All, User.Read.All, User.Read, plus any selected optional permissions).
       [Image: Azure Permissions Consent]
    5. In CIE, click Test Connection.
       [Image: Test Connection Button]
    6. (Optional) Enter a custom Directory Name for display within CIE. [GOTCHA] If collecting from both on-prem AD and Azure AD for the *same domain* in the *same CIE tenant*, customize the Azure AD name (e.g., add `.aad`). Ensure this name matches in associated apps such as Cortex XDR.
       [Images: Customize Directory Name; Directory Name Detail]
  5. (Optional) Configure Group Filtering (an alternative to SCIM that gives faster syncs):
    • Upload CSV: upload a CSV file of group Names or Unique Identifiers, and choose Update or Replace mode.
      [Images: Upload CSV Filter; Upload CSV Dialog 1; Upload CSV Dialog 2; Upload CSV Dialog 3]
    • Manual Filter: select Filter Azure Active Directory Groups, choose the attribute (Name or Unique ID) and operator (begins with or is equal to), and enter a value. Add more filters combined with OR/AND logic.
      [Images: Filter Groups Toggle; Filter Attribute Selection; Filter Operator Selection; Filter Value Input; Filter Value Example; Add Filter Button; Additional Filter Example; Completed Filter Example]
  6. Click Submit. Verify the directory information on the Directories page.

Configure Azure Using the Client Credential Flow

Uses a service account for Azure AD connection, enhancing security. Recommended over the Enterprise App flow if Global Admin permissions are a concern long-term.

[GOTCHA] If this is the first CIE tenant setup, the CIE app won't be in the Azure gallery; you must create a custom app registration.

  1. Grant the required permissions in the Azure portal:
    1. Go to Azure AD > App registrations > New registration.
       [Image: Azure App Registration New]
    2. Enter a Name and click Register.
       [Image: Register Application]
    3. Go to API permissions > Add a permission > Microsoft Graph > Application permissions.
       [Images: Add API Permission; Select Application Permissions]
    4. Select the minimum required permissions: Device.Read.All, GroupMember.Read.All, User.Read.All. (Alternatively, simpler but broader: Directory.Read.All, Organization.Read.All.) Add optional permissions if needed (user risk, roles, enterprise apps). Click Add permissions.
    5. Click Grant admin consent for [DirectoryName] and confirm.
       [Images: Grant Admin Consent Button; Confirm Grant Consent]
  2. Collect the configuration information from the Azure portal:
    1. Go to the app registration > Certificates & secrets > New client secret.
       [Image: New Client Secret Button]
    2. Enter a Description, choose an Expiry, and click Add. [GOTCHA] Note the expiry date. You must renew the secret before it expires and update CIE.
       [Image: Add Client Secret Dialog]
    3. [CRITICAL] Copy the secret Value immediately and store it securely. It is shown only once.
       [Image: Copy Client Secret Value]
    4. Go to Overview and copy the Application (client) ID and the Directory (tenant) ID.
       [Images: Copy Application (client) ID; Copy Directory (tenant) ID]
  3. Add or configure the Azure AD directory in CIE:
    1. Go to Directories > Add New Directory, select Azure, and click Set Up (or select Actions > Reconnect for an existing directory).
       [Image: Add/Reconnect Azure in CIE]
    2. Select Connection Flow: Client Credential Flow.
    3. (Optional) Select additional information to collect (user risk, roles, enterprise apps). Grant the corresponding permissions in Azure if selected.
       [Images: Select User Risk (Client Cred Flow); Select Roles (Client Cred Flow); Select Apps (Client Cred Flow)]
    4. Enter the IDs copied from Azure:
      • Azure Directory (tenant) ID -> CIE Directory ID
      • Azure Application (client) ID -> CIE Client ID
      [Image: Enter IDs (Client Cred Flow)]
    5. Enter the secret Value copied from Azure as the CIE Client Secret.
    6. [CRITICAL] Click Test Connection. It must succeed.
       [Image: Test Connection (Client Cred Flow)]
    7. (Optional) Customize the Directory Name.
       [Image: Customize Name (Client Cred Flow)]
    8. (Optional) Configure Group Filtering (see the steps in the Enterprise App section).
       [Images: Filter Groups (Client Cred Flow); Filter Operator (Client Cred Flow); Filter Value (Client Cred Flow); Add Filter (Client Cred Flow)]
    9. Click Submit.

Reconnect or Edit Azure Active Directory

Use this to switch connection methods, enable/disable optional data collection, or update credentials.

  1. In CIE, go to Directories and find the Azure directory.
  2. Select Actions > Reconnect (if the connection was previously active) or Actions > Edit (if it never successfully connected).
     [Images: Reconnect Action; Edit Action]
  3. Select the desired Connection Flow (CIE Enterprise App or Client Credential Flow). Palo Alto Networks recommends CIE Enterprise App unless you are migrating away from it.
     [Image: Select Connection Flow on Reconnect]
  4. Adjust the optional data collection checkboxes (user risk, roles, apps) as needed. Grant or revoke permissions in Azure accordingly if you change these.
     [Images: Reconnect Options User Risk; Reconnect Options Roles; Reconnect Options Apps]
  5. Follow the sign-in or credential entry steps for the chosen flow (as in the initial setup):
    • Enterprise App: click Sign in with Azure (or Restore), log in with a Global Administrator account, and accept the permissions.
      [Images: Restore Button; Sign in with Azure Button]
    • Client Credential Flow: enter the Client ID and Client Secret.
  6. Click Test Connection.
     [Image: Test Connection Button]
  7. (Optional) Update the Directory Name.
     [Image: Customize Directory Name on Reconnect]
  8. (Optional) Update the Group Filters.
     [Images: Filter Groups on Reconnect; Filter Operator on Reconnect; Filter Value on Reconnect; Add Filter on Reconnect]
  9. Click Submit.

Revoke Cloud Identity Engine Permissions for Azure Active Directory

  1. [CRITICAL] First, delete the directory from your CIE tenant (Directories > Actions > Remove).
  2. In the Azure portal, go to Azure AD > Enterprise applications.
     [Image: Azure Enterprise Applications Menu]
  3. Select All applications, then find and select the Palo Alto Networks Cloud Identity Engine app (or its custom name).
  4. Select Properties.
     [Image: Azure Application Properties]
  5. Click Delete and confirm.

Configure Okta Directory

[PCNSA/PCNSE] CIE integrates with Okta Directory to collect user/group attributes for policy and visibility.

[GOTCHA] You *must* create an OpenID Connect (OIDC) app integration in Okta for CIE Directory Sync, even if you use Okta for SAML authentication elsewhere. Using a SAML app integration will cause sync failures after the initial sync.

Two connection methods are available: Auth Code Flow and Client Credential Flow (each described below).

Sync schedule: users, groups, and devices sync on changes. Apps sync up to every 3 hours.

Deploy Auth Code Flow for Okta Directory

  1. Activate CIE. Get the sign-in redirect URI: copy your CIE tenant URL (e.g., https://directory-sync.us.paloaltonetworks.com/directory?instance=... ) and replace everything after the domain with /authorize (e.g., https://directory-sync.us.paloaltonetworks.com/authorize ).
  2. In the Okta Admin Dashboard:
    1. Create an Admin user specifically for the CIE integration.
    2. Create a new App Integration: select OIDC - OpenID Connect and Web Application.
       [Image: Okta Create OIDC App]
    3. Paste the CIE redirect URI (from step 1) into Sign-in redirect URIs.
       [Image: Okta Enter Redirect URI]
    4. Assign the app *only* to the dedicated admin user created earlier. Save.
  3. Configure the Okta App Integration:
    1. Edit the app > General tab. Enable Grant type: Refresh Token.
       [Image: Okta Enable Refresh Token]
    2. Select Rotate token after every use. Set the Grace period to 60 seconds. Save.
       [Image: Okta Token Rotation]
  4. Obtain the Okta app credentials:
    1. In the app's General tab, copy the Client ID and Client secret. Store them securely.
       [Image: Okta Copy Client ID/Secret]
    2. Find your Okta Domain (usually under your username dropdown at the top right). Copy and store it securely.
       [Image: Find Okta Domain]
  5. Assign API scopes in Okta:
    1. Go to Security > API > Authorization Servers tab. Select the 'default' server.
    2. Go to the Scopes tab > Add Scope. Grant consent for the required scopes: okta.groups.read, okta.logs.read, okta.users.read, okta.users.read.self.
    3. If collecting enterprise app data, also grant okta.apps.read.
       [Image: Okta Grant API Scopes]
  6. In the CIE app, go to Directories > Add New Directory, select Okta, and click Set Up.
     [Image: CIE Add Okta Directory]
  7. Select Connection Flow: Auth Code Flow.
     [Image: Select Auth Code Flow]
  8. (Optional) Select Collect enterprise applications if needed (requires the okta.apps.read scope).
     [Image: Okta Collect Apps]
  9. Enter the Okta information:
    1. Paste the Okta Domain (step 4b).
    2. Paste the Client ID and Client Secret (step 4a).
       [Image: Enter Okta Credentials in CIE]
  10. Click Sign in with Okta. Log in using the dedicated Okta admin user created in step 2a.
      [Image: Sign in with Okta Button]
  11. Click Test Connection.
  12. (Optional) Customize the Directory Name.
  13. Click Submit.
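Two parts of this procedure are easy to get subtly wrong: deriving the redirect URI in step 1 (the query string must go, and Okta compares the registered URI as an exact string) and the app settings in steps 2 to 5 (refresh-token rotation, the single assigned user, the scope set). The following added Python example, which is not Okta or Palo Alto Networks code, derives the redirect URI with proper URL parsing and then checks a plain-dict description of the app integration against the settings the steps require. The dict keys are a constructed representation for the example, not Okta API field names, and the instance id in the sample tenant URL is made up.

```python
from urllib.parse import urlsplit, urlunsplit

# Scopes the procedure grants on the default authorization server
REQUIRED_SCOPES = {"okta.groups.read", "okta.logs.read", "okta.users.read", "okta.users.read.self"}
APPS_SCOPE = "okta.apps.read"   # only needed when collecting enterprise applications


def okta_redirect_uri(tenant_url):
    """Derive the sign-in redirect URI from the CIE tenant URL (step 1 above):
    keep the scheme and host, replace everything after the host with /authorize."""
    parts = urlsplit(tenant_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"expected an https tenant URL, got {tenant_url!r}")
    return urlunsplit(("https", parts.netloc.lower(), "/authorize", "", ""))


def check_okta_app(app, tenant_url, collect_apps=False):
    """Compare an OIDC app integration (as a dict) with the required settings.

    Returns a list of findings; an empty list means the app matches the procedure.
    """
    findings = []
    expected = okta_redirect_uri(tenant_url)
    if expected not in app.get("redirect_uris", []):
        findings.append(f"sign-in redirect URI {expected} is not registered")
    if "refresh_token" not in app.get("grant_types", []):
        findings.append("Refresh Token grant type is not enabled")
    if app.get("refresh_token_rotation") != "rotate_after_every_use":
        findings.append("refresh token is not rotated after every use")
    if app.get("rotation_grace_seconds") != 60:
        findings.append("refresh token grace period is not 60 seconds")
    if set(app.get("assigned_users", [])) != {app.get("dedicated_admin")}:
        findings.append("app must be assigned only to the dedicated CIE admin user")
    needed = REQUIRED_SCOPES | ({APPS_SCOPE} if collect_apps else set())
    missing = needed - set(app.get("granted_scopes", []))
    if missing:
        findings.append("missing API scopes: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample values
TENANT_URL = "https://directory-sync.us.paloaltonetworks.com/directory?instance=example-instance"
GOOD_APP = {
    "redirect_uris": ["https://directory-sync.us.paloaltonetworks.com/authorize"],
    "grant_types": ["authorization_code", "refresh_token"],
    "refresh_token_rotation": "rotate_after_every_use",
    "rotation_grace_seconds": 60,
    "dedicated_admin": "cie-sync-admin",
    "assigned_users": ["cie-sync-admin"],
    "granted_scopes": sorted(REQUIRED_SCOPES),
}
# Same app, but assigned to an extra user and (when collecting apps) missing okta.apps.read
SLOPPY_APP = dict(GOOD_APP, assigned_users=["cie-sync-admin", "jdoe"])

if __name__ == "__main__":
    print("redirect URI:", okta_redirect_uri(TENANT_URL))
    print("good app:", check_okta_app(GOOD_APP, TENANT_URL) or "matches procedure")
    print("sloppy app:", check_okta_app(SLOPPY_APP, TENANT_URL, collect_apps=True))
```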

[GOTCHA] The default Okta group "Everyone" is not supported by CIE due to performance recommendations from Okta.

Deploy Client Credential Flow for Okta

Uses an API Service Integration in Okta for a more secure, service-account-based connection.

[GOTCHA] You MUST obtain a new Client ID and Secret specifically for the API Service Integration; credentials from the Auth Code Flow method are incompatible.

  1. In the Okta Admin Dashboard, go to Applications > API Service Integrations.
     [Image: Okta API Service Integrations Menu]
  2. Click Add Integration. Search for and select either:
    • Palo Alto Networks Cloud Identity Engine (if NOT collecting app data)
    • Palo Alto Networks Cloud Identity Engine (Application-enabled) (if collecting app data)
    [Images: Add API Integration; Select App-Enabled API Integration; Select Standard API Integration]
  3. Click Install & Authorize. (The required API scopes are configured automatically.)
     [Image: Install & Authorize API Integration]
  4. [CRITICAL] Click Copy to clipboard for the Client Secret and store it securely. It is shown only once. Click Done.
     [Image: Copy API Client Secret]
  5. Go to the API integration's General tab. Copy the Okta Domain (without `https://`) and the Client ID. Store them securely.
     [Image: Copy Okta Domain and Client ID for API]
  6. In the CIE app, go to Directories > Add New Directory, select Okta, and click Set Up.
  7. Select Connection Flow: Client Credential Flow.
     [Image: Select Client Credential Flow for Okta]
  8. (Optional) Select Collect enterprise applications (ensure you chose the Application-enabled API integration in Okta).
     [Image: Okta Collect Apps (Client Cred Flow)]
  9. Enter the Okta information:
    • Okta Domain -> CIE Domain
    • Okta Client ID -> CIE Client ID
    • Okta Client Secret (copied in step 4) -> CIE Client Secret
    [Image: Enter Credentials for Okta Client Cred Flow]
  10. Click Test Connection.
  11. (Optional) Customize the Directory Name.
  12. Click Submit.

Reconnect Okta Directory

  1. In CIE, go to Directories. Find the Okta directory > Actions > Reconnect.
     [Image: Okta Reconnect Action]
  2. Adjust the Connection Flow and the Collect enterprise applications setting if needed.
     [Image: Okta Reconnect Options]
  3. Provide credentials or sign in, depending on the chosen flow.
  4. Click Test Connection.
  5. (Optional) Update the Directory Name.
  6. Click Submit.

Remove Okta Directory

  1. In the Okta Admin Dashboard, go to Applications > Applications and select the CIE app integration.
     [Image: Okta Applications Menu]
  2. Go to the app's General tab > App Settings, click Deactivate, and confirm. After deactivation, click Delete and confirm. (For an API Service Integration, find it under Applications > API Service Integrations and delete it there.)
     [Images: Okta Deactivate/Delete App; Okta Confirm Delete]
  3. In the CIE app, go to Directories. Find the Okta directory > Actions > Remove. Confirm the deletion.
     [Image: CIE Remove Okta Directory]

Configure Google Directory

Allows CIE to access Google Directory information for user identification and policy.

  1. Activate CIE if not already done.
  2. In the Google Admin console, configure Admin Roles with the necessary privileges (OU Read, Users Read, Groups, Mobile Device Management, Chrome Management Read, Domain Settings, and the various Admin API Read/Write permissions).
     [Image: Google Admin Role Privileges]
  3. In the Google Admin console, go to Security > API controls > Manage Third-Party App Access.
     [Image: Google API Controls]
  4. Click Configure new app > OAuth App Name Or Client ID.
     [Image: Google Configure New App]
  5. Search for Palo Alto Networks Cloud Identity Engine Directory Sync.
     [Image: Google Search for CIE App]
  6. Select the app, ensure the OAuth Client ID option is selected, and click Select.
     [Image: Google Select CIE App]
  7. Set App access to Trusted: Can access all Google services. Click Configure.
     [Image: Google Trust CIE App]
  8. In the Google Admin console, go to Account > Account Settings and copy the Customer ID.
     [Image: Google Copy Customer ID]
  9. In the CIE app, go to Directories > Add New Directory, select Google, and click Set Up.
     [Image: CIE Add Google Directory]
  10. Paste the Customer ID.
      [Image: CIE Enter Customer ID]
  11. Click Sign in with Google and authenticate with the Google Admin account associated with the Customer ID. Grant permissions if prompted.
      [Image: CIE Sign in with Google]
  12. Click Test Connection.
  13. (Optional) Customize the Directory Name.
  14. Click Submit.
      [Image: Google Directory Added in CIE]

Reconnect Google Directory

  1. In CIE, go to Directories. Find the Google directory > Actions > Reconnect.
     [Image: Google Reconnect Action]
  2. Click Log in to Google and re-authenticate.
  3. Click Test Connection.
  4. (Optional) Update the Directory Name.
  5. Click Submit.

Remove Google Directory

  1. In the Google Admin console, go to Security > API Controls > App Access Control.
  2. Select the CIE app and click Change access.
  3. Select Blocked: Can't access any Google service. Click Change.
     [Image: Google Block CIE App Access]
  4. In the CIE app, go to Directories. Find the Google directory > Actions > Remove. Confirm the deletion.
     [Image: CIE Remove Google Directory]

Configure SCIM Connector for the Cloud Identity Engine

[PCNSA/PCNSE] SCIM (System for Cross-Domain Identity Management) allows customized attribute collection from directories like Azure AD, PingFederate, and Okta. You define which attributes are provisioned from the IdP side.

[GOTCHA] The SCIM gallery app does *not* support the `userType` attribute.

[CRITICAL] Configuration requires steps in *both* CIE and the SCIM client portal (Azure, PingFederate, Okta).

  1. Complete the predeployment steps in your SCIM client portal (Azure, PingFederate, or Okta; see the subsections below).
  2. In the CIE app, go to Directories > Add New Directory, select SCIM, and click Set Up.
     [Image: CIE Add SCIM Directory]
  3. Select the SCIM Client (Azure AD, PingFederate, or Okta).
     [Image: CIE Select SCIM Client]
  4. Obtain the necessary IDs from your SCIM client portal (details vary by client):
    • Azure AD: Tenant ID -> CIE Directory ID; Primary Domain -> CIE Directory Name.
    • PingFederate: System ID (without the `LDAP-` prefix) -> CIE Directory ID; user domain part -> CIE Directory Name.
    • Okta: Directory Name -> CIE Directory ID; Okta Domain -> CIE Directory Name.
  5. Enter the Directory ID and Directory Name in CIE.
     [Image: CIE Enter SCIM IDs]
  6. Copy the Base URL from CIE and save it securely.
     [Image: CIE Copy SCIM Base URL]
  7. Click Generate Bearer Token in CIE. [CRITICAL] Copy the generated token immediately and store it securely. You will need it for the SCIM client configuration.
     [Image: CIE Generate Bearer Token]
  8. Click Submit in CIE to save the initial configuration. [GOTCHA] You MUST submit before configuring the SCIM client.
  9. Acknowledge the post-configuration requirements prompt.
     [Image: CIE SCIM Post-config Prompt]
  10. Complete the post-configuration steps in your SCIM client portal using the Base URL and Bearer Token (see the subsections below).
  11. [CRITICAL] After configuring the SCIM client, return to CIE > Directories and perform a Full Sync for the SCIM directory to complete the setup.

Configure Azure Active Directory for SCIM Connector

(Requires steps in Azure Portal alongside CIE steps above)

  1. Predeployment (Azure Portal):
    1. Go to Azure AD > Overview. Copy the Tenant ID and Primary domain (these become the CIE Directory ID and Directory Name).
    2. Go to Enterprise applications > New application and search the gallery for Palo Alto Networks SCIM Connector.
    3. Select the app and click Create. [GOTCHA] Azure SCIM requires a unique `displayName` for each group; duplicate names cause sync issues. Rename groups in Azure AD if needed before using them in policy.
  2. Post-configuration (Azure Portal):
    1. Select the created SCIM Connector app > Provisioning > Get Started.
    2. Set Provisioning Mode to Automatic.
    3. Under Admin Credentials, paste the CIE Base URL into Tenant URL and the CIE Bearer Token into Secret Token.
    4. Click Test Connection (it succeeds only if the CIE side was submitted). Save.
    5. Go to Mappings. Edit the attribute mappings for Groups and Users if needed (delete unused mappings, add custom ones). Recommended: provision only the groups you need. If syncing subgroups, add parent groups *then* child groups.
    6. (Optional) Under Settings, change Scope from "Sync only assigned users and groups" to "Sync all users and groups". Save. [GOTCHA] "Sync all" pushes every user and group in the tenant to CIE; keep the assigned scope unless you really need the whole directory.
    7. Go back to the Provisioning overview and click Start provisioning.
    8. Wait for the initial cycle to complete and view the details to verify the Users/Groups counts.
    9. [CRITICAL] Return to CIE > Directories. Verify the SCIM Change Timestamp populates, then perform a Full Sync.
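The two things the SCIM procedure above leaves to the operator are catching the Azure duplicate-`displayName` gotcha before provisioning starts, and understanding how the Bearer Token is presented when a client tests the Base URL. The following Python script is an added example, not code from the Cloud Identity Engine documentation or from Palo Alto Networks: it scans a set of SCIM Group resources for colliding names and builds (without sending) the authenticated probe request a SCIM client issues. The Base URL, token and group data are constructed placeholders, and whether CIE serves the RFC 7644 `/ServiceProviderConfig` discovery endpoint is an assumption.

```python
"""Pre-flight checks before pointing a SCIM client at a CIE SCIM directory.

Added example, not code from the Cloud Identity Engine documentation. It covers
two things the procedure above leaves to the operator: the Azure gotcha that
every group pushed over SCIM needs a unique displayName, and how the Bearer
Token is presented when a client tests the Base URL (Authorization header only,
never the query string or a log line). Base URL, token and group data are
constructed placeholders.
"""
import urllib.request
from collections import defaultdict

# Constructed placeholders; substitute the Base URL and token CIE generated.
BASE_URL = "https://scim.example.invalid/api/v1/scim"
BEARER_TOKEN = "REPLACE-WITH-TOKEN-FROM-CIE"

# SCIM 2.0 Group resources in the shape Azure AD pushes (RFC 7643 core schema).
# Constructed sample: two groups collide on displayName, one is unique.
SAMPLE_GROUPS = [
    {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
     "externalId": "11111111-aaaa-4bbb-8ccc-000000000001",
     "displayName": "Finance", "members": []},
    {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
     "externalId": "11111111-aaaa-4bbb-8ccc-000000000002",
     "displayName": "Finance", "members": []},
    {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
     "externalId": "11111111-aaaa-4bbb-8ccc-000000000003",
     "displayName": "Engineering", "members": []},
]


def find_duplicate_group_names(groups):
    """Return {displayName: [externalId, ...]} for names shared by >1 group.

    Azure AD allows identical group names, but the page notes that duplicate
    displayNames break the SCIM sync, so rename them before provisioning.
    """
    by_name = defaultdict(list)
    for group in groups:
        by_name[group["displayName"]].append(group.get("externalId", "<no externalId>"))
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}


def build_scim_probe(base_url, token, path="/ServiceProviderConfig"):
    """Build (without sending) the GET a SCIM client uses to test the Base URL.

    /ServiceProviderConfig is the RFC 7644 discovery endpoint; whether CIE
    serves it is an assumption of this example. The token goes only in the
    Authorization header.
    """
    request = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    request.add_header("Authorization", "Bearer " + token)
    request.add_header("Accept", "application/scim+json")
    return request


def describe(request):
    """One-line description of the request with the bearer token masked."""
    auth = request.get_header("Authorization", "")
    masked = auth[:11] + "..." if auth.startswith("Bearer ") else "<no bearer token>"
    return "%s %s Authorization=%s" % (request.get_method(), request.full_url, masked)


if __name__ == "__main__":
    for name, ids in find_duplicate_group_names(SAMPLE_GROUPS).items():
        print("duplicate displayName %r used by %s" % (name, ids))
    probe = build_scim_probe(BASE_URL, BEARER_TOKEN)
    print(describe(probe))
    # To send it for real: urllib.request.urlopen(probe, timeout=10).
    # A 401 means the token was rejected; any other failure points at the
    # Base URL or at the CIE side not having been submitted yet.
```

Run it against an export of the groups you intend to assign to the connector; any name it reports must be made unique in Azure AD before you click Start provisioning, because a later rename does not undo a broken sync cycle.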

Configure PingFederate for SCIM Connector

(Requires steps in PingFederate Portal alongside CIE steps)

  1. Predeployment (PingFederate):
    1. Set up a Data Store (LDAP type) and test the connection. Copy the System ID (remove the `LDAP-` prefix) for the CIE Directory ID, and the user domain part for the CIE Directory Name.
    2. Create an SP Connection (Outbound provisioning, SCIM Connector type).
    3. Enter the Connection ID and Name. (Optional) Increase Max Threads under Channel Configuration for faster sync (recommended: 5).
  2. Post-configuration (PingFederate):
    1. Go to Outbound Provisioning > Configure Provisioning > Target tab. Paste the CIE Base URL.
    2. Go to Configure Channels > Manage Channels. Set Authentication Method to OAuth 2 Bearer Token and paste the CIE Bearer Token into Access Token.
    3. Set Group Name Source to Common Name. Select Use patch for group updates.
    4. Configure Channels: create a channel, select the Active Data Store, enter the Base DN, then enter a Group DN or Filter. Select Nested Search if needed. [GOTCHA] The SCIM Connector does not automatically retain the nested group hierarchy from PingFederate. Either put the parent group in a container and use that container's DN, or use a filter like `(objectClass=user),(objectClass=group)` to get all members.
    5. Edit Attribute Mapping: change `userName*` to `userPrincipalName`.
    6. Save the connection.
    7. Trigger a sync in PingFederate (commit a change, or run `provmgr.sh --reset-all -c [channel_number]`).
    8. [CRITICAL] Return to CIE > Directories. Verify the SCIM Change Timestamp populates, then perform a Full Sync.

Configure Okta Directory for SCIM Connector

(Requires steps in Okta Dashboard alongside CIE steps)

Capabilities: Create/Update/Deactivate Users, Import Users/Groups, Sync Password, Group Push.

  1. Predeployment (Okta):
    1. Browse the App Catalog and search for Palo Alto Networks SCIM.
    2. Select the app and click Add Integration.
    3. (Optional) Edit the App Label. Click Done.
    4. Copy your Okta domain name (this becomes the CIE Directory Name).
  2. Post-configuration (Okta):
    1. Select the SCIM app > Provisioning tab > Configure API Integration.
    2. Check Enable API integration.
    3. Paste the CIE Base URL, and paste the CIE Bearer Token into API Token.
    4. Click Test API Credentials. Save.
    5. Under Provisioning to App > Edit Settings, enable the desired actions (Create Users, Update User Attributes, Deactivate Users). Save.
    6. Go to the Push Groups tab. Find and add the groups to push to CIE. Save.
    7. [CRITICAL] Return to CIE > Directories. Verify the SCIM Change Timestamp populates, then perform a Full Sync.

Configure a CIE Directory

Allows creating a local directory directly within the Cloud Identity Engine, useful for small user sets or specific use cases where an external directory isn't available or desired.

  1. In CIE: Go to Directories > Add New Directory > select CIE Directory > click Set Up.
  2. Enter a unique Directory Name and click Submit. Wait for creation to finish.
  3. Back on the Directories page, find the new CIE Directory > Actions > Add/Remove Users.
  4. Click Add User.
  5. Enter First Name, Last Name and Email. Enter or Generate a password, then click the Confirm checkmark. Use the copy icon to capture a generated password before confirming; it is the user's initial credential and has to reach them out of band.
  6. Repeat to add more users (up to 200 supported).
  7. Click Submit when finished adding users for this session.
  8. Manage users with the Edit or Remove icons in the Add/Remove Users screen. Refresh the directory or remove the entire CIE directory from the main Directories page actions.

Authenticate Users with the Cloud Identity Engine

[PCNSA/PCNSE] CIE can authenticate users using SAML 2.0 IdPs, Client Certificates, or both. This requires configuring Authentication Types and an Authentication Profile within CIE, and potentially configuring Authentication Portal and Authentication Policy on the firewall/Panorama.

Follow these steps:

  1. Configure Authentication Type(s) (SAML 2.0, Client Certificate, or OIDC).
  2. Set Up an Authentication Profile (defines which auth types apply to which users/groups).
  3. Configure Cloud Identity Engine Authentication on the Firewall or Panorama.

Configure a SAML 2.0 Authentication Type

Steps vary by IdP. Select your IdP:

Configure PingOne as an IdP

  1. Enable the CIE app in PingOne:
    1. Activate the CIE app.
    2. In CIE > Authentication > SP Metadata, click Download SP Metadata.
    3. In PingOne > Applications > My Applications > Add Application > New SAML Application.
    4. Enter the App Name, Description and Category. Continue.
    5. Select "I have the SAML configuration". Ensure Protocol Version is SAML v 2.0.
    6. Upload Metadata using the file downloaded from CIE (or manually enter the Entity ID and ACS URL from the CIE SP Metadata).
    7. Select a Signing Algorithm (RSA_SHA384 or RSA_SHA256).
    8. (Optional) Enable Force Re-authentication.
    9. (Optional) Enable Force MFA.
    10. Continue. Map attributes, ensuring the required user identifier is mapped.
    11. Add the Groups that will use this app. Continue and Finish.
  2. Add PingOne as an Auth Type in CIE:
    1. Go to Authentication Types > Add > SAML 2.0.
    2. Enter a Profile Name and select Vendor: PingOne.
    3. Add Metadata (Manual, Upload, or Get URL) using the metadata downloaded from PingOne or its metadata URL.
    4. Set Max Clock Skew. Enable Force Authentication and MFA in CIE only if you enabled them in PingOne, so both sides agree.
    5. Test SAML Setup.
    6. Select the SAML Attributes (Username, optionally Group, etc.).
    7. Submit.

Configure PingFederate as an IdP

  1. Prepare Metadata in PingFederate:
    1. Activate the CIE app and download the SP Metadata from CIE.
    2. In PingFederate > System > SP Affiliations > Protocol Metadata > Metadata Export.
    3. Select "I am the Identity Provider (IdP)".
    4. Select "Select information...manually".
    5. Select the Signing key, Protocol (SAML 2.0), Signing Certificate (include the public key), Signing Algorithm, and Encryption Certificate.
    6. Review and Export the metadata file.
  2. Add PingFederate as an Auth Type in CIE:
    1. Go to Authentication Types > Add > SAML 2.0.
    2. Enter a Profile Name and select Vendor: PingFederate.
    3. Add Metadata (manual entry, or Upload the PingFederate metadata file).
      • Manual: get the IdP ID (SAML 2.0 Entity ID), IdP SSO URL (Base URL) and IdP Cert from PingFederate.
    4. Set HTTP Binding and Max Clock Skew. Enable Force Authentication if needed.
    5. Test SAML Setup.
    6. Select the SAML Attributes (Username, optionally Group, etc.).
    7. Submit.

Configure Other SAML 2.0-Compliant IdP

  1. Obtain from your IdP: Identity Provider ID, Identity Provider Certificate, Identity Provider SSO URL.
  2. In CIE: Download SP Metadata.
  3. Add the Auth Type in CIE:
    1. Go to Authentication Types > Add > SAML 2.0.
    2. Enter a Profile Name and select Vendor: Others.
    3. Add Metadata (manual entry, Upload the IdP metadata, or Get URL if available).
    4. Set HTTP Binding and Max Clock Skew. Enable Force Authentication if needed.
    5. Test SAML Setup.
    6. Select the SAML Attributes (Username, optionally Group, etc.).
    7. Submit.
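When an IdP only hands you a metadata document, the three values the manual entry asks for (Identity Provider ID, SSO URL, signing certificate) have to be pulled out of it, and the Max Clock Skew setting then decides how much drift between the IdP's clock and CIE's is tolerated on an assertion. The following Python script is an added example, not code from the Cloud Identity Engine documentation or from Palo Alto Networks: it extracts those values from SAML 2.0 IdP metadata for whichever HTTP binding you selected in CIE, prints the certificate's SHA-256 fingerprint so you can compare it against what the IdP admin console shows, and applies a skew window to an assertion's `Conditions` the way a typical SAML service provider does (that CIE applies it symmetrically on both edges is an assumption). The metadata document is constructed and its certificate bytes are a dummy value.

```python
"""Extract the values CIE's manual SAML entry needs from IdP metadata.

Added example, not part of the Cloud Identity Engine documentation. Given a
SAML 2.0 IdP metadata document it returns the Identity Provider ID (entityID),
the SSO URL for the chosen HTTP binding, and the signing certificate as PEM
with its SHA-256 fingerprint. It also shows how Max Clock Skew widens the
validity window of an assertion's Conditions. The metadata below is
constructed and the certificate content is placeholder bytes, not a real DER.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = {"redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "post": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}

# Constructed IdP metadata; the X509Certificate body is a placeholder.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.invalid/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {cert}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/saml/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".format(cert=base64.b64encode(b"not-a-real-der-certificate").decode())


def extract_idp_settings(metadata_xml, binding="redirect"):
    """Return entityID, the SSO URL for `binding`, and the signing cert."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor; is this SP metadata instead?")

    sso_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == BINDINGS[binding]:
            sso_url = sso.get("Location")
            break
    if sso_url is None:
        raise ValueError("IdP does not advertise the %s binding" % binding)

    # Prefer a KeyDescriptor marked use="signing"; one without 'use' covers both.
    cert_b64 = None
    for key_desc in idp.findall("md:KeyDescriptor", NS):
        if key_desc.get("use") in (None, "signing"):
            node = key_desc.find(".//ds:X509Certificate", NS)
            if node is not None and node.text:
                cert_b64 = "".join(node.text.split())
                break
    if cert_b64 is None:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode(cert_b64)
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
           + "\n-----END CERTIFICATE-----\n")
    return {"idp_id": root.get("entityID"), "sso_url": sso_url,
            "cert_pem": pem, "cert_sha256": hashlib.sha256(der).hexdigest()}


def _saml_time(value):
    """Parse the UTC xs:dateTime form SAML uses in NotBefore/NotOnOrAfter."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_time_valid(not_before, not_on_or_after, now, max_clock_skew_s):
    """Apply a Max Clock Skew allowance to an assertion's Conditions window.

    The skew is tolerated on both edges: accepted if at most `skew` seconds
    early and at most `skew` seconds past NotOnOrAfter (exclusive, per SAML).
    """
    start, end, at = (_saml_time(v) for v in (not_before, not_on_or_after, now))
    skew = timedelta(seconds=max_clock_skew_s)
    return (start - skew) <= at < (end + skew)


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_METADATA, binding="redirect")
    print("Identity Provider ID :", settings["idp_id"])
    print("Identity Provider SSO:", settings["sso_url"])
    print("Signing cert SHA-256 :", settings["cert_sha256"])
    # A CIE clock 90 s behind the IdP sees the assertion 90 s before NotBefore:
    # rejected at 60 s skew, accepted at 120 s.
    window = ("2024-01-01T12:00:00Z", "2024-01-01T12:05:00Z", "2024-01-01T11:58:30Z")
    print(assertion_time_valid(*window, 60), assertion_time_valid(*window, 120))
```

Keep Max Clock Skew as small as your clock discipline allows: every second of skew is a second longer that a captured assertion can be replayed, so fixing NTP on both sides is the real remedy when users see "assertion not yet valid" errors.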

Configure a Client Certificate

Use a client certificate issued by a trusted CA chain for user authentication.

  1. Configure the CA Chain in CIE:
    1. Go to Authentication > CA Chains > Add CA Chain.
    2. Enter a CA Name. Upload the CA certificate(s) (root plus intermediates, .crt or .pem).
    3. (Optional but recommended) Enter the CRL Endpoint URL so that revoked client certificates are rejected.
    4. Submit.
  2. Configure the Client Certificate Auth Type in CIE:
    1. Go to Authentication Types > Add > Client Certificate > Set Up.
    2. Enter an Authentication Type Name.
    3. Select the Username Field (Subject or Subject Alt Name).
    4. Select the Username Attribute (CN if Subject; Email or UPN if Subject Alt Name). [GOTCHA] Choose the field your CA populates consistently; the value extracted here must match the directory attribute you select later in the Authentication Profile.
    5. Click Add CA Chain, select the chain(s) configured previously, and Add.
    6. Submit.

Configure an OIDC Authentication Type

OpenID Connect (OIDC) provides SSO flexibility. [GOTCHA] Supports Prisma Access Browser; *does not* support GlobalProtect or Authentication Portal.

Username attribute is determined in order: email, preferred_username, username, sub.

Select your OIDC provider:

Configure OIDC for Azure

  1. In CIE: Go to Authentication Types > Add > OIDC > Set Up.
  2. Enter an Auth Type Name. Copy the Callback URL/Redirect URL. Select the JWT Encryption Algorithm.
  3. In the Azure Portal: Go to Azure AD > App registrations > New registration.
  4. Enter a Name. Select "Accounts in this organizational directory only". Enter the CIE Callback URL as the Redirect URI. Register.
  5. Assign Users/Groups to the app registration.
  6. Copy the App (client) ID. Go to Certificates & secrets > New client secret. Create the secret and [CRITICAL] copy the secret Value immediately; Azure does not display it again. Note its expiry and plan the rotation.
  7. (Optional) Copy the OIDC metadata document URL from Endpoints.
  8. In CIE: Enter the Client Name (Azure app name), Client ID and Client Secret. Enter the Issuer URL: https://login.microsoftonline.com/organizations/2.0/ . (Optional) Enter the Endpoint URL.
  9. Click Test Connection. Submit.
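The username precedence stated above (email, then preferred_username, username, sub) only matters once the ID token has been checked against the Issuer URL and Client ID you entered. The following Python script is an added example, not code from the Cloud Identity Engine documentation or from Palo Alto Networks: it decodes a JWT payload, validates issuer, audience and the time claims with a small skew allowance, and then picks the username claim in that order. Signature verification (RS256 against the IdP's JWKS) is deliberately out of scope and must happen before any claim is trusted; the issuer, client ID and token are constructed placeholders, not real Azure values.

```python
"""Validate an OIDC ID token's claims and pick the CIE username from them.

Added example, not code from the Cloud Identity Engine documentation or from
Palo Alto Networks. It decodes a JWT payload, checks issuer, audience and the
time claims as any relying party must, and then applies the username
precedence stated above: email, preferred_username, username, sub. Signature
verification (RS256 against the IdP's JWKS) is out of scope here and must be
done before any claim is trusted. Issuer, client ID and token are constructed.
"""
import base64
import json
import time

USERNAME_CLAIM_ORDER = ("email", "preferred_username", "username", "sub")

# Constructed placeholders; use your Issuer URL and App (client) ID.
ISSUER = "https://idp.example.invalid/v2.0"
CLIENT_ID = "00000000-0000-4000-8000-000000000abc"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_id_token(claims):
    """Assemble a JWT-shaped token for the demo. The signature segment is a
    placeholder, which is exactly why nothing below treats it as verified."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return "%s.%s.%s" % (header, payload, _b64url_encode(b"placeholder-signature"))


def decode_claims(id_token):
    """Return the payload claims of a compact-serialised JWT (unverified)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three segments")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims, issuer, client_id, now=None, skew_s=60):
    """Reject tokens from another issuer, for another client, or outside
    their validity window (with a small clock-skew allowance)."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token was not issued for this client")
    if "exp" not in claims or now > claims["exp"] + skew_s:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"] - skew_s:
        raise ValueError("token not yet valid")
    return True


def select_username(claims):
    """First non-empty claim in CIE's precedence order, as (claim, value)."""
    for name in USERNAME_CLAIM_ORDER:
        value = claims.get(name)
        if value:
            return name, value
    raise ValueError("no usable username claim in token")


SAMPLE_CLAIMS = {  # constructed
    "iss": ISSUER, "aud": CLIENT_ID, "iat": 1700000000, "exp": 1700000600,
    "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "preferred_username": "jdoe@example.invalid",
}

if __name__ == "__main__":
    token = make_sample_id_token(SAMPLE_CLAIMS)
    claims = decode_claims(token)
    validate_claims(claims, ISSUER, CLIENT_ID, now=1700000300)
    print("username from %s: %s" % select_username(claims))
```

The practical consequence of the precedence is that a tenant whose users have no `email` claim will be identified by `preferred_username`, and one whose IdP emits neither falls through to the opaque `sub`; check which claim your IdP actually populates before writing group-based policy on the resulting usernames.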

Set Up an Authentication Profile

[PCNSA/PCNSE] Defines which authentication types (SAML, Client Cert, OIDC) apply to which users/groups for authentication requests forwarded by the firewall/Panorama.

Using multiple authentication types requires a configured directory in CIE. Single Client Cert also usually requires a directory. Single SAML does not strictly require a directory config within CIE itself.

  1. Go to Authentication > Authentication Profiles > Add Authentication Profile.
  2. Ensure the required Authentication Types (SAML/Cert/OIDC) are already configured.
  3. Enter a unique Profile Name.
  4. Select the Authentication Mode: Single or Multiple.
  5. If Single: select the specific Authentication Type.
  6. If Multiple, or Single with Client Cert: select the Directory Sync Username Attribute and Group Attribute. [GOTCHA] For Client Cert auth, the Directory Sync Username Attribute *must* match the Username Attribute selected in the Client Cert Auth Type config; otherwise the identity taken from the certificate cannot be matched to a directory user.
  7. If Multiple: define the Authentication mapping order by dragging the configured Auth Types into priority order. Select the Default authentication type for users not in any explicitly mapped group.
  8. Click Choose directories and groups. Select "All Directories" or a specific one.
  9. Select group(s) from the list.
  10. Click Select an authentication type, choose the type to apply to the selected group(s), and click Assign.
  11. Review the assignments and click Submit.

Configure Cloud Identity Engine Authentication on the Firewall or Panorama

[PCNSA/PCNSE] Links the firewall/Panorama to CIE for authentication decisions based on CIE Auth Profiles. Requires PAN-OS configuration.

Prerequisites: CIE configured as Mapping Source, Auth Types configured in CIE, Auth Profile configured in CIE.

Steps marked "(Required for authentication policy rule only)" are needed specifically for Captive Portal/Authentication Policy redirection, not necessarily for admin auth or GlobalProtect/Prisma Access auth using CIE.

  1. Configure the Authentication Profile on the Firewall/Panorama:
    1. Go to Device > Authentication Profile > Add.
    2. Enter a Name. Type: Cloud Authentication Service.
    3. Select the CIE tenant Region and Instance.
    4. Select the CIE Authentication Profile created earlier.
    5. Set Max Clock Skew. Enable Force MFA if applicable. OK.
  2. (Required for authentication policy rule only) Configure Authentication Portal:
    1. Go to Device > User Identification > Authentication Portal Settings.
    2. Edit. Select the CIE Authentication Profile created above.
    3. Mode: Redirect . OK.
  3. (Required for authentication policy rule only) Create Authentication Enforcement Object:
    1. Go to Objects > Authentication > Add.
    2. Enter Name. Authentication Method: web-form .
    3. Select the CIE Authentication Profile. (Optional) Enter Message. OK.
  4. Create Custom URL Category for CIE/IdP Traffic:
    1. Go to Objects > Custom Objects > URL Category > Add.
    2. Enter a Name. Add the CIE auth hostnames for your tenant's region (both entries from the table below; the wildcard *.apps.paloaltonetworks.com also works but is broader, and does not cover the China region's apps.prismaaccess.cn domain) AND the IdP URLs the login flow touches (e.g., *.okta.com, *.microsoftonline.com).
    3. Regional CIE Auth URLs:

       Region                      Cloud Identity Engine Auth URL(s)
       --------------------------  -------------------------------------------------
       United States               cloud-auth.us.apps.paloaltonetworks.com
                                   cloud-auth-service.us.apps.paloaltonetworks.com
       Europe                      cloud-auth.nl.apps.paloaltonetworks.com
                                   cloud-auth-service.nl.apps.paloaltonetworks.com
       United Kingdom              cloud-auth.uk.apps.paloaltonetworks.com
                                   cloud-auth-service.uk.apps.paloaltonetworks.com
       Singapore                   cloud-auth.sg.apps.paloaltonetworks.com
                                   cloud-auth-service.sg.apps.paloaltonetworks.com
       Canada                      cloud-auth.ca.apps.paloaltonetworks.com
                                   cloud-auth-service.ca.apps.paloaltonetworks.com
       Japan                       cloud-auth.jp.apps.paloaltonetworks.com
                                   cloud-auth-service.jp.apps.paloaltonetworks.com
       Australia                   cloud-auth.au.apps.paloaltonetworks.com
                                   cloud-auth-service.au.apps.paloaltonetworks.com
       Germany                     cloud-auth.de.apps.paloaltonetworks.com
                                   cloud-auth-service.de.apps.paloaltonetworks.com
       United States - Government  cloud-auth.gov.apps.paloaltonetworks.com
                                   cloud-auth-service.gov.apps.paloaltonetworks.com
       India                       cloud-auth.in.apps.paloaltonetworks.com
                                   cloud-auth-service.in.apps.paloaltonetworks.com
       Switzerland                 cloud-auth.ch.apps.paloaltonetworks.com
                                   cloud-auth-service.ch.apps.paloaltonetworks.com
       Spain                       cloud-auth.es.apps.paloaltonetworks.com
                                   cloud-auth-service.es.apps.paloaltonetworks.com
       Italy                       cloud-auth.it.apps.paloaltonetworks.com
                                   cloud-auth-service.it.apps.paloaltonetworks.com
       France                      cloud-auth.fr.apps.paloaltonetworks.com
                                   cloud-auth-service.fr.apps.paloaltonetworks.com
       China                       cloud-auth.cn.apps.prismaaccess.cn
                                   cloud-auth-service.cn.apps.prismaaccess.cn
       Poland                      cloud-auth.pl.apps.paloaltonetworks.com
                                   cloud-auth-service.pl.apps.paloaltonetworks.com
       Qatar                       cloud-auth.qa.apps.paloaltonetworks.com
                                   cloud-auth-service.qa.apps.paloaltonetworks.com
       Taiwan                      cloud-auth.tw.apps.paloaltonetworks.com
                                   cloud-auth-service.tw.apps.paloaltonetworks.com
       Israel                      cloud-auth.il.apps.paloaltonetworks.com
                                   cloud-auth-service.il.apps.paloaltonetworks.com
       Indonesia                   cloud-auth.id.apps.paloaltonetworks.com
                                   cloud-auth-service.id.apps.paloaltonetworks.com
       South Korea                 cloud-auth.kr.apps.paloaltonetworks.com
                                   cloud-auth-service.kr.apps.paloaltonetworks.com
       Saudi Arabia                cloud-auth.sa.apps.paloaltonetworks.com
                                   cloud-auth-service.sa.apps.paloaltonetworks.com
  5. Create Security Policy Rule to allow this traffic (Source Zone: Trust, Dest Zone: Untrust, Application: ssl, web-browsing, Service: application-default, Category: select the custom category created above, Action: Allow).
  6. Configure Interface Management Profile on the trust zone interface to enable Response Pages.
  7. (Required for authentication policy rule only) Create Authentication Policy Rule: Source Zone: Trust, Dest Zone: Untrust, Destination Address: Any (or specific IPs needing auth), Service: HTTP/HTTPS, Action: Authentication Enforcement (select object created earlier).
  8. (Panorama Only) Assign Cloud Identity Engine instance to Device Group(s): Panorama > Device Groups > [Select Group] > Cloud Identity Engine tab > Add > Select CIE Instance > OK.
  9. Commit changes on Firewall/Panorama.
  10. Test: Browse from a client behind the firewall to a resource requiring authentication. Verify redirect to IdP/Cert prompt and successful login. On firewall CLI, run show user ip-user-mapping all to verify mapping.
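Step 10 ends with reading `show user ip-user-mapping all` by eye. The following Python script is an added example, not code from the PAN-OS or Cloud Identity Engine documentation: it parses that output into records and checks that the test client's IP is mapped to the expected user and was learned through authentication rather than from some other User-ID source. The sample output is constructed from the column layout the command prints, and the source labels used here ("CP" for Authentication Portal, "CIE" for the Cloud Identity Engine, "AD" for agent-learned mappings) are assumptions to verify against what your own firewall prints.

```python
"""Parse `show user ip-user-mapping all` output to confirm CIE-driven mappings.

Added example, not from the PAN-OS documentation. After the redirect test the
firewall should hold an IP-user mapping for the client; this reads the CLI
output (pasted, or pulled over SSH) into records and checks that a given IP
maps to the expected user via an authentication source. The sample output and
the "From" labels are constructed assumptions; confirm them on your firewall.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample; the real command prints the same columns with your data.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.20.30.40     vsys1  CP      acme\\jdoe                        2400           2400
10.20.30.41     vsys1  CIE     acme\\asmith                      1800           1800
10.20.30.42     vsys1  AD      acme\\svc-backup                  2700           2700
Total: 3 users
"""

# One data row: IP, vsys, source, user (no spaces), two integer timeouts.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")

# Sources that mean the user proved their identity (assumed labels).
AUTH_SOURCES = ("CP", "CIE")


def parse_ip_user_mappings(text):
    """Turn the CLI table into a list of dicts, skipping header and trailer."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if not match:
            continue  # header, dashed separator, "Total:" trailer
        ip, vsys, source, user, idle, maximum = match.groups()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        rows.append({"ip": ip, "vsys": vsys, "from": source,
                     "user": user.lower(), "idle_s": int(idle), "max_s": int(maximum)})
    return rows


def mapping_for(rows, ip):
    return next((row for row in rows if row["ip"] == ip), None)


def verify_mapping(rows, ip, expected_user, auth_sources=AUTH_SOURCES):
    """Return (ok, reason): fails when the IP is unmapped, mapped to someone
    else, or learned from a source other than user authentication."""
    row = mapping_for(rows, ip)
    if row is None:
        return False, "no mapping for %s; did the redirect and login complete?" % ip
    if row["user"] != expected_user.lower():
        return False, "%s is mapped to %s, expected %s" % (ip, row["user"], expected_user)
    if row["from"] not in auth_sources:
        return False, "mapping for %s came from %s, not from authentication" % (ip, row["from"])
    return True, "ok: %s via %s, idle timeout %ds" % (row["user"], row["from"], row["idle_s"])


def count_by_source(rows):
    """How many mappings each User-ID source contributed."""
    return dict(Counter(row["from"] for row in rows))


if __name__ == "__main__":
    mappings = parse_ip_user_mappings(SAMPLE_OUTPUT)
    print(count_by_source(mappings))
    for ip, user in (("10.20.30.40", "ACME\\jdoe"), ("10.20.30.42", "acme\\svc-backup"),
                     ("10.20.30.99", "acme\\jdoe")):
        print(ip, *verify_mapping(mappings, ip, user))
```

The source check matters because an IP that already had an agent-learned mapping never hits the Authentication Policy rule at all; if the test client shows up as "AD" rather than an authentication source, clear that mapping (or test from an IP the agent does not know) before concluding that the CIE redirect works.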

Manage the Cloud Identity Engine App

Tasks include managing tenants, attributes, viewing data, and configuring advanced features like User Context, Dynamic User Groups, Device-ID sharing, and IP-Tag collection.

Cloud Identity Engine Tenants

A tenant is created automatically upon CIE activation. Each tenant collects attributes for multiple directories/domains within a *single region*. Create multiple tenants for multi-region needs or data segmentation.

Create Cloud Identity Engine Tenants

  1. Log in to the hub > Tenant Management.
  2. Click Add Tenant.
  3. Enter a Name and select the Business Vertical.
  4. (Optional) Enter custom support contact info.
  5. Click Add Tenant.

View Cloud Identity Engine Tenants

  1. Log in to the hub > Tenant Management.
  2. Expand the tenant list if it is collapsed.
  3. Select the tenant to view its details.

Synchronize Cloud Identity Engine Tenants

[PCNSA/PCNSE] CIE synchronizes directory attributes automatically; the default schedule depends on the directory type.

Manual sync options are available for immediate updates or troubleshooting.

Synchronize All Attributes (Full Sync)

Recommended for troubleshooting or connectivity loss. [GOTCHA] For on-prem directories, all agents/domains in the tenant must be active.

  1. Log in to the CIE app > select the tenant > Directories.
  2. Click Actions > Full Sync for the desired directory type.
  3. Wait for Sync Status to show Success. [GOTCHA] Wait at least 90 seconds between manual full sync attempts.

Synchronize Directory Changes (Incremental Sync)

Faster than full sync. Syncs changes since last successful sync. [GOTCHA] Not available for Google Directory. Status may briefly show Success while sync is ongoing.

  1. Make the changes in your directory.
  2. In the CIE app > select the tenant > Directories.
  3. Click Actions > Sync Changes for the directory type.

Set Synchronization Interval (Google Directory Only)

  1. Log in to the CIE app > select the tenant > Directories.
  2. Click the current interval next to Sync Every: for the Google Directory.
  3. Select the desired interval (6, 12, or 24 Hours).

Synchronize CDUG Changes (Google Directory Only)

Manually syncs Cloud Dynamic User Group membership changes related to Google Directory.

  1. Log in to the CIE app > select the tenant > Directories.
  2. Click Sync CDUG Changes.
  3. Wait for Sync Status to show Success.

Rename Cloud Identity Engine Tenants

  1. Log in to the hub > Common Services > Tenant Management.
  2. Select the tenant > Edit Tenant.
  3. Enter the new Name and click Save. [GOTCHA] Only the name can change; the Region cannot be changed after creation.

Delete Cloud Identity Engine Tenants

[GOTCHA] A tenant can only be deleted if no other application is using it.

  1. (On-prem only) Stop and remove the associated Cloud Identity Agent(s).
  2. Log in to the hub > Common Services > Tenant Management.
  3. Select the tenant > Delete Tenant.
  4. Confirm the deletion.

Delete Domains or Directories from Cloud Identity Engine Tenants

Delete Active Directory Domains

[CRITICAL] Must delete from agent config *first*, then from CIE app.

  1. Launch the agent controller > LDAP Configuration. Select the domain > Delete. Commit.
  2. Log in to the CIE app > select the tenant > Directory. Select the domain > Remove. Confirm.

Delete Cloud-Based Directories

  1. Log in to the CIE app > select the tenant > Directory.
  2. Select the directory > Actions > Remove. Confirm.

Cloud Identity Engine Attributes

Attributes are unique identifiers (e.g., Distinguished Name) for directory objects (users, computers, groups). CIE uses default attribute names/formats per directory type. Custom attributes need mapping in CIE.

[GOTCHA] Invalid attributes can cause sync failures.

(Tables listing default attributes for each directory type - On-Prem AD, Azure AD, SCIM, Okta, Google, OpenLDAP - would follow here. Due to length, these are omitted but were present in the source.)

Collect Custom Attributes with the Cloud Identity Engine

  1. Log in to the CIE app > select the tenant > Attributes.
  2. Select the directory type.
  3. Click the default attribute value you want to change.
  4. Enter the custom attribute name from your directory and click the checkmark.
  5. To revert, select the custom attribute and click Restore Default.

View Directory Data

Allows viewing collected data (users, groups, computers, etc.) and searching for specific objects.

  1. On the Directories page, click the count under a category (e.g., Groups) to open Directory Data.
  2. The Directory Data page lists the objects. Use the search bar (Text search or Substring match) to find specific items.
  3. Use the pagination controls to browse.
  4. Click the Details icon for an object to see its attributes. User details show the first ~2000 groups and group details the first ~2000 members, so very large groups are truncated in this view.
  5. Click View Raw Data for the full JSON.
  6. Use the Copy icon to copy the raw data.
  7. Toggle between Direct and Direct and Nested views for group membership.
  8. Use the search within the details view.
  9. Click Go Back to Directory to return.

Cloud Identity Engine User Context

[PCNSA/PCNSE] User Context allows granular sharing of User-ID information (IP-User mappings, IP-Tags, User-Tags, Quarantine Lists, IP-Port mappings) between firewalls using segments. Requires PAN-OS 11.0+.

Simplifies large-scale User-ID deployments, centralizes visibility, and improves VDI scalability.

A firewall/Panorama can publish each data type to only ONE segment but can subscribe to data from up to 100 segments.

[GOTCHA] If using a User-ID Hub firewall with vSys, configure the hub firewall itself as a subscriber in the segment to ensure all vSys receive necessary data.

  1. Onboard the CIE instance (requires the magic link, CSP registration and license claim).
  2. Associate the firewall(s)/Panorama with the CIE instance via Hub > Tenant > Device Associations.
  3. In the CIE app: Go to User Context > Segments > Activate.
  4. Configure the Publishing Segment (use Default or Add New):
    1. Select the segment > Firewalls tab > select the firewalls > Assign Segments.
    2. Data Publishing tab: select the publishing segment for each Data Type (IP User Mappings, IP Tag Mappings, etc.). A device can publish a given data type to only one segment.
    3. Review Changes > Save.
  5. Configure the Subscribing Segment (use Default or Add New):
    1. Add a New Segment if needed (enter Name and Description).
    2. Select the segment > Firewalls tab > assign the firewalls that should *receive* data.
    3. Segments tab: click Add Segment(s) and select the Publishing Segment(s) this segment subscribes to. Add.
    4. Review Changes > Save.
  6. On the Firewall/Panorama, enable the User Context Cloud Service:
    1. Ensure the Device Certificate is configured; the firewall authenticates to the service with it.
    2. Go to Device > Setup > Management > PAN-OS Edge Service Settings > Edit.
    3. Check Enable User Context Cloud Service. OK.
    4. Commit.
  7. Verify:
    1. On the firewall: Device > Setup > Management > PAN-OS Edge Service Settings > Connection Status shows Active.
    2. In the CIE app: Go to User Context > Mappings & Tags and review the received data (User-ID, User Tags, IP Tags, IP-Port User, Host IDs).
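The segment rules above (one publishing segment per data type per device, at most 100 subscriptions, and the hub-with-vsys gotcha) are easy to violate in a large layout, and the UI only tells you after the fact. The following Python script is an added example, not tooling from Palo Alto Networks: it lints a planned segment layout against those rules before anything is saved. The plan format, device and segment names are this script's own constructions, and reading the vsys gotcha as "the hub must subscribe to every segment it publishes into" is an assumption.

```python
"""Lint a planned User Context segment layout before saving it in CIE.

Added example, not tooling from Palo Alto Networks. It encodes the rules
stated above: a firewall or Panorama publishes each data type to at most one
segment, subscribes to at most 100 segments, and a User-ID hub firewall with
multiple vsys must itself subscribe to the segment it publishes into (that
reading of the vsys gotcha is an assumption). Device and segment names and
the plan format are this script's own constructions.
"""
MAX_SUBSCRIPTIONS = 100
DATA_TYPES = ("ip_user", "ip_tag", "user_tag", "quarantine", "ip_port_user")

# Constructed plan: publish is a list of (data_type, segment) pairs,
# subscribe is the set of segments the device receives data from.
SAMPLE_PLAN = {
    "segments": {"default", "campus", "dc"},
    "devices": {
        "fw-campus-1": {"publish": [("ip_user", "campus"), ("ip_tag", "campus")],
                        "subscribe": {"dc"}},
        # Error: ip_user published to two segments.
        "fw-dc-1": {"publish": [("ip_user", "dc"), ("ip_user", "campus"), ("quarantine", "dc")],
                    "subscribe": {"campus"}},
        # Error: hub with vsys publishes to "campus" but does not subscribe to it.
        "fw-hub-1": {"publish": [("ip_user", "campus")], "subscribe": set(),
                     "hub_with_vsys": True},
    },
}


def lint_user_context_plan(plan):
    """Return a list of human-readable problems; an empty list means the plan
    satisfies the publish/subscribe constraints."""
    issues = []
    segments = set(plan["segments"])
    for device, cfg in plan["devices"].items():
        first_segment_for = {}
        for data_type, segment in cfg.get("publish", []):
            if data_type not in DATA_TYPES:
                issues.append("%s: unknown data type %r" % (device, data_type))
            if segment not in segments:
                issues.append("%s: publishes %s to unknown segment %r" % (device, data_type, segment))
            prior = first_segment_for.setdefault(data_type, segment)
            if prior != segment:
                issues.append("%s: publishes %s to both %r and %r; one segment per data type"
                              % (device, data_type, prior, segment))
        subs = set(cfg.get("subscribe", ()))
        for segment in sorted(subs - segments):
            issues.append("%s: subscribes to unknown segment %r" % (device, segment))
        if len(subs) > MAX_SUBSCRIPTIONS:
            issues.append("%s: subscribes to %d segments, limit is %d"
                          % (device, len(subs), MAX_SUBSCRIPTIONS))
        if cfg.get("hub_with_vsys"):
            published = {segment for _, segment in cfg.get("publish", [])}
            for segment in sorted(published - subs):
                issues.append("%s: User-ID hub with vsys must also subscribe to %r "
                              "so every vsys receives the data" % (device, segment))
    return issues


if __name__ == "__main__":
    for problem in lint_user_context_plan(SAMPLE_PLAN):
        print("-", problem)
```

Keep the plan file next to the change ticket: when a firewall stops receiving mappings months later, a linted record of who publishes what to which segment is faster to consult than clicking through every segment's Firewalls tab.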

Manage the Cloud Identity Agent

Includes updating the agent, configuring logs, starting/stopping the connection, and managing certificates.

Configure Cloud Identity Agent Logs

Agent logs events locally. Use for monitoring and troubleshooting. Logs include UTC timestamps. Full history in CloudIdAgentDebug.log on the agent host.

  1. Launch agent controller > File > Debug.
  2. Select the log level (None, Error, Warning, Information, Debug, Verbose). The level determines which events are logged: the selected level and every higher severity.
  3. [GOTCHA] At Information, Warning and Error the agent clears the UI log after writing the entries to the debug file. At Debug and Verbose the data stays on disk until you delete the files, so watch disk usage and drop back to a lower level once troubleshooting is done.

Use Monitoring > Search (case-sensitive) to find specific log entries.

Use Monitoring > Clear Log to clear the UI display (this does not delete the file logs).

Update the Cloud Identity Agent

Using the latest agent version is strongly recommended. CIE app notifies if an update is available.

(Agent v1.7.0+ automatically backs up and restores config during upgrade).

  1. [CRITICAL] Stop the agent service connection first (Controller > Cloud Identity Configuration > Stop).
  2. Uninstall the old agent via Windows Control Panel (Programs and Features).
  3. Download the new agent from the CIE app (Agents & Certificates > Download New Agent).
  4. Install the new agent.

Start or Stop the Connection to the Cloud Identity Engine

Use to temporarily halt communication for maintenance or agent removal.

  1. Launch the agent controller > Cloud Identity Configuration. The status is shown at the bottom left.
  2. Click Start to connect or Stop to disconnect.

Remove the Cloud Identity Agent

[CRITICAL] Agent must be stopped before removal.

  1. Stop the agent service connection.
  2. Uninstall agent from Windows Control Panel.
  3. Log in to CIE app > Select tenant > Agents & Certificates.
  4. Verify agent Status is Offline. Click Remove Agent .

Manage Cloud Identity Engine Certificates

[PCNSA/PCNSE] Agent uses unique certificates for mutual TLS authentication with CIE. View cert details (ID, expiry) in CIE app > Agents & Certificates.

Agent v1.5.0+ auto-renews certificates before expiry.

To manually generate a new certificate, click Get New Certificate.

Revoke Cloud Identity Agent Certificates

Use if a certificate is compromised.

  1. Log in to CIE app > Select tenant > Agents & Certificates.
  2. Click Revoke for the compromised certificate.
  3. Delete the old certificate from the agent host (see next section).
  4. Generate and install a new certificate.

Delete Obsolete Cloud Identity Agent Certificates

[CRITICAL] Must delete the old certificate from the agent host *before* installing a new one to prevent conflicts.

  1. On the agent host, run `mmc.exe`.
  2. File > Add/Remove Snap-in > Certificates > Add.
  3. Select Computer account > Next > Local computer > Finish > OK.
  4. Navigate to Console Root > Certificates (Local Computer) > Personal > Certificates.
  5. Find the old CIE agent certificate. Right-click > Delete. Confirm.
  6. Install the new certificate.

Associate the Cloud Identity Engine with Palo Alto Networks Apps

Required only if using the Support Account View in the Hub. Not needed for Tenant Account View within a single TSG. Allows other PANW apps (like Cortex XDR, Prisma Access) to access CIE directory data.

Associate the Cloud Identity Engine During Activation

  1. Activate the desired PANW cloud app using its Auth Code.
  2. During app activation, enter required details (Instance Name, Region).
  3. From the Cloud Identity Engine dropdown, select the compatible CIE tenant.
  4. Agree and Activate.

Associate the Cloud Identity Engine with an Existing App

  1. Log in to the hub > Settings > Manage Apps.
  2. Find the app row. Click the pencil icon or link under the Cloud Identity Engine column.
  3. Select the desired CIE tenant from the dropdown. Click OK.

Diagrams

Authentication Flow (SAML Example)

sequenceDiagram
    participant User
    participant Firewall
    participant CIE as Cloud Identity Engine
    participant IdP as SAML Identity Provider

    User->>+Firewall: Request Resource (e.g., website)
    Note over Firewall: Auth Policy triggered
    Firewall->>+CIE: Redirect user for authentication (Auth Profile lookup)
    CIE->>+IdP: Redirect user to IdP (based on Auth Profile)
    User->>IdP: Authenticates (enters credentials)
    IdP-->>-User: SAML Assertion (Authentication Success)
    User->>CIE: Presents SAML Assertion
    CIE-->>-Firewall: Authentication successful confirmation
    Firewall-->>-User: Grants access to Resource

On-Premises Directory Sync Flow

graph TD
    A[Cloud Identity Agent] -->|"1. Query (LDAP/S)"| B(On-Prem Directory);
    B -->|"2. Return Attributes"| A;
    A -->|"3. Sync Attributes (TLS)"| C(Cloud Identity Engine);
    C -->|"4. Provide Data"| D[PANW Apps e.g., Prisma Access, Firewall];

Cloud Directory Sync Flow (e.g., Azure AD via API)

graph TD
    subgraph Cloud
        A[Cloud Identity Engine]
        B[Azure Active Directory]
    end
    A -->|"1. API Call (Read Attributes)"| B;
    B -->|"2. Return Attributes"| A;
    A -->|"3. Provide Data"| C[PANW Apps e.g., Prisma Access, Firewall];

User Context Flow (Simplified)

graph TD
    subgraph seg1["Network Segment 1 (Publishing)"]
        FW1[Firewall 1]
        FW2[Firewall 2]
    end
    subgraph seg2["Network Segment 2 (Subscribing)"]
        FW3[Firewall 3]
    end
    subgraph Cloud
        CIE[Cloud Identity Engine - User Context Service]
    end

    FW1 -->|"Publishes IP-User Mappings"| CIE;
    FW2 -->|"Publishes IP-Tag Mappings"| CIE;
    CIE -->|"Distributes Mappings based on Subscription"| FW3;

Cloud Identity Engine Quiz

Answer all questions and click Submit to see your results.