The Cloud Identity Engine consists of two components: Directory Sync, which provides user information, and the Cloud Authentication Service, which authenticates users. For a more comprehensive identity solution, Palo Alto Networks recommends using both components, but you can configure the components independently.
The Cloud Authentication Service uses a cloud-based service to provide user authentication using SAML 2.0-based Identity Providers (IdPs). When the user attempts to authenticate, the authentication request is redirected to the Cloud Authentication Service, which redirects the request to the IdP. After the IdP authenticates the user, the firewall maps the user and applies the security policy. By using a cloud-based solution, you can reallocate the resources required for authentication from the firewall or Panorama to the cloud. The Cloud Authentication Service also allows you to configure the authentication source once instead of for each authentication method you use (for example, Authentication Portal or administrator authentication).
Learn more here.