Cloud Identity Engine Discussions
Cloud Identity Engine is the industry's first cloud-native identity synchronization and authentication service providing a single, secure user identity across Palo Alto Networks' on-prem and cloud product lines.

Discussions

Welcome to the Cloud Identity Engine Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

  • Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not.
  • Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 2706 Views
  • 0 replies
  • 0 Likes

cloud identity engine and Entra ID certificate warning

Dear community! We use Cloud Identity Engine (CIE) to authenticate users with Microsoft Entra as IdP. We have renewed the Entra SAML certificate, imported the new metadata to Cloud Identity Engine, and now the Identity Engine displays a blue info message stating: "The service provider (SP) certificate for the Cloud Identity Engine has been renewed. T...

Carracido by L4 Transporter
  • 645 Views
  • 0 replies
  • 0 Likes

Cloud Identity Engine for On-Premises Global Protect

Has anyone used the Cloud Identity Engine for authentication for an on-prem Global Protect portal/gateway? I'm experimenting with the CIE. It works great for admin login to the GUI, but I'm trying to set it up as an auth source for GP. It is working just fine on the portal for web browser auth (i.e. to download the agent), but I'm getting authent...

OwenFuller by L4 Transporter
  • 24039 Views
  • 12 replies
  • 3 Likes

Using more than one CIE Agent

We installed the CIE Agent to send AD info to CIE. I recently discovered another team had deployed the Agent on another server, for the same domain. We *think* it is about this time we started not seeing group information in our XDR Assets and other user info. Should we have two CIE agents installed to access the same domain?

CIE agent not connecting to AD servers

We have installed the CIE agent on a Windows Server 2022 Standard. We have configured it with all the necessary information. Certificate installed from CIE cloud. The agent connects to CIE in the cloud. It is not connecting to the AD servers. We have verified the configuration for the bind and password and domain. When perform the test configuration...

Globalprotect login stuck in "Connecting" phase after successful authentication via Azure AD - CIE NOT USING COOKIE Solution

Cookie solution will not be best practice very soon with the advancements of AI. Need a solution using the individual device certificate and user certs or other recommendations. We are trying to harden our GP environment with at least TLS3 at a minimum. GOAL is FIDO2 and MFA3 and not using Prisma Access gateway and browser. (government Zero bas...

do CIE mappings timeout?

Dear community! Does someone know if the user-group mappings learned from the CIE time out if, for instance, the cloud becomes unavailable? If there's a timeout that refreshes the mappings, what could be a backup for these outage situations, having the user-id group mappings pointing to the local AD? Many thanks in advance.

Carracido by L4 Transporter
  • 4393 Views
  • 1 replies
  • 0 Likes

trigger google directory full sync by API call or webhook?

Is there any way to trigger a full sync of a Google directory in CIE without a web browser? My user deprovisioning is mostly automated (scripted) except for opening a web browser to go into CIE to do a full sync, somewhere between disabling the user in Google and making an XML API call to the firewall to request user-id refresh cloud-identity-...

Jon678 by L0 Member
  • 5902 Views
  • 2 replies
  • 0 Likes

Redistribute group mappings?

Hi all, my CIE has all group information populated and I have Panorama and 3 firewalls. Can I integrate Panorama with CIE to pull down the group mapping information from CIE and then Panorama share/redistribute these group mappings with the 3 firewalls? Or do I need to configure Panorama and all 3 firewalls to pull this information from CIE dire...

CIE and Panorama in different CSPs?

Hey there, scenario is CIE is in one Palo CSP and Panorama is in a different Palo CSP (the reason why is they are managed by different companies). Should Panorama be able to pull group mappings that exist in CIE, even though the two are in different CSPs? Thanks DJ

CIE Azure AD/Entra AD guest upn match Global Protect login user

I am trying to see how I can get the Cloud Identity Engine to match Global Protect SSO (also from Azure AD/Entra) UPN for the user. I have a sister company that I have invited certain users in from as external guests and added them to AAD groups, which are assigned to allow them to connect to the AAD enterprise app for SAML SSO. But CIE will return diffe...

  • 39 Posts
  • 49 Subscriptions