Cloud Identity Engine Discussions
Cloud Identity Engine is the industry's first cloud-native identity synchronization and authentication service providing a single, secure user identity across Palo Alto Networks' on-prem and cloud product lines.

Discussions

Welcome to the Cloud Identity Engine Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not.

Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 2692 Views
  • 0 replies
  • 0 Likes

What is source of SSO and how to stop it

Domain-joined PC, ADFS in environment, Hybrid Azure AD setup, Authentication policy on Palo set up to use CIE (Cloud Identity Engine) with identities synced from Azure AD and On-Prem AD. Whenever I am clearing user IP mapping from the cache and try to test, I can see that authentication policy gets hit as captive portal redirect happens. But it d...

raji_toor by L4 Transporter
  • 3451 Views
  • 1 replies
  • 0 Likes

CIE queries

Trying to set up and test Cloud Identity Engine. CIE is only synced with Azure AD right now. On-prem AD is not yet set up to sync to CIE. Source user allowed in policy is user@abc.com. Why does the log show abc\user? Since identities are synced to Azure AD from On-Prem (Hybrid AD environment), do we still need to sync On-Prem AD to CIE? Wh...

raji_toor by L4 Transporter
  • 3852 Views
  • 0 replies
  • 0 Likes

Failed to save "PhoNATt". - NAT extension cannot be enabled for the device having support for nat policy.

We have an ION 2K device and are unable to enable the NAT policies on this device after upgrading it to 5.4.13 ION version. Getting the following error. I am not sure how to enable it, but there might be an issue with stack configuration, as right now it is the default stack NAT configuration. Please advise on this issue and how to fix it. tha...

Free Cloud Identity Engine (CIE) training!

At Palo Alto Beacon there is a great learning course called "Identity at Palo Alto Networks" for this that can be checked: https://beacon.paloaltonetworks.com/student/catalog. The Live Community YouTube channel also has some useful stuff: https://www.youtube.com/watch?v=k3izt2j33jI&t=635s

Administrator CLI access via Cloud Identity Engine

Hi Experts, “Administrators can use SAML to authenticate to the firewall or Panorama web interface but not to the CLI”, as mentioned in the PAN-OS administrator documentation. Can we use the Cloud Identity Engine instead to authenticate administrators to the CLI? So that we connect via SAML to the CIE, and we use CIE in an authentication profi...

TVanBeek by L0 Member
  • 3068 Views
  • 0 replies
  • 2 Likes

Why should customers use Cloud Identity Engine and User-ID on the firewall for identity-based security?

Cloud IAM vendors are meant for identities (managing users and groups), but they do not enforce security policies on these identities as they are not a firewall. With PANW, our customers can authenticate using groups/users in these Cloud IdPs and enforce identity-based security policies (URL Filtering, Cred Phishing, etc.). Customers can achieve ...

blevin by L2 Linker
  • 3635 Views
  • 0 replies
  • 0 Likes

How is the Cloud Identity Engine different from other IAM vendors (e.g., Okta or Ping or Azure AD)?

Cloud Identity Engine is a broker service and not IAM. It collects user and group information from multiple IAM vendors, like Okta, Ping, and similar platforms, making the info uniformly available across all firewalls. Customers will continue to leverage their IAM providers; however, they no longer need to connect every IAM with every firewall. C...

blevin by L2 Linker
  • 3749 Views
  • 0 replies
  • 0 Likes
  • 39 Posts
  • 49 Subscriptions