Cloud IAM vendors are meant for Identities (managing users and groups), but they do not enforce security policies on these identities as they are not a firewall. With PANW, our customers can authenticate using groups/users in these Cloud IdPs and enforce identity-based security policies (URL Filtering, Cred Phishing, etc.) Customers can achieve the same outcomes if they use Okta with PANW firewalls or Okta with Fortinet firewalls; however, a cloud-offered service like Cloud Identity Engine keeps users and group information in sync with the cloud IdP and onprem Idps providers to PANW firewall products. This way, the user information is dynamically updated at all times.
... View more
Cloud Identity Engine is a broker service and not IAM. It collects user and group information from multiple IAM vendors—like Okta Ping, and similar platforms—making the info uniformly available across all firewalls. Customers will continue to leverage their IAM providers; however, they no longer need to connect every IAM with every firewall.
Cloud IAM tools (like OKTA, Ping, Azure AD, etc.) are meant for identities—i.e. for maintaining users and user group information. But they are not firewall companies, and so cannot and do not enforce security policies. With Palo Alto Networks, customers can authenticate users using groups/users in these Cloud IdPs and enforce identity-based security policies—such as Credential Phishing—along with our URL Filtering subscription.
A cloud-offered service like Cloud Identity Engine keeps users and group information in sync with the Cloud IdP and On-prem Idps to PANW firewall at all times. By dynamically updating user information, complexity and operational burden are greatly reduced.
... View more
The Cloud Identity Engine consists of two components: Directory Sync, which provides user information, and the Cloud Authentication Service, which authenticates users. For a more comprehensive identity solution, Palo Alto Networks recommends using both components, but you can configure the components independently.
The Cloud Authentication Service uses a cloud-based service to provide user authentication using SAML 2.0-based Identity Providers (IdPs). When the user attempts to authenticate, the authentication request is redirected to the Cloud Authentication Service, which redirects the request to the IdP. After the IdP authenticates the user, the firewall maps the user and applies the security policy. By using a cloud-based solution, you can reallocate the resources required for authentication from the firewall or Panorama to the cloud. The Cloud Authentication Service also allows you to configure the authentication source once instead of for each authentication method you use (for example, Authentication Portal or administrator authentication).
Learn more here.
... View more