Cloud Identity Engine Release Notes


August 2023

docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2017-2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at
www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be
trademarks of their respective companies.

Last Revised
August 17, 2023

Cloud Identity Engine Release Notes August 2023 2 ©2023 Palo Alto Networks, Inc.
Table of Contents
Welcome to the Cloud Identity Engine
Cloud Identity Engine System Requirements
New Features Introduced in August 2023
New Features Introduced in July 2023
New Features Introduced in June 2023
New Features Introduced in May 2023
New Features Introduced in April 2023
New Features Introduced in January 2023
New Features Introduced in November 2022
New Features Introduced in October 2022
New Features Introduced in June 2022
New Features Introduced in May 2022
New Features Introduced in April 2022
New Features Introduced for the Cloud Identity Agent
Cloud Identity Engine Known and Addressed Issues

Get Help
Related Documentation
Request Support

Welcome to the Cloud Identity Engine
To provide user, group, device, organizational unit, and container information for policy or event
context, Palo Alto Networks cloud-based applications and services may need to access directory
information. The Cloud Identity Engine collects attributes from your directory and stores them in
a secure, cloud-based infrastructure that allows your Palo Alto Networks cloud-based applications
and services to access the directory information.
When you configure an authentication type (either a client certificate or a SAML 2.0-based
identity provider) in the Cloud Identity Engine, you can configure the Palo Alto Networks
firewall to use that authentication type for user authentication in an Authentication policy rule.
Configuring both user identification and user authentication using the Cloud Identity Engine
provides a single-source identity solution that can adapt as your security needs change.


Cloud Identity Engine System Requirements


Cloud Identity Agent Host System Requirements

You must disable SSL decryption on the firewall for traffic to or from the agent host.

• Windows Server 2012, 2012 R2, 2016, 2019, or 2022.
• 10 GB or more of hard drive space (or space equivalent to the amount of data fetched from the
Active Directory).
• 8 GB or more of RAM.
• Administrator privileges to install the agent, configure it, and import the certificate you
generate in the Cloud Identity Engine app.
• A service account with permissions to execute LDAP queries against the domains where you
want to collect attributes.
• Access to OCSP on port 80 for server certificate verification.
• Network connectivity to the domain controller and the Cloud Identity Engine app.
• TLS 1.2 to allow traffic from the agent host to the Cloud Identity Engine app.
• The required cipher suites for the agent.
• Access to the following TCP ports from the agent host:

| Destination Port | Protocol | Description |
|---|---|---|
| 80 | TCP | Port the agent uses for server certificate verification. |
| 443 | SSL | Default port the agent uses to connect to the Cloud Identity Engine. |
| 636 | LDAPS | Port the agent uses when you select LDAPS as the secure protocol for communication between the agent and your directory. |
| 389 | LDAP or LDAP with STARTTLS | Port the agent uses when you select LDAP or LDAP with STARTTLS for communication between the agent and your directory. If you use LDAP without Start TLS, communication between the agent and the directory isn’t encrypted. |

When you configure the Active Directory in the Cloud Identity agent, don’t configure
the agent to use the Global Catalog port (3268 for LDAP or 3269 for LDAPS).

If you’re also using the Terminal Server (TS) agent, we recommend that you don’t install
the Cloud Identity agent on the same host as the TS agent. If you must install both
agents on the same host, you must change the default listening port on the TS agent.

Smart Card Requirements


The Cloud Identity Engine, when integrated with GlobalProtect, supports certificate-based
two-factor authentication using smart cards that meet the following requirements:
• Windows 10 or later versions
• Mac OS X or later versions
• Firefox, Chrome, or Safari

If you aren’t using a smart card, you must import the certificate to the system level for
certificate-based authentication.

Supported Directories
The Cloud Identity Engine supports the following directory types:
• On-premises directories (Microsoft Active Directory and OpenLDAP)
• Microsoft Azure Active Directory
• Okta Directory
• Google Cloud Identity

On-Premises Directory System Requirements

Verify that you have enabled TLS 1.1 or TLS 1.2. Directory Sync Service requires one of
these protocols, which are disabled by default on Windows Server 2012. We strongly
recommend using TLS 1.3. If you’re using Windows Server 2012, install the required
update to enable TLS 1.1 or TLS 1.2.

An on-premises Windows server running Active Directory or OpenLDAP. Use one of the
following:
• Windows Server 2022
• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2016
• Windows Server 2019

If you select a secure LDAP protocol for the communication between the agent and the
directory, verify that protocol is enabled on your directory. For more information, refer to
Microsoft support.

Azure Active Directory System Requirements


Administrator privileges to the Azure Active Directory to grant the following permissions for the
Cloud Identity Engine:
• Read your organization’s directory data.
• Maintain access to the directory data.
• View user email addresses.
• Sign users in to see basic user profile information.
For more information on requirements for Azure Active Directory, refer to the Cloud Identity
Engine Getting Started guide.

Okta Directory System Requirements


Read-Only Administrator privileges to the Okta Directory to grant the following permissions for
the Cloud Identity Engine:
• Allow the app to manage authorization servers.
• Allow the app to read information about groups and their members in your Okta organization.
• Allow the app to read information about System Log entries in your Okta organization.
• Allow the app to read any user's profile and credential information.
• Allow the app to read the currently signed-in user's profile and credential information.
For more information on requirements for Okta directory, refer to the Cloud Identity Engine
Getting Started guide.

Google Cloud Identity


Administrator privileges to Google Cloud Identity to grant the following permissions for the Cloud
Identity Engine:

• Admin console privileges
  • Organizational Units > Read
  • Users > Read
  • Groups
  • Services > Mobile Device Management > Manage Devices and Settings
  • Services > Chrome Management > Settings > Manage Chrome OS > Devices > Manage Chrome OS Devices (read only)
  • Domain Settings
• Admin API privileges
  • Organization Units > Read
  • Users > Read
  • Groups
  • Groups > Create
  • Groups > Read
  • Groups > Update
  • Groups > Delete
  • Billing Management > Billing Read
  • Domain Management
For more information on requirements for Google Cloud Identity, refer to the Cloud Identity
Engine Getting Started guide.

Cloud Identity Engine App System Requirements


Access to the Cloud Identity Engine app requires the following:
• A supported browser, such as Google Chrome (see Hub Browser Support for a list of supported
browsers).
• Access to the hub with an App Administrator role.

Regional Data Storage Requirements


The Cloud Identity Engine stores your directory data in a secure cloud-based infrastructure. The
Cloud Identity Engine is hosted on Google Cloud Platform and data is stored in MongoDB Atlas in
the region you select. You can select one of the following regions for each Cloud Identity Engine
instance:
• United States (US)
• European Union (EU)
• United Kingdom (UK)
• Singapore (SG)
• Canada (CA)
• Japan (JP)
• Australia (AU)
• Germany (DE)
• United States - Government
• India (IN)
• Switzerland (CH)
• Spain (ES)
• Italy (IT)
• France (FR)
• China (CN)
• Poland (PL)
• Qatar (QA)
• Taiwan (TW)
If you authorize an application in a region other than the region of your Cloud Identity Engine
instance, the Cloud Identity Engine transfers the directory data that the application needs to that
region. For example, if you authorize an application running outside the EU, that application can
access Cloud Identity Engine data stored in the EU. You can associate some applications, such as
Cortex XDR, only with a Cloud Identity Engine instance in the same region as the application. To
check the status of the Cloud Identity Engine, refer to https://status.paloaltonetworks.com.


New Features Introduced in August 2023


The following table provides a snapshot of new features introduced for the Cloud Identity Engine
app in August 2023. Refer to the Cloud Identity Engine documentation for more information on
how to use the Cloud Identity Engine.

| Feature | Description |
|---|---|
| Logical Operator Enhancement for Attribute-Based Cloud Dynamic User Groups | You can now use logical operators with attribute-based Cloud Dynamic User Groups to define logic-based conditions for Cloud Dynamic User Groups. This allows you to create even more adaptable and detailed groups to quickly adapt to user access needs. |


New Features Introduced in July 2023


The following table provides a snapshot of new features introduced for the Cloud Identity Engine
app in July 2023. Refer to the Cloud Identity Engine documentation for more information on how
to use the Cloud Identity Engine.

| Feature | Description |
|---|---|
| Support for Qatar (QA) and Taiwan (TW) Regions | The Cloud Identity Engine now supports instances in the Qatar (QA) and Taiwan (TW) regions for customers who must store the data synced from their directories in either of these regions to comply with data regulation requirements. For more information on how to configure these regions, refer to Regional Data Storage Requirements in the Cloud Identity Engine System Requirements. If you're using a Cloud Identity agent, refer to Configure the Cloud Identity Agent. If you use the Cloud Identity Engine for authentication, refer to Configure the Cloud Identity Engine in an Authentication Profile. |


New Features Introduced in June 2023


The following table provides a snapshot of new features introduced for the Cloud Identity Engine
app in June 2023. Refer to the Cloud Identity Engine documentation for more information on how
to use the Cloud Identity Engine.

| Feature | Description |
|---|---|
| Directory Details Enhancements | When you view Directory Details, you can now: query the data to search for detailed information; view data as nested or direct; paginate the detailed data. |
| View Enterprise Application Data | When you configure an Azure Active Directory or an Okta directory, you can now collect enterprise application data so that it displays when you View Directory Data. |
| View Only administrator role | You can now configure an administrator role that has view-only privileges for Cloud Identity Engine data. This new role allows users to view all data available for the current tenant in the Cloud Identity Engine, including detailed data for Active Directory. |
| Support for the Cloud Identity Engine SCIM Connector in the Okta Integration Network | The Cloud Identity Engine SCIM Connector is now available as an application in the Okta Integration Network. If you're using the SCIM Connector with your Okta directory, Palo Alto Networks strongly recommends using the gallery app as an alternative to the custom app. |
| Risk attribute support in Cloud Dynamic User Groups | Cloud Dynamic User Groups now support groups based on anomalous user behavior attributes detected by Microsoft Active Directory Identity Protection. This allows you to create groups where membership is based on attributes such as risk level (high, medium, and low) and the type of risky activity (such as an unusual login location). By applying the assessments of your user's behavior in your Cloud Dynamic User Groups, you can strengthen your Security policy by creating groups that automatically respond to changing user needs and activity. |


New Features Introduced in May 2023


The following table provides a snapshot of new features introduced for the Cloud Identity Engine
app in May 2023. Refer to the Cloud Identity Engine documentation for more information on how
to use the Cloud Identity Engine.

| Feature | Description |
|---|---|
| Cloud Dynamic User Groups | Cloud Dynamic User Groups allow you to create flexible groups that can quickly adapt their membership to match attribute changes that you define. You can even combine attributes to further refine the group membership, making creation of user-based rules even more granular and extensible. Cloud Dynamic User Groups also allow you to instantly assign users to On Demand groups, which are custom static groups where the group membership remains the same until you manually make changes. |
| SCIM Connector for Okta | Configuring the System for Cross-Domain Identity Management (SCIM) protocol for Directory Sync in the Cloud Identity Engine allows you to customize which attributes and groups Directory Sync collects from your Okta Directory server. You can specify the attributes that you want to share with the Cloud Identity Engine by adding or removing the attributes in the Okta Directory management console. |
| Support for China (CN) and Poland (PL) Regions | The Cloud Identity Engine now supports instances in the China (CN) and Poland (PL) regions for customers who must store the data synced from their directories in either of these regions to comply with data regulation requirements. For more information on how to configure these regions, refer to Regional Data Storage Requirements in the Cloud Identity Engine System Requirements. If you're using a Cloud Identity agent, refer to Configure the Cloud Identity Agent. If you use the Cloud Identity Engine for authentication, refer to Configure the Cloud Identity Engine in an Authentication Profile. |


New Features Introduced in April 2023


The following table provides a snapshot of new features introduced for the Cloud Identity Engine
app in April 2023. Refer to the Cloud Identity Engine documentation for more information on how
to use the Cloud Identity Engine.

| Feature | Description |
|---|---|
| Force Authentication | The Cloud Identity Engine now supports the capability to require users to authenticate using their credentials to reconnect to GlobalProtect, even if the SAML authentication token is still valid. The Force Authentication option helps provide the ability to meet strict security requirements to ensure that your users are in compliance with your security policy requirements for your SAML 2.0-based identity provider (IdP), and to prevent outdated credentials from being used to access resources. In this release, the Cloud Identity Engine supports Force Authentication for Okta, Azure Active Directory, and PingOne. For more information, refer to Configure a SAML 2.0 Authentication Type in the Cloud Identity Engine Getting Started guide. |


New Features Introduced in January 2023


The following table provides a snapshot of new features introduced for the Cloud Identity Engine
app in January 2023. Refer to the Cloud Identity Engine documentation for more information on
how to use the Cloud Identity Engine.

| Feature | Description |
|---|---|
| Support for France (FR) Region | The Cloud Identity Engine now supports instances in the France (FR) region for customers who must store the data synced from their directories in this region to comply with data regulation requirements. For more information on how to configure this region, refer to Regional Data Storage Requirements in the Cloud Identity Engine System Requirements. If you are using a Cloud Identity agent, refer to Configure the Cloud Identity Agent. If you use the Cloud Identity Engine for authentication, refer to Configure the Cloud Identity Engine in an Authentication Profile. |


New Features Introduced in November 2022


The following table provides a snapshot of new features introduced for the Cloud Identity Engine
app in November 2022. Refer to the Cloud Identity Engine documentation for more information
on how to use the Cloud Identity Engine.

| Feature | Description |
|---|---|
| Support for Spain (ES) and Italy (IT) Regions | The Cloud Identity Engine now supports instances in the Spain (ES) and Italy (IT) regions for customers who must store the data synced from their directories in either of these regions to comply with data regulation requirements. For more information on how to configure these regions, refer to Regional Data Storage Requirements in the Cloud Identity Engine System Requirements. If you are using a Cloud Identity agent, refer to Configure the Cloud Identity Agent. If you use the Cloud Identity Engine for authentication, refer to Configure the Cloud Identity Engine in an Authentication Profile. |
| User Context | User Context for the Cloud Identity Engine provides unparalleled visibility into your user identification and device information (such as tags, quarantine lists, and mappings, which now includes IP-address-to-port number mappings from Terminal Server agents) and provides a simple yet precise way to redistribute that information to other firewalls and devices within your network through segmentation (for example, by region or use case). By enabling the service on your firewall and defining information distribution for your network segments in the Cloud Identity Engine, you can quickly locate critical information and ensure consistent user-based policy enforcement across your network. User Context represents the next expansion of User-ID in a unified interface on the Cloud Identity Engine and presents actionable user identity information at a glance. |
| Monitor Cloud Identity Engine Status | You can now monitor the status of the Cloud Identity Engine on the firewall associated with the Cloud Identity Engine tenant. For example, if a required certificate for the Cloud Identity Engine expires or a profile is unavailable, the firewall displays a message in the system logs. For more information, refer to Monitor Cloud Identity Engine Status in the Cloud Identity Engine Getting Started guide. |
| Support for Switzerland (CH) Region | The Cloud Identity Engine now supports instances in the Switzerland (CH) region for customers who must store the data synced from their directories in this region to comply with data regulation requirements. For more information on how to configure this region, refer to Regional Data Storage Requirements in the Cloud Identity Engine System Requirements. If you are using a Cloud Identity agent, refer to Configure the Cloud Identity Agent. If you use the Cloud Identity Engine for authentication, refer to Configure the Cloud Identity Engine in an Authentication Profile. |


New Features Introduced in October 2022


The following table provides a snapshot of new features introduced for the Cloud Identity Engine
app in October 2022. Refer to the Cloud Identity Engine documentation for more information on
how to use the Cloud Identity Engine.

| Feature | Description |
|---|---|
| SCIM Connector for PingFederate | Configuring the System for Cross-Domain Identity Management (SCIM) protocol for Directory Sync in the Cloud Identity Engine allows you to customize which attributes and groups Directory Sync collects from your PingFederate server. You can specify the attributes that you want to share with the Cloud Identity Engine for user and group identification by adding or removing the attributes in the PingFederate management console. |


New Features Introduced in June 2022


The following table provides a snapshot of new features introduced for the Cloud Identity Engine
app in June 2022. Refer to the Cloud Identity Engine documentation for more information on how
to use the Cloud Identity Engine.

| Feature | Description |
|---|---|
| Client credential authentication for Azure Active Directory | Using a service account for the Cloud Identity Engine app is strongly recommended, as this is a more secure method for directory access and does not require the account to be associated with a specific user. When you grant just two read-only permissions for the Cloud Identity Engine to your Azure AD, the Client Credential Flow option for Azure AD in the Cloud Identity Engine allows you to configure a service account for your Azure AD in the Cloud Identity Engine app. |
| Changes for directory attributes | The June 2022 release for the Cloud Identity Engine includes the following directory attribute changes: for on-premises Active Directory, the Cloud Identity Engine now supports the Admin Count (adminCount) attribute for Users, Groups, and Computers; for Google Directory, the Location attribute is now locations.area. Refer to the Cloud Identity Engine documentation for more information about the attributes that the Cloud Identity Engine collects. |


New Features Introduced in May 2022


The following table provides a snapshot of new features introduced for the Cloud Identity Engine
app in May 2022. Refer to the Cloud Identity Engine documentation for more information on how
to use the Cloud Identity Engine.

| Feature | Description |
|---|---|
| New search options for directory data | When searching directory data, you can now filter your search results by searching for the complete search term only or include partial matches for the search term as well. Learn more about how to search and View Directory Data. |


New Features Introduced in April 2022


The following table provides a snapshot of new features introduced for the Cloud Identity Engine
app in April 2022. Refer to the Cloud Identity Engine documentation for more information on how
to use the Cloud Identity Engine.

| Feature | Description |
|---|---|
| SCIM Connector for Azure Active Directory | Configuring the System for Cross-Domain Identity Management (SCIM) protocol for Directory Sync in the Cloud Identity Engine allows you to customize which attributes and groups Directory Sync collects from your Azure Active Directory (Azure AD). You can specify the attributes that you want to share with the Cloud Identity Engine for user and group identification by adding or removing the attributes in the Azure Portal. |
| Multiple Authentication Mode | To simplify the process of identifying and authenticating users, the Cloud Identity Engine now supports certificate-based authentication in addition to multiple SAML 2.0-based identity providers in a single authentication profile. It now also supports group-based authentication so that you can specify different authentication types for particular groups or directories. This helps ensure that users experience a smooth login process regardless of the method they use to authenticate and makes it easier to deploy identity-based security policy. |


New Features Introduced for the Cloud Identity Agent


The following table provides a list of new features introduced for the Cloud Identity agent. Refer
to the Cloud Identity Engine documentation for more information on how to use the Cloud
Identity Engine.

The Directory Sync agent has been rebranded as the Cloud Identity agent to integrate
with the Cloud Identity Engine.

| Feature | Description | Introduced In Agent Version |
|---|---|---|
| Cloud Identity agent support for Windows Server 2022 | The Cloud Identity agent now supports Windows Server 2022 as an agent host. For more information on how to install the Cloud Identity agent, refer to the Cloud Identity Engine Getting Started guide. | 1.8.1 |
| Base DN Requirement for OpenLDAP directory servers | The Cloud Identity agent now requires the base Distinguished Name (Base DN) for OpenLDAP directory servers to ensure successful directory search completion. | 1.8.1 |
| Agent support for on-premises OpenLDAP-based directory servers | The Cloud Identity agent now supports retrieval of directory attributes from on-premises OpenLDAP-based directory servers. For more information on how to configure the Cloud Identity agent to provide directory attributes to Prisma Access and other Palo Alto Networks apps, refer to the Cloud Identity Engine Getting Started guide. | 1.8.0 |
| Agent support for proxy connection | Many network configurations use a web proxy to secure internet-bound traffic. To provide support for this type of network configuration, the Cloud Identity agent now allows you to configure a proxy server IP address and port. This new capability allows you to use the Cloud Identity agent to collect attributes from an on-premises Active Directory through an explicit proxy connection. | 1.7.1 |
| Automatic Restart for Unexpected Shutdown | The behavior of the agent has been modified so that if the agent stops working unexpectedly, the agent restarts automatically. This behavior does not occur if the agent is stopped or closed manually. | 1.7.0 |
| Improved Handling for Lost Connections | The behavior of the agent has been modified so that if the agent becomes unresponsive during a sync (for example, if a connection drops), the agent recovers gracefully. | 1.7.0 |
| Improved Logging for Errors and Query Messages | The agent now logs the ldap_search commands that the Active Directory receives and provides more detailed error messages for improved troubleshooting. | 1.7.0 |
| NetBIOS Validation During Connectivity Test | The agent now validates the NetBIOS name based on the domain you configure when you check connectivity with the Active Directory. | 1.7.0 |
| TLS Security Enhancement | To strengthen the security of the Cloud Identity agent, the agent now uses the highest TLS version available on the host by default. | 1.7.0 |


Cloud Identity Engine Known and Addressed Issues


There are no known or addressed issues for the current release of the Cloud Identity Engine.
For current lists of known and addressed issues, which may include issues related to the Cloud
Identity Engine, refer to the following documentation:
• PAN-OS 11.0 release notes
• GlobalProtect release notes
• Prisma Access (Panorama Managed) release notes
• Prisma Access (Cloud Managed) release notes

Get Help
The following topics provide information on where to find more about this release and how to
request support:
• Related Documentation
• Request Support


Related Documentation
For more detailed information on how to use the new Cloud Identity Engine features, refer to the
following Cloud Identity Engine documentation. For help with other Palo Alto Networks cloud
services or products, refer to the following documentation on the Technical Documentation portal
or search the documentation for more information on our products:
• Cloud Identity Engine Getting Started Guide—Walks you through the process of setting up the
Cloud Identity agent to obtain attributes from your Active Directory and configuring the Cloud
Identity Engine to communicate with the agent.
• Cloud Identity Agent Help—Provides guidance on the user interface for the Cloud Identity
agent.
• Cortex Documentation—Learn how to extend the next-generation security platform into the
cloud for simplified deployment and reduced infrastructure and operational overhead.
• Hub Getting Started Guide—Read the Getting Started Guide to learn how to use the hub to
activate and access your Cortex apps and services.


Request Support
For contacting support, for information on support programs, to manage your account or devices,
or to open a support case, refer to https://support.paloaltonetworks.com.
You can also use the Palo Alto Networks® Contact Information as needed.
To provide feedback on the documentation, please write to us at:
documentation@paloaltonetworks.com.
