1. Overview

Prisma Cloud Console supports multiple authentication methods. Check with your administrator to see how sign-in has been implemented for your organization, then choose the appropriate method from the drop-down list.

login

The options are:

  • Local/ LDAP — Users are evaluated against Console’s database before the LDAP database. By default, initial admin users are created in Console’s local database, so choose this option when you’re logging in with your first user. If you integrate with a central identity provider, you can always delete the initial admin user, so that all users authenticate in compliance with your organization’s policy (e.g., 2FA).

    If the same username exists in both databases, it’s not possible to login with the LDAP user.

  • SAML — Security Assertion Markup Language (SAML) is an open standard that enables single sign-on. Prisma Cloud supports all standard SAML 2.0 providers.

  • OAuth — Prisma Cloud currently supports GitHub and OpenShift for OAuth login. For the OAuth login flow, Prisma Cloud gets permission from the user to query their information (username and email) from GitHub or OpenShift, and then checks the local database to determine if the user is authorized to access Prisma Cloud Console. If so, Prisma Cloud issues a token to the user to access Console.

  • OpenID Connect — OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. Prisma Cloud supports all standard OpenID Connect providers.

2. Login flow

If you integrate Prisma Cloud with an identity provider (IdP), the user’s identity is verified by the IdP, and the role is mapped in Prisma Cloud Console.

If you don’t want to integrate with an IdP, Prisma Cloud lets you create "local" users and groups, where the Console itself both authenticates and authorizes users.

login flow

3. Direct login URL

Direct login URLs are supported for SAML, OAuth and OIDC. When you use the direct login URL, the client doesn’t need the extra step of selecting an auth provider from the Prisma Cloud login page.

Set type in the direct login URL:

https://<CONSOLE>:<PORT>/api/v1/authenticate/identity-redirect-url?type=<oauth/oidc/saml>&redirect=true