1. Overview

OpenShift users can log into Prisma Cloud Console using OpenShift as an OAuth 2.0 provider.

The OpenShift master includes a built-in OAuth server. You can integrate OpenShift authentication into Prisma Cloud. When users attempt to access Prisma Cloud, which is a protected resource, they are redirected to authenticate with OpenShift. After authenticating successfully, they are redirected back to Prisma Cloud Console with an OAuth token. This token scopes what the user can do in OpenShift. Prisma Cloud only needs the auth token to get the user’s info (e.g. user name, email), and check the Prisma Cloud database to see if this user is authorized. If so, Prisma Cloud creates a JWT token, with a role claim, to complete the authentication process to Console. Roles are assigned based on users and group information specified in Console.

The following diagram shows the login flow when the auth provider is LDAP. With LDAP, users enter their credentials in Prisma Cloud Console, and Prisma authenticates with the LDAP server on the user’s behalf. With all other auth providers, Prisma isn’t part of verifying the user credentials. Instead, Prisma redirects the client to the auth provider for authentication. Once the user successfully authenticates via the authentication provider, the client is redirected back to Prisma Cloud Console with an object (SAML assertion for SAML, JWT token for OIDC, access token for OAuth 2.0) that proves a successful login or, in the OAuth 2.0 case, gives Prisma access to the application to verify the user identity.

[Diagram: OAuth OpenShift login flow]

Prisma Cloud supports the authorization code flow only.

2. Integrate Prisma Cloud with OpenShift

Configure Prisma Cloud so that OpenShift users can log into Prisma Cloud with the same identity.

  1. In OpenShift, register Prisma Cloud as an OAuth client. Set the redirect URL to:

    https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oauth

  2. Log into Prisma Cloud Console.

  3. Go to Manage > Authentication > Identity Providers > OAuth 2.0.

  4. Set Integrate Oauth 2.0 users and groups with Prisma Cloud to Enabled.

  5. Set Identity provider to OpenShift.

  6. Set Client ID to the name of the OAuth client you set up in OpenShift.

  7. Set Client secret to the secret in the OAuth client you set up in OpenShift.

  8. Set Auth URL to https://github.com/login/oauth/authorize.

  9. Set Token URL to https://github.com/login/oauth/access_token.

  10. In User Info API URL, enter the TCP endpoint for the OpenShift API server. For example, https://openshift.default.svc.cluster.local.

  11. Click Save.

3. Prisma Cloud to OpenShift user identity mappings

Create a Prisma Cloud user for every OpenShift user that should have access to Prisma Cloud.

After the user is authenticated, Prisma Cloud uses the access token to query OpenShift for the user’s information (user name, email). The user information returned from OpenShift is compared against the Prisma Cloud Console database to determine if the user is authorized. If so, a JWT token is returned.

  1. Go to Manage > Authentication > Users.

  2. Click Add User.

  3. Set Username to the OpenShift user name.

  4. Set Auth method to OAuth.

  5. Select a role for the user.

  6. Click Save.

  7. Test logging into Prisma Cloud Console.

    1. Log out of Prisma Cloud.

    2. On the login page, select OAuth, and then click Login.

    3. Authorize the Prisma Cloud OAuth App to sign you in.

3.1. Prisma Cloud to OpenShift group mappings

Use groups to streamline how Prisma Cloud roles are assigned to users. When you use groups to assign roles, you don’t have to create individual Prisma Cloud accounts for each user.

A group can be associated with, and authenticated by, more than one identity provider.

  1. Go to Manage > Authentication > Groups.

  2. Click Add Group.

  3. In Name, enter an OpenShift group name.

  4. In Authentication method, select External Providers.

  5. In Authentication Providers, select OAuth group.

  6. Select a role for the members of the group.

  7. Click Save.

  8. Test logging into Prisma Cloud Console.

    1. Log out of Prisma Cloud.

    2. On the login page, select OAuth, and then click Login.

    3. Authorize the Prisma Cloud OAuth App to sign you in.
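The authorization step that sections 3 and 3.1 configure, as an added example that is not Prisma Cloud's own code: once the access token has been used to fetch the user's info from OpenShift, look the user up in the Console user table, fall back to any OpenShift group registered with the OAuth provider, and only then mint a JWT carrying the role claim. The in-memory tables, the `groups` field on the user info, and HS256 signing with a Console secret are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for the Console user and group tables (not Prisma Cloud's schema).
USERS = {"alice": {"auth_method": "oauth", "role": "admin"}}
GROUPS = {"platform-ops": {"auth_provider": "oauth", "role": "operator"}}

def resolve_role(identity):
    """Map the identity OpenShift returned for the access token to a Console role:
    a user entry with auth method OAuth wins, then the first OpenShift group registered
    with the OAuth provider, else None (deny). 'groups' is an assumed user-info field."""
    user = USERS.get(identity["username"])
    if user and user["auth_method"] == "oauth":
        return user["role"]
    for group in identity.get("groups", []):
        entry = GROUPS.get(group)
        if entry and entry["auth_provider"] == "oauth":
            return entry["role"]
    return None

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_jwt(identity, secret, now=None):
    """Complete the login: refuse unknown identities, else mint an HS256 JWT with a role claim."""
    role = resolve_role(identity)
    if role is None:
        raise PermissionError("%s is not authorized for Console" % identity["username"])
    now = int(time.time()) if now is None else now
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    claims = json.dumps({"sub": identity["username"], "role": role,
                         "iat": now, "exp": now + 3600}, separators=(",", ":"))
    signing_input = _b64url(header.encode()) + "." + _b64url(claims.encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token, secret):
    """Check the signature before trusting the role claim; return the claims."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, (head + "." + body).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("JWT signature mismatch")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
```

A user with no matching user entry and no registered OAuth group is refused before any token is issued, which is the check the mappings in sections 3 and 3.1 feed.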