1. Overview

OpenID Connect is a standard that extends OAuth 2.0 to add an identity layer. Prisma Cloud supports integration with any standard OpenID Connect (OIDC) provider that implements both OpenID Connect Core and OpenID Connect Discovery. Instructions for integrating with PingOne and Okta are shown here.

Prisma Cloud supports the authorization code flow only.

2. PingOne

Integrate with PingOne.

You need to configure Compute as an OIDC app. When configuring your app:

  • The Start SSO URL must point to https://<CONSOLE>:<PORT>/callback.

  • The Redirect URI must point to https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oidc.

  • UserInfo must include sub, idpid, name.

  • All of the following scopes must be included for OpenID: OpenID Connect (openid), OpenID profile, OpenID Email, OpenID address, OpenID Phone, Groups.
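The requirements above (the callback URI, the scope list, and the UserInfo claims) are what Console needs in order to act as the relying party in the authorization code flow that section 1 says is the only supported flow. The following Python is an added worked example, not Prisma Cloud's code, of the three relying-party steps: building the authorization request, checking the redirect that returns to the callback URI, and validating the ID token obtained for the code. The issuer https://idp.example.com, the client credentials, the discovery document and the authorization code are all constructed; the simulated token endpoint signs the ID token with HS256 keyed by the client secret, which OIDC Core permits, whereas PingOne and Okta normally use RS256 with keys published at their jwks_uri.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-ins for the page's <CONSOLE>/<PORT> placeholders and the
# app credentials; none of these are real values.
CONSOLE, PORT = "console.example.internal", "8083"
REDIRECT_URI = f"https://{CONSOLE}:{PORT}/api/v1/authenticate/callback/oidc"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret-that-is-long-enough-for-hs256"
# The scopes the page requires the app to grant, plus the groups scope.
SCOPES = ["openid", "profile", "email", "address", "phone", "groups"]

# Constructed discovery document; a real relying party fetches it over HTTPS
# from <issuer>/.well-known/openid-configuration (OpenID Connect Discovery).
DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_authorization_request(state: str, nonce: str) -> str:
    """Step 1: the URL Console redirects the browser to."""
    params = {
        "response_type": "code",   # authorization code flow, the only one supported
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,            # tied to the browser session, checked on return
        "nonce": nonce,            # must reappear inside the ID token
    }
    return DISCOVERY["authorization_endpoint"] + "?" + urlencode(params)

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: the provider redirects to REDIRECT_URI?code=..&state=..; check it."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback arrived at an unexpected URI")
    query = parse_qs(parsed.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale login or cross-site request")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]

def mint_example_id_token(claims: dict) -> str:
    """Constructed stand-in for the provider's token endpoint: an HS256 ID
    token keyed with the client secret (most providers sign with RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), f"{header}.{payload}".encode(),
                   hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(id_token: str, nonce: str, now=None) -> dict:
    """Step 3: checks the relying party must make before trusting the claims."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")  # never accept 'none'
    expected = hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")  # a string, or a list when several audiences
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token from another login or replayed")
    if "sub" not in claims:  # the page requires sub, idpid and name in UserInfo
        raise ValueError("missing sub claim")
    return claims

def run_flow(now=None) -> dict:
    """Drive steps 1-3 end to end against the simulated provider."""
    now = time.time() if now is None else now
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    build_authorization_request(state, nonce)  # the browser is sent here
    code = parse_callback(f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state)
    # A real Console now POSTs `code` to token_endpoint; here the response is constructed.
    id_token = mint_example_id_token({
        "iss": DISCOVERY["issuer"], "aud": CLIENT_ID, "sub": "alice@example.com",
        "name": "Alice Example", "idpid": "example-idp", "groups": ["prisma-operators"],
        "iat": int(now), "exp": int(now) + 300, "nonce": nonce,
    })
    return validate_id_token(id_token, nonce, now)
```

The state check is what makes the callback URI safe to expose: a redirect that arrives without the state issued to this browser session is rejected before any code is exchanged, and the nonce check binds the returned ID token to that same login attempt.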

2.1. Update Ping callback URL

Update the callback URL.

  1. Log into the Ping web portal.

  2. Click Applications, and then click the OIDC tab.

  3. Click on the arrow button next to your app.

  4. Click on the pencil icon on the right side.

  5. Click on Authentication Flow.

  6. In REDIRECT URIS, enter the callback URL:

    https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oidc.

2.2. Create new user and join to group

  1. In the Ping web portal, click Users, and then click the Users tab.

  2. Click Add users, and choose the Create New User option.

  3. Fill the fields for Password, Username (should be your email), First Name, Last Name, and Email.

  4. In the Membership field, click Add, and choose a group.

  5. Click Save.

3. Okta

Integrate with Okta.

  • Initiate Login URI (Okta) must point to https://<CONSOLE>:<PORT>/callback.

  • Redirect URI must point to https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oidc.

  • UserInfo must include sub, idpid, name.

  • Scopes:

    • All of the following scopes must be included for OpenID: OpenID Connect (openid), OpenID profile, OpenID Email, OpenID address, OpenID Phone, Groups.

    • All of the following scopes must be included for Okta: okta.groups.manage, okta.groups.read.

3.1. Update Okta callback URL

Update the callback URL.

  1. Log into Okta.

  2. Click on Applications and click on your application.

  3. Click the General tab, and then click Edit.

  4. Update Login redirect URIs. Enter the following callback URL:

    https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oidc, and then click Save.

3.2. Configure Prisma Cloud

Configure Prisma Cloud.

  1. Log into Prisma Cloud Console.

  2. Go to Manage > Authentication > Identity Providers > OpenID Connect.

  3. Enable OpenID Connect.

  4. Fill in the settings.

    1. For Client ID, enter the client ID.

    2. For Client Secret, enter the client secret.

    3. For Issuer URL, enter:

      https://sso.connect.pingidentity.com/<CLIENT_ID>.

    4. For Group scope, select groups.

    5. (Optional) Enter your certificate.

    6. Click Save.

4. Prisma Cloud to OIDC user identity mapping

Create a Prisma Cloud user for every user that should have access to Prisma Cloud. Prisma Cloud uses the sub attribute that comes from OIDC to match the username configured in the Prisma Cloud database (as required by the OIDC spec). Whichever value the provider is configured to send to Prisma Cloud should be used to configure users.

  1. Go to Manage > Authentication > Users.

  2. Click Add User.

  3. Set Username to the value the OIDC provider sends in the sub claim for this user.

  4. Set Auth method to OpenID Connect.

  5. Select a role for the user.

  6. Click Save.

  7. Test logging into Prisma Cloud Console.

    1. Logout of Prisma Cloud.

    2. On the login page, select OpenID Connect, and then click Login.

    3. You’re redirected to your OIDC provider to authenticate.

    4. After successfully authenticating, you’re logged into Prisma Cloud Console.

5. Prisma Cloud to OIDC provider group mapping

When you use groups to assign roles in Prisma Cloud, you don’t have to create individual Prisma Cloud accounts for each user. The group value configured on the Compute side should reflect the name of the group scope in the OIDC provider. It might be something different from groups.

A group can be associated with, and authenticated by, multiple identity providers.

  1. Go to Manage > Authentication > Groups.

  2. Click Add Group.

  3. In Name, enter the group name as the OIDC provider sends it.

  4. In Authentication method, select External Providers.

  5. In Authentication Providers, select OpenID Connect group.

  6. Select a role for the members of the group.

  7. Click Save.

  8. Test logging into Prisma Cloud Console.

    1. Logout of Prisma Cloud.

    2. On the login page, select OpenID Connect, and then click Login.

    3. You’re redirected to your OIDC provider to authenticate.

    4. After successfully authenticating, you’re logged into Prisma Cloud Console.
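Sections 4 and 5 above describe two lookups Console performs once the provider has authenticated the user: matching the sub claim against a configured user, and matching the group claim against a configured group, where the name of that claim is set on the Compute side and need not be groups. The following Python is an added example, not Prisma Cloud's code, that models both lookups over constructed user and group tables. The role names, the per-group provider sets, and the rule that the first matching group in the claim wins when a user belongs to several are the example's own assumptions, not documented product behaviour.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    subject: str
    role: str
    matched_by: str  # "user" or "group:<name>"

# Constructed stand-ins for Manage > Authentication > Users and > Groups.
# Users are keyed by the exact value the provider sends in `sub`.
USERS = {
    "alice@example.com": {"auth_method": "oidc", "role": "admin"},
}
# A group may be enabled for several identity providers; only groups that
# list "oidc" are considered for an OIDC login.
GROUPS = {
    "prisma-operators": {"providers": {"oidc", "saml"}, "role": "operator"},
    "sre-oncall": {"providers": {"saml"}, "role": "admin"},  # not OIDC-enabled
}

def claim_groups(claims: dict, group_scope: str = "groups") -> list:
    """Read the group claim under the name configured on the Compute side.
    Providers differ: the claim may be a list or a single string."""
    value = claims.get(group_scope)
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def resolve(claims: dict, group_scope: str = "groups") -> Principal:
    """Map validated ID token claims to a Prisma Cloud principal and role."""
    sub = claims.get("sub")
    if not sub:
        raise ValueError("ID token has no sub claim")
    # 1. Direct user match on sub. The comparison is exact and case-sensitive,
    #    as the OIDC spec defines sub, so "Alice@Example.com" is a different user.
    user = USERS.get(sub)
    if user and user["auth_method"] == "oidc":
        return Principal(sub, user["role"], "user")
    # 2. Group match: the first group in the claim that is configured here and
    #    enabled for OIDC decides the role (first-match is this example's rule).
    for name in claim_groups(claims, group_scope):
        group = GROUPS.get(name)
        if group and "oidc" in group["providers"]:
            return Principal(sub, group["role"], f"group:{name}")
    raise PermissionError(f"{sub!r} matches no Prisma Cloud user or OIDC-enabled group")
```

Calling resolve(claims, group_scope="memberOf") is the equivalent of setting a group scope other than groups on the Compute side: the lookup reads whatever claim name the provider was configured to emit.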