1. Overview

Many organizations use SAML to authenticate users for web services. Prisma Cloud supports the SAML 2.0 federation protocol to access the Prisma Cloud Console. When SAML support is enabled, administrators can log into Console with their federated credentials. This article provides detailed steps for federating your Prisma Cloud Console with Okta.

The Prisma Cloud/Okta SAML federation flow works as follows:

  1. Users browse to Prisma Cloud Console.

  2. Their browsers are redirected to the Okta SAML 2.0 endpoint.

  3. They enter their credentials to authenticate. Multi-factor authentication can be enforced at this step.

  4. A SAML token is returned to Prisma Cloud Console.

  5. Prisma Cloud Console validates the SAML token’s signature and associates the user to their Prisma Cloud account via user identity mapping or group membership.

Integrating Prisma Cloud with SAML consists of setting up your IdP, then configuring Prisma Cloud to integrate with it.

2. Setting up Prisma Cloud in Okta

Set up Prisma Cloud in Okta.

  1. Log into the Okta admin dashboard.

  2. On the right, click Add Applications.

    integrate saml 610130
  3. On the left, click Create new app.

    integrate saml 610131
  4. Select SAML 2.0, and then click Create.

    integrate saml 610135
  5. In the App name field, enter Prisma Cloud Console, then click Next.

    integrate saml 610136
  6. In the SAML Settings dialog:

    1. In the Single Sign On URL field, enter https://<CONSOLE_ADDR>:8083/api/v1/authenticate.

      Note that if you have changed the default port you use for the HTTPS listener, you’d need to adjust the URL here accordingly. Additionally, this URL must be visible from the Okta environment, so if you’re in a virtual network or behind a load balancer, it must be configured to forward traffic to this port and it’s address is what should be used here.

    2. Select Use this for Recipient URL and Destination URL.

    3. In the field for Audience Restriction, enter twistlock (all lowercase).

    4. Expand Advanced Settings.

    5. Verify that Response is set to Signed.

    6. Verify that Assertion Signature is set to Signed.

      integrate saml 610140
  7. (Optional) Add a group.

    Setting up groups is optional. If you set up group attribute statements, then permission to access Prisma Cloud is assessed at the group level. If you don’t set up group attribute statements, them permission to access Prisma Cloud is assessed at the user level.

    1. Scroll down to the GROUP ATTRIBUTE STATEMENTS section.

    2. In the Name field, enter groups.

    3. In filter drop down menu, select Regex and enter a regular expression that captures all the groups defined in Okta that you want to use for access control rules in Prisma Cloud.

      In this example, the regular expression .*(t|T)wistlock.* is used to include all groups prepended with either Prisma Cloud or twistlock. You should enter your own desired group name here. If you have just one group, such as YourGroup, then just enter YourGroup. Regular expressions are not required. If you have multiple groups, you can use a regular expressions, such as (group1|group2|group3).

      integrate saml 610146
  8. Click Next, and then click Finish.

    You are directed to a summary page for your new app.