1. Overview

Many organizations use SAML to authenticate users for web services. Prisma Cloud supports the SAML 2.0 federation protocol for access to the Prisma Cloud Console. When SAML support is enabled, users can log into Console with their federated credentials. This article provides detailed steps for federating your Prisma Cloud Console with your Active Directory Federation Service (ADFS) Identity Provider (IdP).

Prisma Cloud supports SAML 2.0 federation with Windows Server 2016 and Windows Server 2012r2 Active Directory Federation Services via the SAML protocol. The federation flow works as follows:

  1. Users browse to Prisma Cloud Console.

  2. Their browsers are redirected to the ADFS SAML 2.0 endpoint.

  3. Users authenticate either with Windows Integrated Authentication or Forms Based Authentication. Multi-factor authentication can be enforced at this step.

  4. An ADFS SAML token is returned to Prisma Cloud Console.

  5. Prisma Cloud Console validates the SAML token’s signature and associates the user to their Prisma Cloud account via user identity mapping or group membership.

Prisma Cloud Console is integrated with ADFS as a federated SAML Relying Party Trust.

The Relying Party trust workflows may differ slightly between Windows Server 2016 and Windows Server 2012r2 ADFS, but the concepts are the same.

2. Configure Active Directory Federation Services

This guide assumes you have already deployed Active Directory Federation Services, and Active Directory is the claims provider for the service.

  1. Log onto your Active Directory Federation Services server.

  2. Go to Server Manager > Tools > AD FS Management to start the ADFS snap-in.

  3. Go to AD FS > Service > Certificates and click on the Primary Token-signing certificate.

  4. Select the Details tab, and click Copy to File…​.

    adfs saml 1
  5. Save the certificate as a Base-64 encoded X.509 (.CER) file. You will upload this certificate into the Prisma Cloud console in a later step.

  6. Go to AD FS > Relying Party Trusts.

  7. Click Add Relying Party Trust from the Actions menu.

    1. Step Welcome: select Claims aware.

      adfs saml 2
    2. Step Select Data Source: select Enter data about the relying party manually.

      adfs saml 3
    3. Step Specify Display Name: In Display Name, enter twistlock Console.

      adfs saml 4
    4. Step Configure Certificate: leave blank.

    5. Step Configure URL: select Enable support for the SAML 2.0 WebSSO protocol. Enter the URL for your Prisma Cloud Console https://<FQDN_TWISTLOCK_CONSOLE>:8083/api/v1/authenticate/.