Many organizations use SAML to authenticate users for web services. Prisma Cloud supports the SAML 2.0 federation protocol to access Prisma Cloud Console. When SAML support is enabled, users can log into Console with their federated credentials. This article provides detailed steps for federating your Prisma Cloud Console with your Azure Active Directory (AAD) tenant’s Identity Provider (IdP).
The Prisma Cloud/Azure Active Directory SAML federation flow works as follows:
Users browse to Prisma Cloud Console.
Their browsers are redirected to the AAD SAML 2.0 endpoint.
They enter their AAD credentials to authenticate. Multi-factor authentication can be enforced at this step.
An AAD SAML token is returned to Prisma Cloud Console.
Prisma Cloud Console validates the Azure Active Directory SAML token’s signature and associates the user to their Prisma Cloud account via user identity mapping or group membership. Prisma Cloud supports SAML groups for Azure Active Directory federation.
|The Azure Portal may change the Enterprise Application SAML federation workflow over time. The concepts and steps outlined in this document can be applied to any Non-gallery application.|
The Prisma Cloud Console is integrated with Azure Active Directory as a federated SAML Enterprise Application. The steps to set up the integration are:
Configure Azure Active Directory.
Required Azure Active Directory SKU: Premium
Required Azure Active Directory role: Global Administrator
Log onto your Azure Active Directory tenant (https://portal.azure.com).
Go to Azure Active Directory > Enterprise Applications
On the top left of the window pane, click + New Application.
Select Non-gallery application, from the Add your own app section.
In the Name field, enter jdong-console, then click Add. In this example I am using "jdong-console"
On the jdong-console menu select Single sign-on and choose SAML
Section #1 Basic SAML Configuration:
Identifier: jdong-console (Set to your Console’s unique Audience value. You will configure this value within your Console at a later step.)
Reply URL: https://<FQDN_of_your_Prisma Cloud_Console>:8083/api/v1/authenticate.
Section #2 User Attributes & Claims:
Select the Azure AD user attribute that will be used as the user account name within Prisma Cloud. This will be the NameID claim within the SAML response token. We recommend using the default value.
Unique User Identifier (Name ID): user.userprincipalname [nameid-format:emailAddress]
|Even if you are using AAD Groups to assign access to Prisma Cloud set this value.|
Section #3 SAML Signing Certificate:
Select Download: Certificate (Base64)
Select the Pen icon.
Set Signing Option: Sign SAML Response and Asertion
Section #4 Set up jdong_console:
Save the value of of Login URL and Azure AD Identifier. We will use these later for configuration in the Prisma Cloud Console.
Copy the Application ID. You can find this going to Properties tab in the Manage section of the application.
Click on Users and Groups within the Manage section of the application. Add the users and/or groups that will have the right to authenticate to Prisma Cloud Console.