1. Overview

Prisma Cloud supports SAML federation with Azure Active Directory.

When you use Azure Active Directory Groups to map to Prisma Cloud SAML Group, do not create users in Prisma Cloud Console. Configure the AAD SAML application to send AAD group membership (http://schemas.microsoft.com/ws/2008/06/identity/claims/groups) claims within the SAML response token. If you enable AAD Group authentication the Prisma Cloud User to AAD User Identity method of authentication will be ignored.

Azure Active Directory SAML response will send the user’s group membership as OIDs and not the name of the group. When a group is added, Prisma Cloud Console will query the Microsoft Azure endpoints to determine the OID of the group entered. Ensure your Prisma Cloud Console is able to reach https://login.windows.net/ and https://graph.windows.net

2. Troubleshooting Scripts

The following scripts are to help troubleshoot where the issue resides if you receive an error when trying to add an AAD group name within the Console’s Manage > Authentication > Groups.

These scripts are written in Powershell and require version 6 or greater Powershell and require version 6 or greater.

Feel free to port to your language of choice.

3. Query all Azure AD groups

# ID of the AAD Tenant Properties 'Directory ID'
$Tenant="<AAD_tenant_ID>"
# Twistlock SAML Application ID
$ClientID="<Console_SAML_appliation_ID>"
# Generated Secret for the Application
$ClientSecret="<Console_SAML_application_ID_secret_token>"

#Get the Access Token
$Token = Invoke-RestMethod -Uri https://login.windows.net/$tenant/oauth2/token?api-version=1.0 -Method Post -Body @{"grant_type" = "client_credentials"; "resource" = "https://graph.windows.net"; "client_id" = $ClientID; "client_secret" = $ClientSecret}
$access_Token = $Token.access_token
write-host $RestURI
$RestURI="https://graph.windows.net/$Tenant/groups?api-version=1.6"
$Headers = @{"Authorization" = "Bearer " + $access_Token}

#Submit Request
$Request = Invoke-RestMethod -Method GET -Headers $Headers -ContentType "Content-Type: application/json" -Uri $RestURI

write-host $Request
write-host $Request.value.Count
write-host $Request.value
write-host "-------"

# Write out all the groups found and their objectIDs
$i = 0
foreach ($group in $Request.value)
    {
    write-host "----- $i -----"
    # Pull out the group information
    write-host $group.DisplayName
    write-host $group.objectID
    $i++
    }

4. Query for specific Azure AD group

# Query Azure AD to see if the group exists
# It performs that same AAD API calls that the Twistlock AAD group membership performs.
# Make sure you can talk to the AAD API endpoints https://login.windows.net and http://graph.windows.net

param ($arg1)
if (!$arg1)
    {
        write-host "Provide the AAD groupname/displayname as input"
        exit
    }

# ID of the AAD Tenant Properties 'Directory ID', use the ServicePrincipal values that were created when setting up AAD SAML federation
$Tenant="<AAD_tenant_ID>"
# Twistlock SAML Application ID
$ClientID="<Console_SAML_appliation_ID>"
# Generated Secret for the Application
$ClientSecret="<Console_SAML_application_ID_secret_token>"
# Group Name
$groupName = $arg1

#Get the Access Token
$Token = Invoke-RestMethod -Uri https://login.windows.net/$tenant/oauth2/token?api-version=1.0 -Method Post -Body @{"grant_type" = "client_credentials"; "resource" = "https://graph.windows.net"; "client_id" = $ClientID; "client_secret" = $ClientSecret}
$access_Token = $Token.access_token

$stringFilter = "$filter"
$RestURI="https://graph.windows.net/$Tenant/groups?api-version=1.6&`$filter=displayname eq '$groupName'"
$Headers = @{"Authorization" = "Bearer " + $access_Token}
write-host $RestURI
#Submit Request
$Request = Invoke-RestMethod -Method GET -Headers $Headers -ContentType "Content-Type: application/json" -Uri $RestURI

# Write out all the groups found and their objectIDs
$i = 0
foreach ($group in $Request.value)
    {
    write-host "----- $i -----"
    # Pull out the group information
    write-host $group.DisplayName
    write-host $group.objectID
    $i++
    }