Integrate with Active Directory

Prisma Cloud can integrate with Active Directory (AD), an enterprise identity directory service.
If your AD environment uses alternative UPN suffixes (also referred to as explicit UPNs), see Non-default UPN suffixes to understand how to use them with Prisma Cloud.
After integrating Prisma Cloud with AD, you can control access to Docker Engine, Docker Swarm, and Kubernetes based on AD group memberships. Note that ldap group names are case sensitive in Prisma Cloud.
With AD integration, you can:
  • Re-use the identities and groups already set up in Active Directory.
  • Extend your organization’s access control logic to the management of Docker containers.
For example, you could specify that only members of the AD group Dev Ops Admins can start and stop containers in the production environment. For more information, see Access control for Docker Engine (RBAC).

Configuration options

The following configuration options are available:
Configuration option
Description
Enabled
Enables or disables integration with Active Directory.
In Console, use the slider to enable (ON) or disable (OFF) integration with AD.
By default, integration with AD is disabled.
URL
Specifies the path to your LDAP server, such as an Active Directory Domain Controller.
The format for the LDAP server path is:
<PROTOCOL>://<HOST>:<PORT> Where <PROTOCOL> can be ldap or ldaps. For an Active Directory Global Catalog server, use ldap.
For performance and redundancy, use a load balanced path.
Example: ldap://ldapserver.example.com:3268
Search Base
Specifies the search query base path for retrieving users from the directory.
Example: dc=example,dc=com
User identifier
User name format when authenticating
sAMAccountName = DOMAIN\sAMAccountName
userPrincipalName = user@ad.example.com
The Active Directory domain name must be provided when using sAMAccountName due to domain trust behavior.
Account UPN
Console Account UPN Specifies the username for the Prisma Cloud service account that has been set up to query Active Directory.
Specify the username with the User Principal Name (UPN) format:
<USERNAME>@<DOMAIN>
Account Password
Specifies the password for the Prisma Cloud service account.

Integrating Active Directory

Integrate Active Directory after you have installed Prisma Cloud.
  1. Open Console, then go to
    Manage > Authentication > LDAP
    .
  2. Set
    Integrate LDAP users and groups with Prisma Cloud
    to
    Enabled
    .
  3. Specify all the parameters for connecting to your Active Directory service.
    1. For
      Authentication
      type, select
      Active Directory
      .
    2. In
      Path to LDAP service
      , specify the path to your LDAP server.
      For example:
      ldap://ldapserver.example.com:3268
    3. In
      Search Base
      , specify the base path to the subtree that contains your users.
      For example:
      dc=example,dc=com
    4. In Service Account UPN and Service Account Password, specify the credentials for your service account.
      Specify the username in UPN format: <USERNAME>@<DOMAIN>
      For example, the account UPN format would be:
      twistlock_service@example.com
    5. If you connect to Active Directory with ldaps, paste your CA certificate (PEM format) in the CA Certificate field.
      This enables Prisma Cloud to validate the LDAPS certificate to prevent spoofing and man- in-the-middle attacks. If this field is left blank, Prisma Cloud will not perform validation of the LDAPS certificate.
  4. Click
    Save
    .

Adding Active Directory group to Prisma Cloud

In order to grant authentication to users in an Active Directory group, the AD group needs to be added in Prisma Cloud.
  • Navigate to
    Manage > Authentication > Groups
    and click on
    Add group
  • In the pop up window, enter the name of AD group and select
    LDAP group
    check box.
  • Grant a specific role to the group. Example:Admin. Note that all the members of the group will have this privilege in Prisma Cloud.

Verifying integration with Active Directory

To verify the integration with AD:
  1. Open Console.
  2. If you are logged into Console, log out.
  3. At Console’s login page, enter the UPN and password of an existing Active Directory user.
    If the log in is successful, you are directed to the view appropriate for the user’s role. For users with the User role, you are directed to a single page,
    Configure > Clients
    , from where you can download the certs required to access a Prisma Cloud-protected container environment.

What’s next?

After integrating AD with Prisma Cloud, you can:

Recommended For You