1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Access control
    6. Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services via SAML 2.0 Federation
    End-of-Life (EoL)

    Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services via SAML 2.0 Federation

    Many organizations use SAML to authenticate users for web services. Prisma Cloud supports the SAML 2.0 federation protocol for access to the Prisma Cloud Console. When SAML support is enabled, administrators can log into the Console with their federated credentials. This article provides detailed steps for federating your Prisma Cloud Console with your Active Directory Federation Service (ADFS) Identity Provider (IdP).
    Prisma Cloud supports SAML 2.0 federation with Windows Server 2016 and Windows Server 2012r2 Active Directory Federation Services via the SAML protocol. The federated workflow is as follows:
    1. The user browses to the Prisma Cloud Console.
    2. The browser is redirected to ADFS SAML2.0 endpoint.
    3. The user authenticates either via Windows Integrated Authentication or Forms Based Authentication. Multi-factor authentication can be enforced at this step in the workflow.
    4. The ADFS SAML token is returned to the Prisma Cloud Console.
    5. The Prisma Cloud Console validates the ADFS SAML token’s signature and associates the user to their Prisma Cloud account.

    Federation with Windows Server 2016 Active Directory Federation Services

    The Prisma Cloud Console is integrated with ADFS as a federated SAML Relying Party Trust.
    The Relying Party trust workflows may differ slightly between Windows Server 2016 and Windows Server 2012r2 ADFS, but the concepts are the same.

    Configure Active Directory Federation Services

    This guide assumes you have already deployed Active Directory Federation Services, and Active Directory is the claims provider for the service.
    1. Log onto your Active Directory Federation Services server.
    2. Go to
      Server Manager > Tools > AD FS Management
       to start the ADFS snap-in.
    3. Go to
      AD FS > Service > Certificates
       and click on the
      Primary Token-signing
       certificate.
    4. Select the Details tab, and click
      Copy to File…​
      .
    5. Save the certificate as a Base-64 encoded X.509 (.CER) file. You will upload this certificate into the Prisma Cloud console in a later step.
    6. Go to
      AD FS > Relying Party Trusts
      .
    7. Click
      Add Relying Party Trust
       from the
      Actions
       menu.
      1. Step Welcome: select
        Claims aware
        .
      2. Step Select Data Source: select
        Enter data about the relying party manually
        .
      3. Step Specify Display Name: In
        Display Name
        , enter
        twistlock Console
        .
      4. Step Configure Certificate: leave blank.
      5. Step Configure URL: select
        Enable support for the SAML 2.0 WebSSO protocol
        . Enter the URL for your Prisma Cloud Console
        https://<FQDN_TWISTLOCK_CONSOLE>:8083/api/v1/authenticate/
        .
      6. Step Configure Identifiers: for example enter
        twistlock
         all lower case and click
        Add
        .
      7. Step Choose Access Control Policy: this is where you can enforce multi-factor authentication for Prisma Cloud Console access. For this example, select
        Permit everyone
        .
      8. Step Ready to Add Trust: no changes, click
        Next
        .
      9. Step Finish: select
        Configure claims issuance policy for this application
         then click
        Close
        .
      10. In the Edit Claim Issuance Policy for Prisma Cloud Console click
        Add Rule
        .
      11. Step Choose Rule Type: In
        Claim rule template
        , select
        Send LDAP Attributes as Claims
        .
      12. Step Configure Claim Rule:
        • Set
          Claim rule name
           to
          Prisma Cloud Console
        • Set
          Attribute Store
           to
          Active Directory
        • In
          Mapping of LDAP attributes to outgoing claim types
          , set the
          LDAP Attribute
           to
          SAM-Account-Name
           and
          Outgoing claim type
           to
          Name ID
          .
          The user’s Active Directory attribute returned in the claim must match the Prisma Cloud user’s name. In this example we are using the samAccountName attribute.
      13. Click
        Finish
        .
    8. Configure ADFS to either sign the SAML response (-SamlResponseSignature MessageOnly) or the SAML response and assertion (-SamlResponseSignature MessageAndAssertion) for the Prisma Cloud Console relying party trust. For example to configure the ADFS to only sign the response, start an administrative PowerShell session and run the following command:
      set-adfsrelyingpartytrust -TargetName "Prisma Cloud Console" -SamlResponseSignature MessageOnly

    Active Directory group membership within SAML response

    You can use Active Directory group membership to assign users to Prisma Cloud roles. When a user’s group membership is sent in the SAML response, Prisma Cloud attempts to associate the user’s group to a Prisma Cloud role. If there is no group association, Prisma Cloud matches the user to an identity based on the NameID to Prisma Cloud username mapping. The SAML group to Prisma Cloud role association does not require the creation of a Prisma Cloud user. Therefore simplify the identity management required for your implementation of Prisma Cloud.
    1. In
      Relying Party Trusts
      , select the
      Prisma Cloud Console
       trust.
    2. Click
      Edit Claim Issuance Policy
       in the right hand
      Actions
       pane.
    3. Click
      Add Rule
      .
    4. Claim rule template:
      Send Claims Using a Custom Rule
      .
    5. Click
      Next
      .
    6. Claim rule name:
      Prisma Cloud Groups
      .
    7. Paste the following claim rule into the Custom rule field:
      c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("groups"), query = ";tokenGroups;{0}", param = c.Value);

    Configure the Prisma Cloud Console

    Configure the Prisma Cloud Console.
    1. Login to the Prisma Cloud Console as an administrator.
    2. Go to
      Manage > Authentication > SAML
      .
    3. Under
      SAML settings
      :
      1. Integrate SAML users and groups with Prisma Cloud
        :
        Enabled
        .
      2. Identity Provider
        :
        ADFS
        .
      3. Identity provider single sign-on URL
        : Enter your SAML Single Sign-On Service URL. For example
        https://FQDN_of_your_adfs/adfs/ls
        .
      4. Identity provider issuer
        : Enter your SAML Entity ID, which can be retrieved from
        ADFS > Service > Federation Service Properties : Federation Service Identifier
        .
      5. Audience
        : Enter the ADFS Relying Party identifier
        twistlock
      6. X.509 certificate
        : paste the ADFS
        Token Signing Certificate Base64
         into this field.
    4. Click
      Save
      .
    5. Go to
      Manage > Authentication > Users
      .
    6. Click
      Add user
      .
      1. Username
        : Active Directory samAccountName must match the value returned in SAML token’s Name ID attribute.
        When federating with ADFS Prisma Cloud usernames are case insensitive. All other federation IdPs are case sensitive.
      2. Auth method
        : set to
        SAML
        .
      3. Role
        : select an appropriate role.
    7. Click
      Save
      .

    Active Directory group membership mapping to Prisma Cloud role

    Associate a user’s Active Directory group membership to a Prisma Cloud role.
    1. Go to
      Manage > Authentication > Groups
      .
    2. Click
      Add group
      .
    3. Group Name matches the
      Active Directory group name
      .
    4. Select the
      SAML group
       radio button.
    5. Assign the
      Role
      .
      The SAML group to Prisma Cloud role association does not require the creation of a Prisma Cloud user.
    6. Test login into the Prisma Cloud Console via ADFS SAML federation.
      Leave your existing session logged onto the Prisma Cloud Console in case you encounter issues. Open a new in-private browser and go to https://<FQDN_TWISTLOCK_CONSOLE>:8083.

    Troubleshooting

    There is a little trial and error when configuring federation. If you misconfigure the SAML integration parameters in Prisma Cloud Console, you might get locked out from your Prisma Cloud admin account. When you try to log into the Prisma Cloud Console to fix the configuration, you might be redirected to the ADFS login page.
    The Prisma Cloud Console provides the ability to logon with a local database account when SAML integration is enabled. An example of a Prisma Cloud user is the default admin account created when you first install Prisma Cloud.
    To login with a Prisma Cloud user account when SAML is enabled, add the URL fragment /#!/login to Console’s address. For example:
    https://<CONSOLE_IPADDR | HOSTNAME>:8083/#!/login
    Regular SAML users should log in with the address to Console’s front page:
    https://<CONSOLE_IPADDR | HOSTNAME>:8083

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo