Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services via SAML 2.0 Federation

Many organizations use SAML to authenticate users for web services. Prisma Cloud supports the SAML 2.0 federation protocol for access to the Prisma Cloud Console. When SAML support is enabled, administrators can log into the Console with their federated credentials. This article provides detailed steps for federating your Prisma Cloud Console with your Active Directory Federation Service (ADFS) Identity Provider (IdP).
Prisma Cloud supports SAML 2.0 federation with Windows Server 2016 and Windows Server 2012r2 Active Directory Federation Services via the SAML protocol. The federated workflow is as follows:
  1. The user browses to the Prisma Cloud Console.
  2. The browser is redirected to ADFS SAML2.0 endpoint.
  3. The user authenticates either via Windows Integrated Authentication or Forms Based Authentication. Multi-factor authentication can be enforced at this step in the workflow.
  4. The ADFS SAML token is returned to the Prisma Cloud Console.
  5. The Prisma Cloud Console validates the ADFS SAML token’s signature and associates the user to their Prisma Cloud account.

Federation with Windows Server 2016 Active Directory Federation Services

The Prisma Cloud Console is integrated with ADFS as a federated SAML Relying Party Trust.
The Relying Party trust workflows may differ slightly between Windows Server 2016 and Windows Server 2012r2 ADFS, but the concepts are the same.

Configure Active Directory Federation Services

This guide assumes you have already deployed Active Directory Federation Services, and Active Directory is the claims provider for the service.
  1. Log onto your Active Directory Federation Services server.
  2. Go to
    Server Manager > Tools > AD FS Management
    to start the ADFS snap-in.
  3. Go to
    AD FS > Service > Certificates
    and click on the
    Primary Token-signing
    certificate.
  4. Select the Details tab, and click
    Copy to File…​
    .
  5. Save the certificate as a Base-64 encoded X.509 (.CER) file. You will upload this certificate into the Prisma Cloud console in a later step.
  6. Go to
    AD FS > Relying Party Trusts
    .
  7. Click
    Add Relying Party Trust
    from the
    Actions
    menu.
    1. Step Welcome: select
      Claims aware
      .
    2. Step Select Data Source: select
      Enter data about the relying party manually
      .
    3. Step Specify Display Name: In
      Display Name
      , enter
      twistlock Console
      .
    4. Step Configure Certificate: leave blank.
    5. Step Configure URL: select
      Enable support for the SAML 2.0 WebSSO protocol
      . Enter the URL for your Prisma Cloud Console
      https://<FQDN_TWISTLOCK_CONSOLE>:8083/api/v1/authenticate/
      .
    6. Step Configure Identifiers: for example enter
      twistlock
      all lower case and click
      Add
      .
    7. Step Choose Access Control Policy: this is where you can enforce multi-factor authentication for Prisma Cloud Console access. For this example, select
      Permit everyone
      .
    8. Step Ready to Add Trust: no changes, click
      Next
      .
    9. Step Finish: select
      Configure claims issuance policy for this application
      then click
      Close
      .
    10. In the Edit Claim Issuance Policy for Prisma Cloud Console click
      Add Rule
      .
    11. Step Choose Rule Type: In
      Claim rule template
      , select
      Send LDAP Attributes as Claims
      .
    12. Step Configure Claim Rule:
      • Set
        Claim rule name
        to
        Prisma Cloud Console
      • Set
        Attribute Store
        to
        Active Directory
      • In
        Mapping of LDAP attributes to outgoing claim types
        , set the
        LDAP Attribute
        to
        SAM-Account-Name
        and
        Outgoing claim type
        to
        Name ID
        .
        The user’s Active Directory attribute returned in the claim must match the Prisma Cloud user’s name. In this example we are using the samAccountName attribute.
    13. Click
      Finish
      .
  8. Configure ADFS to either sign the SAML response (
    -SamlResponseSignature MessageOnly
    ) or the SAML response and assertion (
    -SamlResponseSignature MessageAndAssertion
    ) for the Prisma Cloud Console relying party trust. For example to configure the ADFS to only sign the response, start an administrative PowerShell session and run the following command:
    set-adfsrelyingpartytrust -TargetName "Prisma Cloud Console" -SamlResponseSignature MessageOnly

Active Directory group membership within SAML response

You can use Active Directory group membership to assign users to Prisma Cloud roles. When a user’s group membership is sent in the SAML response, Prisma Cloud attempts to associate the user’s group to a Prisma Cloud role. If there is no group association, Prisma Cloud matches the user to an identity based on the NameID to Prisma Cloud username mapping. The SAML group to Prisma Cloud role association
does not require
the creation of a Prisma Cloud user. Therefore simplify the identity management required for your implementation of Prisma Cloud.
  1. In
    Relying Party Trusts
    , select the
    Prisma Cloud Console
    trust.
  2. Click
    Edit Claim Issuance Policy
    in the right hand
    Actions
    pane.
  3. Click
    Add Rule
    .
  4. Claim rule template:
    Send Claims Using a Custom Rule
    .
  5. Click
    Next
    .
  6. Claim rule name:
    Prisma Cloud Groups
    .
  7. Paste the following claim rule into the
    Custom rule
    field:
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("groups"), query = ";tokenGroups;{0}", param = c.Value);

Configure the Prisma Cloud Console

Configure the Prisma Cloud Console.
  1. Login to the Prisma Cloud Console as an administrator.
  2. Go to
    Manage > Authentication > SAML
    .
  3. Under
    SAML settings
    :
    1. Integrate SAML users and groups with Prisma Cloud
      :
      Enabled
      .
    2. Identity Provider
      :
      ADFS
      .
    3. Identity provider single sign-on URL
      : Enter your SAML Single Sign-On Service URL. For example
      https://FQDN_of_your_adfs/adfs/ls
      .
    4. Identity provider issuer
      : Enter your SAML Entity ID, which can be retrieved from
      ADFS > Service > Federation Service Properties : Federation Service Identifier
      .
    5. Audience
      : Enter the ADFS Relying Party identifier
      twistlock
    6. X.509 certificate
      : paste the ADFS
      Token Signing Certificate Base64
      into this field.
  4. Click
    Save
    .
  5. Go to
    Manage > Authentication > Users
    .
  6. Click
    Add user
    .
    1. Username
      : Active Directory
      samAccountName
      must match the value returned in SAML token’s Name ID attribute.
      When federating with ADFS Prisma Cloud usernames are case insensitive. All other federation IdPs are case sensitive.
    2. Auth method
      : set to
      SAML
      .
    3. Role
      : select an appropriate role.
  7. Click
    Save
    .

Active Directory group membership mapping to Prisma Cloud role

Associate a user’s Active Directory group membership to a Prisma Cloud role.
  1. Go to
    Manage > Authentication > Groups
    .
  2. Click
    Add group
    .
  3. Group Name
    matches the
    Active Directory group name
    .
  4. Select the
    SAML group
    radio button.
  5. Assign the
    Role
    .
    The SAML group to Prisma Cloud role association
    does not require
    the creation of a Prisma Cloud user.
  6. Test login into the Prisma Cloud Console via ADFS SAML federation.
    Leave your existing session logged onto the Prisma Cloud Console in case you encounter issues. Open a new in-private browser and go to https://<FQDN_TWISTLOCK_CONSOLE>:8083.

Troubleshooting

There is a little trial and error when configuring federation. If you misconfigure the SAML integration parameters in Prisma Cloud Console, you might get locked out from your Prisma Cloud admin account. When you try to log into the Prisma Cloud Console to fix the configuration, you might be redirected to the ADFS login page.
The Prisma Cloud Console provides the ability to logon with a local database account when SAML integration is enabled. An example of a Prisma Cloud user is the default admin account created when you first install Prisma Cloud.
To login with a Prisma Cloud user account when SAML is enabled, add the URL fragment /#!/login to Console’s address. For example:
https://<CONSOLE_IPADDR | HOSTNAME>:8083/#!/login
Regular SAML users should log in with the address to Console’s front page:
https://<CONSOLE_IPADDR | HOSTNAME>:8083

Recommended For You