End-of-Life (EoL)

Integrate with Azure Active Directory via SAML 2.0 Federation

Many organizations use SAML to authenticate users for web services. Prisma Cloud supports the SAML 2.0 federation protocol to access Prisma Cloud Console. When SAML support is enabled, administrators can log into the Console with their federated credentials. This article provides detailed steps for federating your Prisma Cloud Console with your Azure Active Directory (AAD) tenant’s Identity Provider (IdP).
The Prisma Cloud / Azure Active Directory SAML federation workflow is as follows:
  1. The user browses to Prisma Cloud Console.
  2. The browser is redirected to the AAD SAML 2.0 endpoint.
  3. The user enters their AAD credentials.
  4. The AAD SAML token is returned to Prisma Cloud Console.
  5. The Prisma Cloud Console validates the Azure Active Directory SAML token’s signature and associates the user to their Prisma Cloud account via user identity mapping or group membership. Prisma Cloud supports SAML groups for Azure Active Directory federation.
When Prisma Cloud is integrated with SAML, the logout button in Console works differently than you might expect. When you log out, Prisma Cloud unregisters your token, but it does not log you out from your SAML provider (because users want to stay signed into their other apps). Instead, the token is removed and you are redirected back to the login page, which automatically signs you back into Console (assuming that you are still logged into the SAML provider). Logging out from Console, therefore, essentially refreshes your account information and group memberships.
The Azure Portal may change the Enterprise Application SAML federation workflow over time. The concepts and steps outlined in this document can be applied to any Non-gallery application.
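The following is an added example, not Prisma Cloud's own code, of the checks step 5 of the workflow above implies: after the SAML signature has been verified, the response must still carry a success status, the expected issuer (the Azure AD Identifier, which has the form https://sts.windows.net/<tenant-id>/), the Console's Audience value, a bearer confirmation addressed to the Reply URL, and a validity window that includes the current time; only then are the NameID and the group claim read out. The tenant ID, the Console FQDN and the group OIDs are placeholders, the SAML response is constructed inline, and XML signature verification is assumed to have been done by an XML-DSig library before these checks run.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# SAML 2.0 namespaces, the Azure AD groups claim named on this page, and the
# SAML success status value.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Assumed service-provider settings mirroring the fields entered in Console.
# The tenant ID inside the issuer and the Console FQDN are placeholders.
SP_CONFIG = {
    "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "audience": "jdong-console",
    "recipient": "https://console.example.com:8083/api/v1/authenticate",
}
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def build_sample_response(now, nameid, group_oids, audience="jdong-console"):
    """Constructed, unsigned response in the shape Azure AD emits (test input only)."""
    not_before = (now - timedelta(minutes=5)).strftime(TIME_FMT)
    not_after = (now + timedelta(minutes=5)).strftime(TIME_FMT)
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in group_oids)
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0" IssueInstant="{now.strftime(TIME_FMT)}">
  <saml:Issuer>{SP_CONFIG['issuer']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{now.strftime(TIME_FMT)}">
    <saml:Issuer>{SP_CONFIG['issuer']}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{nameid}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="{not_after}" Recipient="{SP_CONFIG['recipient']}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{GROUPS_CLAIM}">{values}</saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def _parse_time(value):
    """SAML times are UTC; Azure AD may add fractional seconds, which are dropped here."""
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(b64_response, config, now):
    """Checks applied after the XML signature has been verified against the
    Azure AD certificate (XML-DSig itself is assumed done by a proper library
    and is not implemented here). Returns the NameID and group OIDs, or raises
    ValueError naming the first failed check."""
    # xml.etree does not guard against entity expansion; use defusedxml in production.
    root = ET.fromstring(base64.b64decode(b64_response))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != config["issuer"]:
        raise ValueError(f"unexpected issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["audience"] not in audiences:
        raise ValueError(f"audience {audiences} does not include {config['audience']!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["recipient"]:
        raise ValueError("bearer confirmation not addressed to this Console")
    if now >= _parse_time(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation expired")
    nameid = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not nameid:
        raise ValueError("assertion has no NameID")
    groups = [v.text for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
              if attr.get("Name") == GROUPS_CLAIM for v in attr.findall("saml:AttributeValue", NS)]
    return {"nameid": nameid, "groups": groups}


def rejection_reason(b64_response, config, now):
    """None if the response passes every check, otherwise the failed check's message."""
    try:
        validate_response(b64_response, config, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    token = build_sample_response(SAMPLE_NOW, "alice@contoso.example", ["aaaaaaaa-0000-0000-0000-000000000001"])
    print(validate_response(token, SP_CONFIG, SAMPLE_NOW))
    print(rejection_reason(build_sample_response(SAMPLE_NOW, "alice@contoso.example", [], audience="other"), SP_CONFIG, SAMPLE_NOW))
```

The audience check is the one that ties the Identifier configured in Azure AD to the Audience field in Console: an assertion issued for a different application in the same tenant carries a valid signature from the same certificate and is rejected only by this comparison.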

Federation with Azure Active Directory

The Prisma Cloud Console is integrated with Azure Active Directory as a federated SAML Enterprise Application.

Configure Azure Active Directory

Prerequisites:
  • Required Azure Active Directory SKU: Premium
  • Required Azure Active Directory role: Global Administrator
  1. Log on to your Azure Active Directory tenant (https://portal.azure.com).
  2. On the top left of the window pane, click + New Application.
  3. Select Non-gallery application from the Add your own app section.
  4. In the Name field, enter jdong-console, then click Add. This example uses "jdong-console" throughout.
  5. On the jdong-console menu, select Single sign-on and choose SAML.
    1. Identifier: jdong-console (set this to your Console's unique Audience value; you will configure the same value within your Console at a later step).
    2. Reply URL: https://<FQDN_of_your_Prisma Cloud_Console>:8083/api/v1/authenticate
  6. Select the Azure AD user attribute that will be used as the user account name within Prisma Cloud. This will be the NameID claim within the SAML response token. We recommend using the default value.
    1. Unique User Identifier (Name ID): user.userprincipalname [nameid-format:emailAddress]. Set this value even if you are using AAD Groups to assign access to Prisma Cloud.
    2. Select Download: Certificate (Base64).
    3. Select the Pen icon.
    4. Set Signing Option: Sign SAML Response and Assertion.
  7. Save the values of Login URL and Azure AD Identifier. We will use these later for configuration in the Prisma Cloud Console.
  8. Copy the Application ID. You can find it on the Properties tab in the Manage section of the application.
  9. Click Users and Groups within the Manage section of the application. Add the users and/or groups that will have the right to authenticate to Prisma Cloud Console.

Prisma Cloud User to AAD User Identity mapping

If you plan to map Azure Active Directory users to Prisma Cloud accounts, go to Configure Prisma Cloud Console.

Prisma Cloud Groups to AAD Group mapping

When you map Azure Active Directory groups to Prisma Cloud SAML groups, do not create users in Prisma Cloud Console. Configure the AAD SAML application to send AAD group membership claims (http://schemas.microsoft.com/ws/2008/06/identity/claims/groups) within the SAML response token. If you enable AAD Group authentication, the Prisma Cloud User to AAD User Identity method of authentication is ignored.
  1. Set application permissions:
    1. Under the Manage section, go to API Permissions.
    2. Click Add a Permission.
    3. Click Microsoft Graph.
    4. Select permissions: Application Permissions: Application.Read.All.
    5. Click Grant admin consent for Default Directory within the Configured permissions blade.
  2. Create an application secret:
    1. Under the Manage section, go to Certificates & secrets.
    2. Click New Client secret.
    3. Expires: Never.
    4. Click Add.
    5. Make sure to save the secret value that is generated before closing the blade.
  3. Configure the application to send group claims within the SAML response token. You can configure this setting either within the Azure portal or via PowerShell.
    1. Azure AD Portal:
      1. Click Manifest.
      2. Set "groupMembershipClaims": "SecurityGroup".
      3. Click Save.
    2. PowerShell:
      1. Use the Azure AD PowerShell cmdlet Set-AzureADApplication to configure the application.
      2. Run the following PowerShell commands (the -GroupMembershipClaims parameter takes the same string value as the manifest setting):
         Import-Module AzureAD
         Connect-AzureAD
         # Look up the enterprise application by its display name
         $twistlock = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "jdong-console"}
         $oid = $twistlock.ObjectId
         # Emit security group membership in the SAML token
         Set-AzureADApplication -ObjectId $oid -GroupMembershipClaims "SecurityGroup"
      3. Confirm that GroupMembershipClaims has been set to SecurityGroup:
         $twistlock = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "jdong-console"}
         $twistlock.GroupMembershipClaims
         Allow several minutes for these permissions to propagate within AAD.

Configure Prisma Cloud Console

  1. Log in to Prisma Cloud Console as an administrator and enter the SAML settings:
    1. Identity provider single sign-on URL: the Azure AD provided Login URL.
    2. Identity provider issuer: the Azure AD provided Azure AD Identifier.
    3. Audience: jdong-console.
    4. Application ID: jdong-console's AAD Application ID.
    5. Tenant ID: the AAD tenant ID that contains the jdong-console application.
    6. Application Secret: the jdong-console application key (only required if using AAD Groups).
    7. X.509 certificate: paste the Azure AD SAML Signing Certificate (Base64) into this field.
  2. Click Save.

Prisma Cloud User to AAD User Identity mapping

If you plan to map Azure Active Directory users to Prisma Cloud accounts, perform the following steps.
  1. Click Add user.
    1. Username: the Azure Active Directory userprincipalname.
    2. Auth Method: select SAML.
    3. Role: select the appropriate role for the user.
    4. Click Save.
  2. Test logging into Prisma Cloud Console via Azure Active Directory SAML federation. Leave your existing session logged into Prisma Cloud Console in case you encounter issues. Open a new in-private browser and go to https://<FQDN_of_your_Prisma Cloud_Console>:8083.

Prisma Cloud Groups to AAD Group mapping

When you use AAD Groups to assign roles within Prisma Cloud, you do not have to create a corresponding Prisma Cloud account.
  1. Click Add Group.
  2. Enter the display name of the AAD group.
  3. Click the SAML group radio button.
  4. Select the Prisma Cloud role for the group.
  5. Click Save. The Azure Active Directory SAML response sends the user's group membership as OIDs, not as group names. When a group is added, Prisma Cloud Console queries the Microsoft Azure endpoints to determine the OID of the group entered. Ensure your Prisma Cloud Console is able to reach https://login.windows.net/ and https://graph.windows.net.
  6. Test logging into Prisma Cloud Console via Azure Active Directory SAML federation. Leave your existing session logged into Prisma Cloud Console in case you encounter issues. Open a new in-private browser and go to https://<FQDN_of_your_Prisma Cloud_Console>:8083.
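The following added example (not Prisma Cloud code) shows why the OID lookup in step 5 matters: the groups claim carries object IDs only, so a configured display name that the directory lookup cannot resolve never matches any token, and its members are refused without an error in the token itself. The directory answer and the Console group configuration are constructed inline with made-up OIDs, standing in for the query Console makes to the Microsoft Azure endpoints.

```python
# Constructed stand-in for the answer Console receives from the Microsoft Azure
# endpoints when a SAML group is added: AAD group display name -> group OID.
# The OIDs are made up.
DIRECTORY_LOOKUP = {
    "prisma-admins": "aaaaaaaa-0000-0000-0000-000000000001",
    "prisma-auditors": "aaaaaaaa-0000-0000-0000-000000000002",
}

# Constructed Console SAML group configuration: display name -> Console role.
# "prisma-devops" is deliberately absent from the directory above.
CONSOLE_SAML_GROUPS = {
    "prisma-admins": "admin",
    "prisma-auditors": "auditor",
    "prisma-devops": "devops",
}


def resolve_group_oids(console_groups, lookup):
    """Turn configured display names into the OID -> role table that can be
    matched against the groups claim. Names the directory cannot resolve are
    returned separately: a group without an OID can never match a claim, so
    its members would silently get no access."""
    oid_to_role, unresolved = {}, []
    for name, role in console_groups.items():
        oid = lookup.get(name)
        if oid is None:
            unresolved.append(name)
        else:
            oid_to_role[oid] = role
    return oid_to_role, unresolved


def roles_from_claim(claimed_oids, oid_to_role):
    """Roles granted by the OIDs in the groups claim, in configuration order.
    An empty list means the user is in no mapped group. Which role wins when
    several match is not described on the page, so all matches are reported."""
    claimed = set(claimed_oids)
    return [role for oid, role in oid_to_role.items() if oid in claimed]


if __name__ == "__main__":
    table, missing = resolve_group_oids(CONSOLE_SAML_GROUPS, DIRECTORY_LOOKUP)
    print("unresolved group names:", missing)
    # Claim values as they appear in the AAD assertion: OIDs, never names.
    print(roles_from_claim(["aaaaaaaa-0000-0000-0000-000000000002"], table))
    print(roles_from_claim(["prisma-auditors"], table))  # a name in the claim matches nothing
```

If the Console cannot reach https://login.windows.net/ or https://graph.windows.net when a group is added, every configured name ends up in the unresolved list, which is the condition to check first when group-based logins fail while user-based logins work.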

Troubleshooting

If you misconfigure the SAML integration parameters in Prisma Cloud Console, you might get locked out of your Prisma Cloud admin account. When you try logging into Prisma Cloud Console to fix the configuration, you might be redirected to the Azure Active Directory login page.
The Prisma Cloud Console provides the ability to log on with a local database account when SAML integration is enabled. An example of a Prisma Cloud user is the default admin account created when you first install Prisma Cloud.
To log in with a Prisma Cloud user account when SAML is enabled, add the URL fragment /#!/login to Console's address. For example:
https://<CONSOLE_IPADDR | HOSTNAME>:8083/#!/login
Regular SAML users should log in with the address of Console's front page:
https://<CONSOLE_IPADDR | HOSTNAME>:8083
