End-of-Life (EoL)
Integrate Prisma Cloud with OpenShift
OpenShift users can log into Prisma Cloud Console using OpenShift as an OAuth 2.0 provider.
The OpenShift master includes a built-in OAuth server.
You can integrate OpenShift authentication into Prisma Cloud.
When users attempt to access Prisma Cloud, which is a protected resource, they are redirected to authenticate with OpenShift.
After authenticating successfully, they are redirected back to Prisma Cloud Console with an OAuth token.
This token scopes what the user can do in OpenShift.
Prisma Cloud only needs the access token to retrieve the user’s info (e.g. user name, email) and to check the Prisma Cloud database to see whether this user is authorized.
If so, Prisma Cloud creates a JWT token, with a role claim, to complete the authentication process to Console.
Roles are assigned based on users and group information specified in Console.
The following diagram shows the login flow when the auth provider is LDAP.
With LDAP, users enter their credentials in Prisma Cloud Console, and Prisma authenticates with the LDAP server on the user’s behalf.
With all other auth providers, Prisma isn’t part of verifying the user credentials.
Instead, Prisma redirects the client to the auth provider for authentication.
Once the user successfully authenticates with the authentication provider, the client is redirected back to Prisma Cloud Console with an object (a SAML assertion for SAML, a JWT for OIDC, an access token for OAuth 2.0) that proves a successful login or, in the OAuth 2.0 case, gives Prisma Cloud access to the provider’s API to verify the user’s identity.

Prisma Cloud supports the authorization code flow only.
Integrate Prisma Cloud with OpenShift
Configure Prisma Cloud so that OpenShift users can log into Prisma Cloud with the same identity.
- In OpenShift, register Prisma Cloud as an OAuth client. Set the redirect URL to: https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oauth.
- Log into Prisma Cloud Console.
- Go to Manage > Authentication > Identity Providers > OAuth 2.0.
- Set Integrate OAuth 2.0 users and groups with Prisma Cloud to Enabled.
- Set Identity provider to OpenShift.
- Set Client ID to the name of the OAuth client you set up in OpenShift.
- Set Client secret to the secret in the OAuth client you set up in OpenShift.
- Set Auth URL to https://github.com/login/oauth/authorize.
- Set Token URL to https://github.com/login/oauth/access_token.
- In User Info API URL, enter the TCP endpoint for the OpenShift API server. For example, https://openshift.default.svc.cluster.local.
- Click Save.
Prisma Cloud to OpenShift user identity mappings
Create a Prisma Cloud user for every OpenShift user that should have access to Prisma Cloud.
After the user is authenticated, Prisma Cloud uses the access token to query OpenShift for the user’s information (user name, email).
The user information returned from OpenShift is compared against the Prisma Cloud Console database to determine if the user is authorized.
If so, a JWT token is returned.
- Go to Manage > Authentication > Users.
- Click Add User.
- Set Username to the OpenShift user name.
- Set Auth method to OAuth.
- Select a role for the user.
- Click Save.
- Test logging into Prisma Cloud Console.
- Log out of Prisma Cloud.
- On the login page, select OAuth, and then click Login.
- Authorize the Prisma Cloud OAuth App to sign you in.
Prisma Cloud to OpenShift group mappings
Use groups to streamline how Prisma Cloud roles are assigned to users.
When you use groups to assign roles, you don’t have to create individual Prisma Cloud accounts for each user.
A group can be associated with, and authenticated by, multiple identity providers.
- Go to Manage > Authentication > Groups.
- Click Add Group.
- In Name, enter an OpenShift group name.
- In Authentication method, select External Providers.
- In Authentication Providers, select OAuth group.
- Select a role for the members of the group.
- Click Save.
- Test logging into Prisma Cloud Console.
- Log out of Prisma Cloud.
- On the login page, select OAuth, and then click Login.
- Authorize the Prisma Cloud OAuth App to sign you in.
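To make the authorization code flow described at the top of this page and the user and group mappings above concrete, here is an added Python illustration (not Prisma Cloud’s code) of the Console-side callback logic: the one-time code is exchanged for an access token, the token is used to fetch the user’s info, that info is matched against the configured user and group mappings, and a JWT carrying a role claim is issued only when a mapping exists. The OpenShift server is a constructed in-memory stand-in; the client name, secret, user names, groups, role names, signing key and Console port are all assumed values, and user mappings taking precedence over group mappings is an assumption.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed stand-in for the OpenShift OAuth server and its user-info API (no network).
class FakeOpenShift:
    CLIENT = ("prisma-console", "s3cret")  # constructed OAuth client name / secret
    def __init__(self):
        self.codes, self.tokens = {}, {}
        self.users = {  # constructed OpenShift users and their groups
            "alice": {"email": "alice@example.com", "groups": ["cluster-admins"]},
            "bob":   {"email": "bob@example.com",   "groups": ["developers"]},
            "carol": {"email": "carol@example.com", "groups": ["guests"]},
        }
    def authorize(self, username, redirect_uri, state):
        # User has authenticated at OpenShift; the browser is sent back with a one-time code.
        code = secrets.token_urlsafe(16)
        self.codes[code] = username
        return f"{redirect_uri}?code={code}&state={state}"
    def token(self, code, client_id, client_secret):
        if (client_id, client_secret) != self.CLIENT:
            raise PermissionError("bad client credentials")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = self.codes.pop(code)  # authorization code is single-use
        return tok
    def userinfo(self, tok):
        name = self.tokens[tok]
        return {"username": name, **self.users[name]}

# Console-side mappings, as configured under Manage > Authentication (constructed values).
USERS  = {"alice": "admin"}            # Username -> role (Auth method: OAuth)
GROUPS = {"developers": "devOps"}      # OAuth group -> role for its members
JWT_KEY = b"console-signing-key"       # constructed HS256 key for the issued JWT

def b64url(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_jwt(username, role):
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"sub": username, "role": role, "exp": int(time.time()) + 3600}).encode())
    sig  = b64url(hmac.new(JWT_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest())
    return f"{head}.{body}.{sig}"

def callback(idp, redirect_url, expected_state):
    # Console's callback logic: code -> access token -> user info -> role lookup -> JWT.
    params = dict(p.split("=", 1) for p in redirect_url.split("?", 1)[1].split("&"))
    if params.get("state") != expected_state:      # reject forged or replayed redirects
        return None
    info = idp.userinfo(idp.token(params["code"], *FakeOpenShift.CLIENT))
    role = USERS.get(info["username"]) or next((GROUPS[g] for g in info["groups"] if g in GROUPS), None)
    return issue_jwt(info["username"], role) if role else None   # no mapping: login denied

def role_of(jwt):
    body = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))["role"]
```

A user with neither a Username entry nor a matching OAuth group receives no JWT, which is the behaviour the mapping sections above describe.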