1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Authentication
    6. Integrate with Azure Active Directory via SAML 2.0 federation
    End-of-Life (EoL)

    Integrate with Azure Active Directory via SAML 2.0 federation

    Many organizations use SAML to authenticate users for web services. Prisma Cloud supports the SAML 2.0 federation protocol to access Prisma Cloud Console. When SAML support is enabled, users can log into Console with their federated credentials. This article provides detailed steps for federating your Prisma Cloud Console with your Azure Active Directory (AAD) tenant’s Identity Provider (IdP).
    The Prisma Cloud/Azure Active Directory SAML federation flow works as follows:
    1. Users browse to Prisma Cloud Console.
    2. Their browsers are redirected to the AAD SAML 2.0 endpoint.
    3. They enter their AAD credentials to authenticate. Multi-factor authentication can be enforced at this step.
    4. An AAD SAML token is returned to Prisma Cloud Console.
    5. Prisma Cloud Console validates the Azure Active Directory SAML token’s signature and associates the user to their Prisma Cloud account via user identity mapping or group membership. Prisma Cloud supports SAML groups for Azure Active Directory federation.
    The Azure Portal may change the Enterprise Application SAML federation workflow over time. The concepts and steps outlined in this document can be applied to any Non-gallery application.
    The Prisma Cloud Console is integrated with Azure Active Directory as a federated SAML Enterprise Application. The steps to set up the integration are:

    Configure Azure Active Directory

    Configure Azure Active Directory.
    Prerequisites:
    • Required Azure Active Directory SKU: Premium
    • Required Azure Active Directory role: Global Administrator
    1. Log onto your Azure Active Directory tenant (https://portal.azure.com).
    3. On the top left of the window pane, click
      + New Application
      .
    4. Select
      Non-gallery application
      , from the Add your own app section.
    5. In the Name field, enter
      jdong-console
      , then click
      Add
      . In this example I am using "jdong-console"
    6. On the jdong-console menu select Single sign-on and choose SAML
      1. Identifier:
        jdong-console
         (Set to your Console’s unique Audience value. You will configure this value within your Console at a later step.)
      2. Reply URL:
        https://<FQDN_of_your_Prisma Cloud_Console>:8083/api/v1/authenticate
        .
    8. Select the Azure AD user attribute that will be used as the user account name within Prisma Cloud. This will be the NameID claim within the SAML response token. We recommend using the default value.
      1. Unique User Identifier (Name ID):
        user.userprincipalname [nameid-format:emailAddress]
        Even if you are using AAD Groups to assign access to Prisma Cloud set this value.
      1. Select
        Download: Certificate (Base64)
      2. Select the Pen icon.
      3. Set Signing Option:
        Sign SAML Response and Asertion
    10. Save the value of of Login URL and Azure AD Identifier. We will use these later for configuration in the Prisma Cloud Console.
    11. Copy the Application ID. You can find this going to Properties tab in the Manage section of the application.
    12. Click on Users and Groups within the Manage section of the application. Add the users and/or groups that will have the right to authenticate to Prisma Cloud Console.

    Prisma Cloud User to AAD User Identity mapping

    If you plan to map Azure Active Directory users to Prisma Cloud accounts go to Configure Prisma Cloud Console.

    Prisma Cloud Groups to AAD Group mapping

    When you use Azure Active Directory Groups to map to Prisma Cloud SAML Group, do not create users in Prisma Cloud Console. Configure the AAD SAML application to send AAD group membership (http://schemas.microsoft.com/ws/2008/06/identity/claims/groups) claims within the SAML response token. If you enable AAD Group authentication the Prisma Cloud User to AAD User Identity method of authentication will be ignored.
    1. Set Application permissions:
      2. Under the Manage section, go to API Permissions
      3. Click on
        Add a Permission
      4. Click on
        Microsoft Graph
      5. Select permissions:
        Application Permissions: Application.Read.All
      7. Click Grant admin consent for Default Directory within the Configured permissions blade.
    2. Create Application Secret
      1. Under the Manage section, go to Certificates & secrets
      2. Click on
        New Client secret
      4. Expires:
        Never
      5. Click Add
      6. Make sure to save the secret value that is generated before closing the blade.
    3. Configure the application to send group claims within the SAML response token.
      You can configure this setting either within the Azure portal or via powershell.
      1. Azure AD Portal:
        2. Click
          Manifest
        3. Set
          "groupMembershipClaims": "SecurityGroup"
        4. Click
          Save
      2. Powershell:
        1. Use the Azure AD powershell commandlet Set-AzureADApplication to configure the application.
        2. Run the following powershell commands:
          import-module AzureAD
Connect-AzureAD
$twistlock = Get-AzureADApplication | where-object {$_.DisplayName -eq "jdong-console"}
$oid = $twistlock.ObjectId
Set-AzureADApplication -ObjectID $oid -GroupMembershipClaims 1
        3. Confirm that the GroupMembershipClaims has been set to SecurityGroup
          $twistlock = Get-AzureADApplication | where-object {$_.DisplayName -eq "jdong-console"}
$twistlock.GroupMembershipClaims
          Allow several minutes for these permissions to propagate within AAD.

    Configure Prisma Cloud Console

    Configure Prisma Cloud Console.
    1. Log into Prisma Cloud Console as an administrator.
    2. Go to
      Manage > Authentication > Identity Providers > SAML
      .
    3. Set
      Integrate SAML users and groups with Prisma Cloud
       to
      Enabled
      .
      1. Set
        Identity Provider
         to
        Azure
        .
      2. In
        Identity provider single sign-on URL
        , enter the Azure AD provided
        Login URL
        .
      3. In
        Identity provider issuer
        , enter the Azure AD provided
        Azure AD Identifier
        .
      4. In
        Audience
        , enter
        jdong-console
        .
      5. In
        Application ID
        , enter
        jdong-console’s AAD Application ID
        .
      6. In
        Tenant ID
        , enter
        AAD tenant ID that contains the jdong-console application
        .
      7. In
        Application Secret
         enter
        jdong-console application keys
         (only required if using AAD Groups).
      8. In
        X.509 certificate
        , paste the Azure AD SAML
        Signing Certificate Base64
         into this field.
    4. Click
      Save

    Prisma Cloud User to AAD User Identity mapping

    If you plan to map Azure Active Directory users to Prisma Cloud accounts perform the following steps.
    1. Go to
      Manage > Authentication > Users
      .
    2. Click
      Add user
      .
    3. Create a New User
      .
      1. Username
        : Azure Active Directory userprincipalname
      2. Auth Method
        : Select
        SAML
      3. Role
        : Select the appropriate role for the user
      4. Click
        Save
        .
    4. Test logging into Prisma Cloud Console via Azure Active Directory SAML federation.
      Leave your existing session logged onto Prisma Cloud Console in case you encounter issues. Open a new in-private browser and go to
      https://<FQDN_of_your_Prisma Cloud_Console>:8083
      .

    Prisma Cloud Groups to AAD Group mapping

    When you use AAD Groups to assign roles within Prisma Cloud you do not have to create a corresponding Prisma Cloud account.
    1. Go to
      Manage > Authentication > Groups
      .
    2. Click
      Add Group
      .
    3. Enter the display name of the AAD group.
    4. Click the
      SAML group
       radio button.
    5. Select the Prisma Cloud role for the group.
    6. Click
      Save
      Azure Active Directory SAML response will send the user’s group membership as OIDs and not the name of the group. When a group is added, Prisma Cloud Console will query the Microsoft Azure endpoints to determine the OID of the group entered. Ensure your Prisma Cloud Console is able to reach https://login.windows.net/ and https://graph.windows.net
    7. Test logging into Prisma Cloud Console via Azure Active Directory SAML federation.
      Leave your existing session logged into Prisma Cloud Console in case you encounter issues. Open a new incognito browser window and go to
      https://<CONSOLE>:8083
      .