Integrate Prisma Cloud with OpenShift

OpenShift users can log into Prisma Cloud Console using OpenShift as an OAuth 2.0 provider.
Prisma Cloud currently supports OpenShift Platform versions 4.5 and older as an OAuth 2.0 provider. We are working to add support for OpenShift versions 4.6 and later.
The OpenShift master includes a built-in OAuth server. You can integrate OpenShift authentication into Prisma Cloud. When users attempt to access Prisma Cloud, which is a protected resource, they are redirected to authenticate with OpenShift. After authenticating successfully, they are redirected back to Prisma Cloud Console with an OAuth token. This token scopes what the user can do in OpenShift. Prisma Cloud only needs the auth token to get the user’s info (e.g. user name, email), and check the Prisma Cloud database to see if this user is authorized. If so, Prisma Cloud creates a JWT token, with a role claim, to complete the authentication process to Console. Roles are assigned based on users and group information specified in Console.
The following diagram shows the login flow when the auth provider is LDAP. With LDAP, users enter their credentials in Prisma Cloud Console, and Prisma authenticates with the LDAP server on the user’s behalf. With all other auth providers, Prisma isn’t part of verifying the user credentials Instead Prisma redirects the client to the auth provider for authentication. Once the user successfully authenticates via the authentication provider, the client is redirected back to Prisma Cloud Console with an object (SAML assertion for SAML, JWT token for OIDC, Access token for OAuth 2.0) that proves a successful login or, in the OAuth 2.0 case, gives us access to the application to verify the user identity.
Prisma Cloud supports the authorization code flow only.

Integrate Prisma Cloud with OpenShift

Configure Prisma Cloud so that OpenShift users can log into Prisma Cloud with the same identity.
  1. In OpenShift, register Prisma Cloud as an OAuth client. Set the redirect URL to:
    https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oauth.
  2. Log into Prisma Cloud Console.
  3. Go to
    Manage > Authentication > Identity Providers > OAuth 2.0
    .
  4. Set
    Integrate Oauth 2.0 users and groups with Prisma Cloud
    to
    Enabled
    .
  5. Set
    Identity provider
    to
    OpenShift
    .
  6. Set
    Client ID
    to the
    name
    of the OAuth client you set up in OpenShift.
  7. Set
    Client secret
    to the
    secret
    in the OAuth client you set up in OpenShift.
  8. Set
    Auth URL
    to
    https://github.com/login/oauth/authorize
    .
  9. Set
    Token URL
    to
    https://github.com/login/oauth/access_token
    .
  10. In
    User Info API URL
    , enter the TCP endpoint for the OpenShift API server. For example,
    https://openshift.default.svc.cluster.local
    .
  11. Click
    Save
    .

Prisma Cloud to OpenShift user identity mappings

Create a Prisma Cloud user for every OpenShift user that should have access to Prisma Cloud.
After the user is authenticated, Prisma Cloud uses the access token to query OpenShift for the user’s information (user name, email). The user information returned from OpenShift is compared against the Prisma Cloud Console database to determine if the user is authorized. If so, a JWT token is returned.
  1. Go to
    Manage > Authentication > Users
    .
  2. Click
    Add User
    .
  3. Set
    Username
    to the OpenShift user name.
  4. Set
    Auth method
    to
    OAuth
    .
  5. Select a role for the user.
  6. Click
    Save
    .
  7. Test logging into Prisma Cloud Console.
    1. Logout of Prisma Cloud.
    2. On the login page, select
      OAuth
      , and then click
      Login
      .
    3. Authorize the Prisma Cloud OAuth App to sign you in.

Prisma Cloud to OpenShift group mappings

Use groups to streamline how Prisma Cloud roles are assigned to users. When you use groups to assign roles, you don’t have to create individual Prisma Cloud accounts for each user.
Groups can be associated and authenticated with by multiple identity providers.
  1. Go to
    Manage > Authentication > Groups
    .
  2. Click
    Add Group
    .
  3. In
    Name
    , enter an OpenShift group name.
  4. In
    Authentication method
    , select
    External Providers
    .
  5. In
    Authentication Providers
    , select
    OAuth group
    .
  6. Select a role for the members of the group.
  7. Click
    Save
    .
  8. Test logging into Prisma Cloud Console.
    1. Logout of Prisma Cloud.
    2. On the login page, select
      OAuth
      , and then click
      Login
      .
    3. Authorize the Prisma Cloud OAuth App to sign you in.

Recommended For You