Integrate Prisma Cloud with Open ID Connect

OpenID Connect is a standard that extends OAuth 2.0 to add an identity layer. Prisma Cloud supports integration with any standard OpenID Connect (OIDC) provider that implements both OpenID Connect Core and OpenID Connect Discovery. Instructions for integrating with PingOne and Okta are shown here.
Prisma Cloud supports the authorization code flow only.

PingOne

Integrate with PingOne.
You need to configure Compute as an OIDC app. When configuring your app:
  • The Start SSO URL must point to https://<CONSOLE>:<PORT>/callback.
  • The Redirect URI must point to https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oidc.
  • UserInfo must include sub, idpid, name.
  • All of the following scopes must be included for OpenID: OpenID Connect (openid), OpenID profile, OpenID Email, OpenID address, OpenID Phone, Groups.
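The provider requirements above (Discovery support, the authorization code flow, the listed scopes, and the `sub`/`name` UserInfo claims) can be checked up front against the provider's discovery document. The following is an added pre-flight check, not Prisma Cloud's own code; the issuer and discovery document are constructed placeholders, and `idpid` is provider-specific, so it is not checked here.

```python
"""Pre-flight check of an OIDC provider's discovery document (added example)."""
import json
import urllib.request

# Scopes and standard UserInfo claims this page says the provider must offer.
REQUIRED_SCOPES = {"openid", "profile", "email", "address", "phone", "groups"}
REQUIRED_CLAIMS = {"sub", "name"}
CALLBACK_PATH = "/api/v1/authenticate/callback/oidc"


def fetch_discovery(issuer: str) -> dict:
    """Fetch <issuer>/.well-known/openid-configuration (OIDC Discovery 1.0)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def check_discovery(doc: dict, issuer: str, redirect_uri: str) -> list:
    """Return a list of problems; an empty list means the provider looks usable."""
    problems = []
    if doc.get("issuer") != issuer:
        problems.append("issuer mismatch: %r" % doc.get("issuer"))
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append("%s missing or not https" % key)
    # Prisma Cloud only supports the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not advertised")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    missing = REQUIRED_CLAIMS - set(doc.get("claims_supported", []))
    if missing:
        problems.append("UserInfo claims not advertised: " + ", ".join(sorted(missing)))
    if not redirect_uri.startswith("https://") or not redirect_uri.endswith(CALLBACK_PATH):
        problems.append("redirect URI must be https://<CONSOLE>:<PORT>" + CALLBACK_PATH)
    return problems


# Constructed sample document for a placeholder issuer (not a real provider).
SAMPLE_ISSUER = "https://idp.example.invalid"
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "userinfo_endpoint": SAMPLE_ISSUER + "/userinfo",
    "jwks_uri": SAMPLE_ISSUER + "/keys",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "profile", "email", "address", "phone", "groups"],
    "claims_supported": ["sub", "name", "email", "groups"],
}
SAMPLE_REDIRECT = "https://console.example.invalid:8083" + CALLBACK_PATH
```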

Update Ping callback URL

Update the callback URL.
  1. Log into the Ping web portal.
  2. Click Applications, and then click the OIDC tab.
  3. Click the arrow button next to your app.
  4. Click the pencil icon on the right side.
  5. Click Authentication Flow.
  6. In REDIRECT URIS, enter the callback URL: https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oidc.

Create new user and join to group

  1. In the Ping web portal, click Users, and then click the Users tab.
  2. Click Add users, and choose the Create New User option.
  3. Fill in the fields for Password, Username (should be your email), First Name, Last Name, and Email.
  4. In the Membership field, click Add, and choose a group.
  5. Click Save.

Okta

Integrate with Okta.
  • Initiate Login URI (Okta) must point to https://<CONSOLE>:<PORT>/callback.
  • Redirect URI must point to https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oidc.
  • UserInfo must include sub, idpid, name.
  • Scopes:
    • All of the following scopes must be included for OpenID: OpenID Connect (openid), OpenID profile, OpenID Email, OpenID address, OpenID Phone, Groups.
    • All of the following scopes must be included for Okta: okta.groups.manage, okta.groups.read.

Update Okta callback URL

Update the callback URL.
  1. Log into Okta.
  2. Click Applications, and then click your application.
  3. Click the General tab, and then click Edit.
  4. Update Login redirect URIs. Enter the following callback URL: https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oidc, and then click Save.

Configure Prisma Cloud

Configure Prisma Cloud.
  1. Log into Prisma Cloud Console.
  2. Go to Manage > Authentication > Identity Providers > OpenID Connect.
  3. Enable OpenID Connect.
  4. Fill in the settings.
    1. For Client ID, enter the client ID.
    2. For Client Secret, enter the client secret.
    3. For Issuer URL, enter: https://sso.connect.pingidentity.com/<CLIENT_ID>.
    4. For Group scope, select groups.
    5. (Optional) Enter your certificate.
    6. Click Save.

Prisma Cloud to OIDC user identity mapping

Create a Prisma Cloud user for every user that should have access to Prisma Cloud. Prisma Cloud uses the sub attribute that comes from OIDC to match the username configured in the Prisma Cloud database (as required by the OIDC spec). Whichever value the provider is configured to send to Prisma Cloud should be used to configure users.
  1. Go to Manage > Authentication > Users.
  2. Click Add User.
  3. Set Username to the GitHub user name.
  4. Set Auth method to OpenID Connect.
  5. Select a role for the user.
  6. Click Save.
  7. Test logging into Prisma Cloud Console.
    1. Log out of Prisma Cloud.
    2. On the login page, select OpenID Connect, and then click Login.
    3. You’re redirected to your OIDC provider to authenticate.
    4. After successfully authenticating, you’re logged into Prisma Cloud Console.

Prisma Cloud to OIDC provider group mapping

When you use groups to assign roles in Prisma Cloud, you don’t have to create individual Prisma Cloud accounts for each user. The group value configured on the Compute side should match the name of the group scope in the OIDC provider. It might be something other than groups.
Groups can be associated with, and authenticated by, multiple identity providers.
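The two mapping rules on this page (the user mapping above, where the OIDC `sub` claim must equal a Prisma Cloud username, and the group mapping here, where the group claim name follows the provider's group scope and may not be `groups`) are illustrated below. This is an added example with constructed user and group tables, not Prisma Cloud's own code.

```python
"""Resolve a role from OIDC UserInfo claims the way this page describes (added example)."""

# Constructed stand-ins for the Prisma Cloud user and group tables.
USERS = {"alice@example.invalid": "admin"}              # username (matched on sub) -> role
GROUPS = {"devops": "devOps", "auditors": "auditor"}    # OIDC group name -> role


def resolve_role(userinfo: dict, group_claim: str = "groups"):
    """Return (sub, role) or None when the login must be refused.

    1. User mapping: the 'sub' claim must equal a configured Prisma Cloud username.
    2. Group mapping: otherwise, the first group in the configured group claim that
       has a role grants it. The claim name comes from the provider's group scope;
       a wrong name yields no groups at all, which is reported as a refusal rather
       than silently granting nothing.
    """
    sub = userinfo.get("sub")
    if not isinstance(sub, str) or not sub:
        return None                       # OIDC Core requires sub; refuse without it
    if sub in USERS:
        return sub, USERS[sub]
    groups = userinfo.get(group_claim)
    if not isinstance(groups, list):
        return None                       # claim absent or group scope misnamed
    for group in groups:
        if group in GROUPS:
            return sub, GROUPS[group]
    return None                           # authenticated, but no role: deny access
```

Running `resolve_role` with a UserInfo response that carries the groups under a different claim name (for example `memberOf`) shows why the Compute-side group scope must match the provider's.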
  1. Go to Manage > Authentication > Groups.
  2. Click Add Group.
  3. In Name, enter an OpenShift group name.
  4. In Authentication method, select External Providers.
  5. In Authentication Providers, select OpenID Connect group.
  6. Select a role for the members of the group.
  7. Click Save.
  8. Test logging into Prisma Cloud Console.
    1. Log out of Prisma Cloud.
    2. On the login page, select OpenID Connect, and then click Login.
    3. You’re redirected to your OIDC provider to authenticate.
    4. After successfully authenticating, you’re logged into Prisma Cloud Console.