Integrate with Azure Active Directory via SAML 2.0 federation

Many organizations use SAML to authenticate users for web services. Prisma Cloud supports the SAML 2.0 federation protocol to access Prisma Cloud Console. When SAML support is enabled, users can log into Console with their federated credentials. This article provides detailed steps for federating your Prisma Cloud Console with your Azure Active Directory (AAD) tenant’s Identity Provider (IdP).
The Prisma Cloud/Azure Active Directory SAML federation flow works as follows:
  1. Users browse to Prisma Cloud Console.
  2. Their browsers are redirected to the AAD SAML 2.0 endpoint.
  3. They enter their AAD credentials to authenticate. Multi-factor authentication can be enforced at this step.
  4. An AAD SAML token is returned to Prisma Cloud Console.
  5. Prisma Cloud Console validates the Azure Active Directory SAML token’s signature and associates the user to their Prisma Cloud account via user identity mapping or group membership. Prisma Cloud supports SAML groups for Azure Active Directory federation.
The Azure Portal may change the Enterprise Application SAML federation workflow over time. The concepts and steps outlined in this document can be applied to any Non-gallery application.
The Prisma Cloud Console is integrated with Azure Active Directory as a federated SAML Enterprise Application. The steps to set up the integration are:

Configure Azure Active Directory

Configure Azure Active Directory.
Prerequisites:
  • Required Azure Active Directory SKU: Premium
  • Required Azure Active Directory role: Global Administrator
  1. Log onto your Azure Active Directory tenant (https://portal.azure.com).
  2. On the top left of the window pane, click + New Application.
  3. Select Non-gallery application from the Add your own app section.
  4. In the Name field, enter jdong-console, then click Add. In this example I am using "jdong-console".
  5. On the jdong-console menu, select Single sign-on and choose SAML.
    1. Identifier: jdong-console (set this to your Console’s unique Audience value; you will configure the same value within your Console at a later step).
    2. Reply URL: https://<FQDN_of_your_Prisma Cloud_Console>:8083/api/v1/authenticate
  6. Select the Azure AD user attribute that will be used as the user account name within Prisma Cloud. This will be the NameID claim within the SAML response token. We recommend using the default value.
    1. Unique User Identifier (Name ID): user.userprincipalname [nameid-format:emailAddress]. Set this value even if you are using AAD Groups to assign access to Prisma Cloud.
    2. Select Download: Certificate (Base64).
    3. Select the Pen icon.
    4. Set Signing Option: Sign SAML Response and Assertion.
  7. Save the values of Login URL and Azure AD Identifier. We will use these later for configuration in the Prisma Cloud Console.
  8. Copy the Application ID. You can find it on the Properties tab in the Manage section of the application.
  9. Click on Users and Groups within the Manage section of the application. Add the users and/or groups that will have the right to authenticate to Prisma Cloud Console.

Prisma Cloud User to AAD User Identity mapping

If you plan to map Azure Active Directory users to Prisma Cloud accounts go to Configure Prisma Cloud Console.

Prisma Cloud Groups to AAD Group mapping

When you use Azure Active Directory Groups to map to Prisma Cloud SAML Groups, do not create users in Prisma Cloud Console. Configure the AAD SAML application to send AAD group membership claims (http://schemas.microsoft.com/ws/2008/06/identity/claims/groups) within the SAML response token. If you enable AAD Group authentication, the Prisma Cloud User to AAD User Identity method of authentication is ignored.
  1. Set Application permissions:
    1. Under the Manage section, go to API Permissions.
    2. Click on Add a Permission.
    3. Click on Microsoft Graph.
    4. Select permissions: Application Permissions: Application.Read.All
    5. Click Grant admin consent for Default Directory within the Configured permissions blade.
  2. Create Application Secret:
    1. Under the Manage section, go to Certificates & secrets.
    2. Click on New Client secret.
    3. Expires: Never
    4. Click Add.
    5. Make sure to save the secret value that is generated before closing the blade.
  3. Configure the application to send group claims within the SAML response token.
    You can configure this setting either within the Azure portal or via PowerShell.
    1. Azure AD Portal:
      1. Click Manifest.
      2. Set "groupMembershipClaims": "SecurityGroup"
      3. Click Save.
    2. PowerShell:
      1. Use the Azure AD PowerShell cmdlet Set-AzureADApplication to configure the application.
      2. Run the following PowerShell commands:
        # Load the Azure AD module and sign in to the tenant
        Import-Module AzureAD
        Connect-AzureAD
        # Look up the application registration by its display name
        $twistlock = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "jdong-console"}
        $oid = $twistlock.ObjectId
        # Bitmask value 1 = emit security group membership (SecurityGroup) in the token
        Set-AzureADApplication -ObjectId $oid -GroupMembershipClaims 1
      3. Confirm that GroupMembershipClaims has been set to SecurityGroup:
        $twistlock = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "jdong-console"}
        $twistlock.GroupMembershipClaims
        Allow several minutes for these permissions to propagate within AAD.

Configure Prisma Cloud Console

Configure Prisma Cloud Console.
  1. Log into Prisma Cloud Console as an administrator.
  2. Go to Manage > Authentication > Identity Providers > SAML.
  3. Set Integrate SAML users and groups with Prisma Cloud to Enabled.
    1. Set Identity Provider to Azure.
    2. In Identity provider single sign-on URL, enter the Azure AD provided Login URL.
    3. In Identity provider issuer, enter the Azure AD provided Azure AD Identifier.
    4. In Audience, enter jdong-console.
    5. In Application ID, enter jdong-console’s AAD Application ID.
    6. In Tenant ID, enter the AAD tenant ID that contains the jdong-console application.
    7. In Application Secret, enter the jdong-console application secret value (only required if using AAD Groups).
    8. In X.509 certificate, paste the Azure AD SAML Signing Certificate Base64 into this field.
  4. Click Save.

Prisma Cloud User to AAD User Identity mapping

If you plan to map Azure Active Directory users to Prisma Cloud accounts, perform the following steps.
  1. Go to Manage > Authentication > Users.
  2. Click Add user.
  3. Create a New User.
    1. Username: the user’s Azure Active Directory userprincipalname
    2. Auth Method: Select SAML
    3. Role: Select the appropriate role for the user
    4. Click Save.
  4. Test logging into Prisma Cloud Console via Azure Active Directory SAML federation.
    Leave your existing session logged onto Prisma Cloud Console in case you encounter issues. Open a new in-private browser window and go to https://<FQDN_of_your_Prisma Cloud_Console>:8083.

Prisma Cloud Groups to AAD Group mapping

When you use AAD Groups to assign roles within Prisma Cloud, you do not have to create a corresponding Prisma Cloud account.
  1. Go to Manage > Authentication > Groups.
  2. Click Add Group.
  3. Enter the display name of the AAD group.
  4. Click the SAML group radio button.
  5. Select the Prisma Cloud role for the group.
  6. Click Save.
    The Azure Active Directory SAML response sends the user’s group membership as OIDs, not group names. When a group is added, Prisma Cloud Console queries the Microsoft Azure endpoints to determine the OID of the group entered. Ensure your Prisma Cloud Console is able to reach https://login.windows.net/ and https://graph.windows.net.
  7. Test logging into Prisma Cloud Console via Azure Active Directory SAML federation.
    Leave your existing session logged into Prisma Cloud Console in case you encounter issues. Open a new incognito browser window and go to https://<CONSOLE>:8083.
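The checks that step 5 of the federation flow describes (validate the token, then map the user by NameID or by group membership), together with the group-OID behaviour noted under step 6 above, as an added example that is not part of this page or of Prisma Cloud's own code. It assumes the XML signature has already been verified against the uploaded X.509 certificate; the issuer, tenant ID, group OID, user name and sample response are all constructed.

```python
"""Claim checks on an Azure AD SAML response after its signature has been verified.

Hypothetical code: signature verification against the IdP certificate (Console step 8)
is assumed done already, e.g. with an XML-DSig library; only the checks after it appear here."""
import xml.etree.ElementTree as ET  # prefer defusedxml in production to resist entity expansion
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample values (not from a real tenant): issuer in the Azure AD Identifier
# form, audience as configured in Console, NameID as userprincipalname, group as an OID.
SAMPLE_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SAMPLE_GROUP_OID = "11111111-2222-3333-4444-555555555555"
SAMPLE_NOW = datetime(2024, 1, 1, 0, 30, tzinfo=timezone.utc)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <saml:Assertion><saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
    jdong@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
   <saml:AudienceRestriction><saml:Audience>jdong-console</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="{GROUPS_CLAIM}">
   <saml:AttributeValue>{SAMPLE_GROUP_OID}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def extract_claims(xml_text, expected_issuer, expected_audience, now):
    """Enforce issuer, audience and validity window, then return NameID and group OIDs."""
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a.findtext("saml:Issuer", namespaces=NS).strip() != expected_issuer:
        raise ValueError("issuer does not match the configured Identity provider issuer")
    cond = a.find("saml:Conditions", NS)
    audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("audience does not match the configured Audience")
    not_before = datetime.fromisoformat(cond.get("NotBefore").replace("Z", "+00:00"))
    not_after = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if not not_before <= now < not_after:
        raise ValueError("assertion is outside its validity window")
    groups_path = f"saml:AttributeStatement/saml:Attribute[@Name='{GROUPS_CLAIM}']/saml:AttributeValue"
    return {"nameid": a.findtext("saml:Subject/saml:NameID", namespaces=NS).strip(),
            "groups": [v.text.strip() for v in a.findall(groups_path, NS)]}

def resolve_role(claims, user_roles, group_roles):
    """Group mapping (OID -> role) wins when configured; the per-user mapping is then ignored."""
    if group_roles:
        return next((group_roles[g] for g in claims["groups"] if g in group_roles), None)
    return user_roles.get(claims["nameid"])
```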
