1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Authentication
    6. Integrate Prisma Cloud with Open ID Connect
    End-of-Life (EoL)

    Integrate Prisma Cloud with Open ID Connect

    OpenID Connect is an standard that extends OAuth 2.0 to add an identity layer. Prisma Cloud supports integration with any standard Open ID Connect (OIDC) provider that implements both OpenID connect core and OpenID connect discovery. Instructions for integrating with PingOne and Okta are shown here.
    Prisma Cloud supports the authorization code flow only.

    PingOne

    Integrate with PingOne.
    You need to configure Compute as an OIDC app. When configuring your app:
    • The Start SSO URL must point to https://<CONSOLE>:<PORT>/callback.
    • The Redirect URI must point to https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oidc.
    • UserInfo must include sub, idpid, name.
    • All of the following scopes must be included for OpenID: OpenID Connect (openid), OpenID profile, OpenID Email, OpenID address, OpenID Phone, Groups.

    Update Ping callback URL

    Update the callback URL.
    1. Log into the Ping web portal.
    2. Click
      Applications
      , and then click the
      OIDC
       tab.
    3. Click on the arrow button nest for your app.
    4. Click on the pencil icon on the right side.
    5. Click on
      Authentication Flow
      .
    6. In
      REDIRECT URIS
      , enter the callback URL:
      https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oidc
      .

    Create new user and join to group

    1. In the Ping web portal, click
      Users
      , and then click the
      Users
       tab.
    2. Click
      Add users
      , and choose the
      Create New User
       option.
    3. Fill the fields for
      Password
      ,
      Username
       (should be your email),
      First Name
      ,
      Last Name
      , and
      Email
      .
    4. In the
      Membership
       field, click
      Add
      , and choose a group.
    5. Click
      Save
      .

    Okta

    Integrate with Okta.
    • Initiate Login URI (Okta) must point to https://<CONSOLE>:<PORT>/callback.
    • Redirect URI must point to https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oidc.
    • UserInfo must include sub, idpid, name.
    • Scopes:
      • All of the following scopes must be included for OpenID: OpenID Connect (openid), OpenID profile, OpenID Email, OpenID address, OpenID Phone, Groups.
      • All of the following scopes must be included for Okta: okta.groups.manage, okta.groups.read.

    Update Okta callback URL

    Update the callback URL.
    1. Log into Okta.
    2. Click on
      Applications
       and click on your application.
    3. Click the
      General
       tab, and then click
      Edit
      .
    4. Update
      Login redirect URIs
      . Enter the following callback URL:
      https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oidc
      , and then click
      Save
      .

    Configure Prisma Cloud

    Configure Prisma Cloud.
    1. Log into Prisma Cloud Console.
    2. Go to
      Manage > Authentication > Identity Providers > OpenID Connect
      .
    3. Enable OpenID Connect.
    4. Fill in the settings.
      1. For
        Client ID
        , enter the client ID.
      2. For
        Client Secret
        , enter the client secret.
      3. For
        Issuer URL
        , enter:
        https://sso.connect.pingidentity.com/<CLIENT_ID>
        .
      4. For
        Group scope
        , select
        groups
        .
      5. (Optional) Enter your certificate.
      6. Click
        Save
        .

    Prisma Cloud to OIDC user identity mapping

    Create a Prisma Cloud user for every user that should have access to Prisma Cloud. Prisma Cloud uses the sub attribute that comes from OIDC to match the username configured in the Prisma Cloud database (as required by the OIDC spec). Whichever value the provider is configured to send to Prisma Cloud should be used to configure users.
    1. Go to
      Manage > Authentication > Users
      .
    2. Click
      Add User
      .
    3. Set
      Username
       to the GitHub user name.
    4. Set
      Auth method
       to
      OpenID Connect
      .
    5. Select a role for the user.
    6. Click
      Save
      .
    7. Test logging into Prisma Cloud Console.
      1. Logout of Prisma Cloud.
      2. On the login page, select
        OpenID Connect
        , and then click
        Login
        .
      3. You’re redirected to your OIDC provider to authenticate.
      4. After successfully authenticating, you’re logged into Prisma Cloud Console.

    Prisma Cloud to OIDC provider group mapping

    When you use groups to assign roles in Prisma Cloud you don’t have to create individual Prisma Cloud accounts for each user. The group value configured on the Compute side should reflect the name of the group scope in the OIDC provider. It might be something different than groups.
    Groups can be associated and authenticated with by multiple identity providers.
    1. Go to
      Manage > Authentication > Groups
      .
    2. Click
      Add Group
      .
    3. In
      Name
      , enter an OpenShift group name.
    4. In
      Authentication method
      , select
      External Providers
      .
    5. In
      Authentication Providers
      , select
      OpenID Connect group
      .
    6. Select a role for the members of the group.
    7. Click
      Save
      .
    8. Test logging into Prisma Cloud Console.
      1. Logout of Prisma Cloud.
      2. On the login page, select
        OpenID Connect
        , and then click
        Login
        .
      3. You’re redirected to your OIDC provider to authenticate.
      4. After successfully authenticating, you’re logged into Prisma Cloud Console.