Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services (ADFS) via SAML 2.0 federation

Many organizations use SAML to authenticate users for web services. Prisma Cloud supports the SAML 2.0 federation protocol for access to the Prisma Cloud Console. When SAML support is enabled, users can log into Console with their federated credentials. This article provides detailed steps for federating your Prisma Cloud Console with your Active Directory Federation Service (ADFS) Identity Provider (IdP).
Prisma Cloud supports SAML 2.0 federation with Windows Server 2016 and Windows Server 2012r2 Active Directory Federation Services via the SAML protocol. The federation flow works as follows:
  1. Users browse to Prisma Cloud Console.
  2. Their browsers are redirected to the ADFS SAML 2.0 endpoint.
  3. Users authenticate either with Windows Integrated Authentication or Forms Based Authentication. Multi-factor authentication can be enforced at this step.
  4. An ADFS SAML token is returned to Prisma Cloud Console.
  5. Prisma Cloud Console validates the SAML token’s signature and associates the user with their Prisma Cloud account via user identity mapping or group membership.
Prisma Cloud Console is integrated with ADFS as a federated SAML Relying Party Trust.
The Relying Party trust workflows may differ slightly between Windows Server 2016 and Windows Server 2012r2 ADFS, but the concepts are the same.

Configure Active Directory Federation Services

This guide assumes you have already deployed Active Directory Federation Services, and Active Directory is the claims provider for the service.
  1. Log onto your Active Directory Federation Services server.
  2. Go to Server Manager > Tools > AD FS Management to start the ADFS snap-in.
  3. Go to AD FS > Service > Certificates and click on the Primary Token-signing certificate.
  4. Select the Details tab, and click Copy to File….
  5. Save the certificate as a Base-64 encoded X.509 (.CER) file. You will upload this certificate into the Prisma Cloud Console in a later step.
  6. Go to AD FS > Relying Party Trusts.
  7. Click Add Relying Party Trust from the Actions menu.
    1. Step Welcome: select Claims aware.
    2. Step Select Data Source: select Enter data about the relying party manually.
    3. Step Specify Display Name: in Display Name, enter twistlock Console.
    4. Step Configure Certificate: leave blank.
    5. Step Configure URL: select Enable support for the SAML 2.0 WebSSO protocol. Enter the URL for your Prisma Cloud Console: https://<FQDN_TWISTLOCK_CONSOLE>:8083/api/v1/authenticate/
    6. Step Configure Identifiers: for example, enter twistlock (all lower case) and click Add.
    7. Step Choose Access Control Policy: this is where you can enforce multi-factor authentication for Prisma Cloud Console access. For this example, select Permit everyone.
    8. Step Ready to Add Trust: no changes, click Next.
    9. Step Finish: select Configure claims issuance policy for this application, then click Close.
    10. In the Edit Claim Issuance Policy for Prisma Cloud Console dialog, click Add Rule.
    11. Step Choose Rule Type: in Claim rule template, select Send LDAP Attributes as Claims.
    12. Step Configure Claim Rule:
      • Set Claim rule name to Prisma Cloud Console.
      • Set Attribute Store to Active Directory.
      • In Mapping of LDAP attributes to outgoing claim types, set the LDAP Attribute to SAM-Account-Name and Outgoing claim type to Name ID.
        The user’s Active Directory attribute returned in the claim must match the Prisma Cloud user’s name. In this example we are using the samAccountName attribute.
    13. Click Finish.
  8. Configure ADFS to sign either the SAML response only (-SamlResponseSignature MessageOnly) or both the SAML response and the assertion (-SamlResponseSignature MessageAndAssertion) for the Prisma Cloud Console relying party trust. The value of -TargetName must match the display name you gave the relying party trust. For example, to configure ADFS to sign only the response, start an administrative PowerShell session and run the following command:
    Set-AdfsRelyingPartyTrust -TargetName "Prisma Cloud Console" -SamlResponseSignature MessageOnly

Active Directory group membership within SAML response

You can use Active Directory group membership to assign users to Prisma Cloud roles. When a user’s group membership is sent in the SAML response, Prisma Cloud attempts to associate the user’s group with a Prisma Cloud role. If there is no group association, Prisma Cloud matches the user to an identity based on the NameID to Prisma Cloud username mapping. The SAML group to Prisma Cloud role association does not require the creation of a Prisma Cloud user, which simplifies the identity management required for your implementation of Prisma Cloud.
  1. In Relying Party Trusts, select the Prisma Cloud Console trust.
  2. Click Edit Claim Issuance Policy in the right hand Actions pane.
  3. Click Add Rule.
  4. Claim rule template: Send Claims Using a Custom Rule.
  5. Click Next.
  6. Claim rule name: Prisma Cloud Groups.
  7. Paste the following claim rule into the Custom rule field:
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("groups"), query = ";tokenGroups;{0}", param = c.Value);
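The relying party trust from the previous section (certificate export, trust creation and response signing) and the group claim rule above, scripted in one place. This is an added example, not part of the Prisma Cloud documentation or of ADFS itself; it assumes the ADFS PowerShell module on Windows Server 2016, uses the display name Prisma Cloud Console (which the later -TargetName must match), and leaves the <FQDN_TWISTLOCK_CONSOLE> placeholder for you to replace.

```powershell
# Added example (not from the Prisma Cloud docs): creates the relying party trust,
# the Name ID and group claim rules, the response-signing setting, and exports the
# token-signing certificate. Assumes the ADFS PowerShell module (Windows Server 2016);
# replace the placeholder hostname before running.
Import-Module ADFS

$ConsoleAcs = "https://<FQDN_TWISTLOCK_CONSOLE>:8083/api/v1/authenticate/"  # placeholder
$TrustName  = "Prisma Cloud Console"   # display name; Set-AdfsRelyingPartyTrust -TargetName must match it
$Identifier = "twistlock"              # relying party identifier = Prisma Cloud "Audience" field

# Claim rules in ADFS claim rule language: SAM-Account-Name -> Name ID (the GUI
# "Send LDAP Attributes as Claims" rule), plus the tokenGroups rule from this section.
$Rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Prisma Cloud Console"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "Prisma Cloud Groups"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("groups"), query = ";tokenGroups;{0}", param = c.Value);
'@

# SAML 2.0 WebSSO: the Console URL is the assertion consumer (POST binding)
$Endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $ConsoleAcs -Index 0

Add-AdfsRelyingPartyTrust -Name $TrustName -Identifier $Identifier `
    -SamlEndpoint $Endpoint -IssuanceTransformRules $Rules `
    -AccessControlPolicyName "Permit everyone"   # Server 2012r2 has no access control policies: use -IssuanceAuthorizationRules

# Sign only the SAML response (MessageOnly) or response and assertion (MessageAndAssertion)
Set-AdfsRelyingPartyTrust -TargetName $TrustName -SamlResponseSignature MessageOnly

# Export the primary token-signing certificate as Base-64 (PEM), which is what the
# Prisma Cloud "X.509 certificate" field expects.
$Signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$Der     = $Signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$Pem     = "-----BEGIN CERTIFICATE-----`r`n" +
           [Convert]::ToBase64String($Der, [System.Base64FormattingOptions]::InsertLineBreaks) +
           "`r`n-----END CERTIFICATE-----"
Set-Content -Path "$env:USERPROFILE\adfs-token-signing.cer" -Value $Pem

# Check the result before moving on to the Console side
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, SamlResponseSignature, SignatureAlgorithm, AccessControlPolicyName
```

Rotate the exported certificate in the Console whenever ADFS rolls its token-signing certificate, since the signature check in the federation flow is against this file.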

Configure the Prisma Cloud Console

Configure the Prisma Cloud Console.
  1. Login to the Prisma Cloud Console as an administrator.
  2. Go to Manage > Authentication > Identity Providers > SAML.
  3. Set Integrate SAML users and groups with Prisma Cloud to Enabled.
  4. Set Identity Provider to ADFS.
  5. In Identity provider single sign-on URL, enter your SAML Single Sign-On Service URL. For example: https://FQDN_of_your_adfs/adfs/ls
  6. In Identity provider issuer, enter your SAML Entity ID, which can be retrieved from ADFS > Service > Federation Service Properties : Federation Service Identifier.
  7. In Audience, enter the ADFS Relying Party identifier twistlock.
  8. In X.509 certificate, paste the ADFS Token Signing Certificate Base64 into this field.
  9. Click Save.
  10. Go to Manage > Authentication > Users.
  11. Click Add user.
    1. Username: the Active Directory samAccountName must match the value returned in the SAML token’s Name ID attribute.
      When federating with ADFS, Prisma Cloud usernames are case insensitive. All other federation IdPs are case sensitive.
    2. Auth method: set to SAML.
    3. Role: select an appropriate role.
  12. Click Save.

Active Directory group membership mapping to Prisma Cloud role

Associate a user’s Active Directory group membership to a Prisma Cloud role.
  1. Go to Manage > Authentication > Groups.
  2. Click Add group.
  3. Group Name: must match the Active Directory group name.
  4. Select the SAML group radio button.
  5. Assign the Role.
    The SAML group to Prisma Cloud role association does not require the creation of a Prisma Cloud user.
  6. Test login into the Prisma Cloud Console via ADFS SAML federation.
    Leave your existing session logged onto the Prisma Cloud Console in case you encounter issues. Open a new incognito browser window and go to https://<CONSOLE>:8083.
