End-of-Life (EoL)

Integrate with Azure Active Directory via SAML 2.0 federation

Many organizations use SAML to authenticate users for web services. Prisma Cloud supports the SAML 2.0 federation protocol to access the Prisma Cloud Console. When SAML authentication is enabled, users can log into the Console with their federated credentials. This article provides detailed steps for federating your Prisma Cloud Console with your Azure Active Directory (AAD) tenant’s Identity Provider.
The Prisma Cloud/Azure Active Directory SAML federation workflow is as follows:
  1. User browses to their Prisma Cloud Console.
  2. The user’s browser is redirected to the Azure Active Directory SAML 2.0 endpoint.
  3. The user enters their AAD credentials to authenticate. Multi-factor authentication can be enforced at this step.
  4. An AAD SAML token is returned to the user’s Prisma Cloud Console.
  5. Prisma Cloud Console validates the Azure Active Directory SAML token’s signature and associates the user to their Prisma Cloud account via user identity mapping or group membership. Prisma Cloud supports SAML groups for Azure Active Directory federation.
The Azure Portal may change the Enterprise Application SAML federation workflow over time. The concepts and steps outlined in this document can be applied to any Non-gallery application.
The Prisma Cloud Console is integrated with Azure Active Directory as a federated SAML Enterprise Application. The steps to set up the integration are:

Configure Azure Active Directory

Prerequisites:
  • Required Azure Active Directory SKU: Premium
  • Required Azure Active Directory role: Global Administrator
  1. Log onto your Azure Active Directory tenant (https://portal.azure.com).
  2. On the top left of the window pane, click + New Application.
  3. Select + Create your own application on the top left of the window pane.
  4. In the Name field enter Compute-Console, select the Integrate any other application you don’t find in the gallery (Non-gallery) radio button and then click Create. In this example I am using "Compute-Console" as the application’s identifier.
  5. The Compute-Console overview page will appear. Select 2. Single sign-on and then choose SAML.
    1. Identifier: Compute-Console. Set this to your Console’s unique Audience value. You will configure the same value within your Prisma Cloud Console at a later step.
    2. Reply URL: https://<FQDN_of_your_Prisma_Cloud_Console>:8083/api/v1/authenticate
  6. Select the Azure AD user attribute that will be used as the user account name within Prisma Cloud. This will be the NameID claim within the SAML response token. We recommend using the default value.
    1. Unique User Identifier (Name ID): user.userprincipalname [nameid-format:emailAddress]. Even if you are using AAD Groups to assign access to Prisma Cloud, set the NameID claim.
    2. Select Download: Certificate (Base64).
    3. Select the edit icon.
    4. Set Signing Option to Sign SAML Response and Assertion.
  7. Save the values of Login URL and Azure AD Identifier. You will use these values for the configuration of the Prisma Cloud Console in a later step.
  8. Copy the Application ID. You can find this within the Properties tab in the Manage section of the application.
  9. Click on 1. Assign users and groups within the Manage section of the application. Add the users and/or groups that will have the right to authenticate to the Prisma Cloud Console.

Prisma Cloud User to AAD User identity mapping

If you plan to map Azure Active Directory users to Prisma Cloud user accounts, go to Prisma Cloud User to AAD User identity association.

Prisma Cloud Groups to AAD Group mapping

When you use Azure Active Directory groups to map to Prisma Cloud SAML groups, do not create users in the Prisma Cloud Console. Configure the AAD SAML application to send group membership claims (http://schemas.microsoft.com/ws/2008/06/identity/claims/groups) within the SAML response token. When you enable AAD group authentication, the Prisma Cloud user to AAD user identity method of association is ignored.
When the Azure Active Directory SAML response returns a group claim, its values are the user’s group OIDs, not group names. When you add AAD groups within the Console using the group’s name, the Console calls the Azure Active Directory API endpoint (https://graph.windows.net) to determine the OID of the group, so you will need to configure the Console to query the Azure Active Directory API. For users whose group membership exceeds 150 groups, the Console also has to perform an Azure Active Directory API call to query for the full group membership of the user. In this scenario it is recommended to use ApplicationGroups so that the token emits only the groups that are explicitly assigned to the application and that the user is a member of.
Prisma Cloud Compute version 21_08 and higher supports the scenario in which the Console is unable to call the Azure Active Directory API: the AAD group’s OID is supplied as the OID value when configuring the Console’s SAML groups.
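The Console-side handling described in step 5 of the workflow above and in the group-mapping notes, as an added Python example that is not Prisma Cloud’s own code: it parses a constructed AAD-style SAML response, checks the Audience against the configured Identifier, the NotOnOrAfter validity window and the NameID format, and resolves the group claim OIDs against a placeholder OID-to-group table of the kind used from version 21_08 onward. It assumes the response signature has already been verified, so the Signature elements are left out of the sample.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample response; Signature elements omitted because verification is assumed done.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z">
   <saml:AudienceRestriction><saml:Audience>Compute-Console</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
    <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    <saml:AttributeValue>99999999-8888-7777-6666-555555555555</saml:AttributeValue>
   </saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

# Placeholder Console-side SAML group table (AAD group OID -> Prisma Cloud group), entered by OID.
CONFIGURED_GROUPS = {"11111111-2222-3333-4444-555555555555": "compute-admins"}

def map_assertion(xml_text, audience, configured_groups, now=None):
    """Check audience, validity window and NameID format, then map group OIDs
    to configured Console groups. Raises ValueError when access must be refused."""
    now = now or datetime.now(timezone.utc)
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    aud = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != audience:  # must equal the Identifier configured in the Azure application
        raise ValueError(f"audience mismatch: {aud!r}")
    expiry = assertion.find("saml:Conditions", NS).get("NotOnOrAfter")
    if now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
        raise ValueError("assertion expired")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID missing or not in emailAddress format")
    oids = [v.text for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
            if a.get("Name") == GROUPS_CLAIM for v in a.findall("saml:AttributeValue", NS)]
    groups = sorted(configured_groups[o] for o in oids if o in configured_groups)  # unknown OIDs ignored
    if not groups:
        raise ValueError("user is in no configured SAML group")
    return {"user": name_id.text, "groups": groups}
```

OIDs in the token that are not in the Console’s table grant nothing, which is why a user assigned only to unconfigured groups is refused.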
  1. Configure the application to send group claims within the SAML response token:
    1. Under Manage click Single sign-on.
    2. Click the edit icon for section 2. User Attributes & Claims.
    3. Click Add a group claim.
    4. Select the Security groups radio button.
    5. Set Source attribute to Group ID.