Integrate with Azure Active Directory via SAML 2.0 federation

Many organizations use SAML to authenticate users for web services. Prisma Cloud supports the SAML 2.0 federation protocol to access the Prisma Cloud Console. When SAML authentication is enabled, users can log into the Console with their federated credentials. This article provides detailed steps for federating your Prisma Cloud Console with your Azure Active Directory (AAD) tenant’s Identity Provider.
The Prisma Cloud/Azure Active Directory SAML federation workflow is as follows:
  1. User browses to their Prisma Cloud Console.
  2. The user’s browser is redirected to the Azure Active Directory SAML 2.0 endpoint.
  3. The user enters their AAD credentials to authenticate. Multi-factor authentication can be enforced at this step.
  4. An AAD SAML token is returned to the user’s Prisma Cloud Console.
  5. Prisma Cloud Console validates the Azure Active Directory SAML token’s signature and associates the user to their Prisma Cloud account via user identity mapping or group membership. Prisma Cloud supports SAML groups for Azure Active Directory federation.
The Azure Portal may change the Enterprise Application SAML federation workflow over time. The concepts and steps outlined in this document can be applied to any Non-gallery application.
The Prisma Cloud Console is integrated with Azure Active Directory as a federated SAML Enterprise Application. The integration is set up in two parts: first configure Azure Active Directory, then configure the Prisma Cloud Console.

Configure Azure Active Directory

Prerequisites:
  • Required Azure Active Directory SKU: Premium
  • Required Azure Active Directory role: Global Administrator
  1. Log onto your Azure Active Directory tenant (https://portal.azure.com).
  2. On the top left of the window pane, click + New Application.
  3. Select + Create your own application on the top left of the window pane.
  4. In the Name field enter Compute-Console, select the Integrate any other application you don’t find in the gallery (Non-gallery) radio button and then click Create. In this example I am using "Compute-Console" as the application’s identifier.
  5. The Compute-Console overview page will appear. Select 2. Single sign-on, choose SAML and set:
    1. Identifier: Compute-Console. Set this to your Console’s unique Audience value; you will configure the same value within your Prisma Cloud Console at a later step.
    2. Reply URL: https://<FQDN_of_your_Prisma_Cloud_Console>:8083/api/v1/authenticate
  6. Select the Azure AD user attribute that will be used as the user account name within Prisma Cloud. This will be the NameID claim within the SAML response token. We recommend using the default value.
    1. Unique User Identifier (Name ID): user.userprincipalname [nameid-format:emailAddress]. Even if you are using AAD Groups to assign access to Prisma Cloud, set the NameID claim.
    2. Select Download: Certificate (Base64).
    3. Select the edit icon.
    4. Set Signing Option: Sign SAML Response and Assertion.
  7. Save the values of Login URL and Azure AD Identifier. You will use these values for the configuration of the Prisma Cloud Console in a later step.
  8. Copy the Application ID. You can find this within the Properties tab in the Manage section of the application.
  9. Click on 1. Assign users and groups within the Manage section of the application. Add the users and/or groups that will have the right to authenticate to Prisma Cloud Console.

Prisma Cloud User to AAD User identity mapping

If you plan to map Azure Active Directory users to Prisma Cloud user accounts, go to Prisma Cloud User to AAD User identity association.

Prisma Cloud Groups to AAD Group mapping

When you use Azure Active Directory groups to map to Prisma Cloud SAML groups, do not create users in the Prisma Cloud Console. Configure the AAD SAML application to send group membership claims (http://schemas.microsoft.com/ws/2008/06/identity/claims/groups) within the SAML response token. When you enable AAD group authentication, the Prisma Cloud user to AAD user identity method of association is ignored.
When the Azure Active Directory SAML response returns a group claim, its values are the user’s group OIDs, not group names. When you add an AAD group within the Console by the group’s name, the Console calls the Azure Active Directory API endpoint (https://graph.windows.net) to determine the OID of that group, so you will need to configure the Console to query the Azure Active Directory API. For users whose group membership exceeds 150 groups, the token does not carry the full list and the Console has to perform an Azure Active Directory API call to query the user’s full group membership. In this scenario it is recommended to use ApplicationGroups, so that the token emits only the groups that are explicitly assigned to the application and that the user is a member of.
Prisma Cloud Compute version 21_08 and higher supports the scenario in which the Console is unable to call the Azure Active Directory API. In that case the AAD group’s OID is supplied as the OID value when configuring the Console’s SAML groups.
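The checks in step 5 of the workflow above (issuer, audience, validity window, signature on both Response and Assertion) and the mapping rules in this section and under Group mapping with calling Azure Active Directory API (NameID to user when group authentication is off, group OIDs to roles when it is on, and the over-150-groups case), as an added example. This is not Prisma Cloud's or Microsoft's code: the sample response, tenant id, OIDs and user are constructed, the mapping tables are hypothetical, and the overage claim name `http://schemas.microsoft.com/claims/groups.link` comes from Microsoft's documentation rather than this page. Real signature verification needs an XML-DSig library; the example only checks that both signatures are present.

```python
"""Added example (not Prisma Cloud code): service-provider checks on an Azure AD
SAML response and the user/group mapping rules described on this page."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Azure AD substitutes this claim for the group list when the user is in more groups than the token carries.
GROUPS_OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

# Constructed sample: tenant id, OIDs, user and signature values are made up.
SAMPLE_ISSUER = "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
  <ds:Signature><ds:SignatureValue>MEUCIQ...</ds:SignatureValue></ds:Signature>
  <saml:Assertion>
    <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
    <ds:Signature><ds:SignatureValue>MEQCIG...</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-08-01T10:00:00Z" NotOnOrAfter="2021-08-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>Compute-Console</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{GROUPS_CLAIM}">
        <saml:AttributeValue>aaaaaaaa-0000-0000-0000-000000000001</saml:AttributeValue>
        <saml:AttributeValue>aaaaaaaa-0000-0000-0000-000000000002</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_timestamp(value):
    """SAML timestamps are UTC with a trailing Z; return a tz-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_response(xml_text):
    """Extract the fields the service provider decides on."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    conditions = assertion.find("saml:Conditions", NS)
    attributes = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "not_before": parse_timestamp(conditions.get("NotBefore")),
        "not_on_or_after": parse_timestamp(conditions.get("NotOnOrAfter")),
        "attributes": attributes,
    }


def validation_problems(resp, expected_issuer, expected_audience, now):
    """Empty list means the response may be mapped; otherwise every reason to reject it."""
    problems = []
    if resp["issuer"] != expected_issuer:
        problems.append("issuer does not match the configured Identity provider issuer")
    if resp["audience"] != expected_audience:
        problems.append("audience does not match the configured Audience")
    if not (resp["response_signed"] and resp["assertion_signed"]):
        problems.append("both Response and Assertion must be signed")
    if not (resp["not_before"] <= now < resp["not_on_or_after"]):
        problems.append("assertion is outside its validity window")
    return problems


def resolve_roles(resp, group_auth_enabled, user_roles, group_roles):
    """Map a validated assertion to Prisma Cloud roles (hypothetical tables).
    user_roles: {NameID: role}; group_roles: {group OID: role}.
    With group authentication enabled the user-to-user mapping is ignored."""
    attrs = resp["attributes"]
    if not group_auth_enabled:
        role = user_roles.get(resp["name_id"])
        return ([role] if role else [], "user")
    if GROUPS_OVERAGE_CLAIM in attrs:
        # No group list in the token: full membership has to be fetched from the AAD API.
        return ([], "overage")
    roles = sorted({group_roles[oid] for oid in attrs.get(GROUPS_CLAIM, []) if oid in group_roles})
    return (roles, "group")


if __name__ == "__main__":
    resp = parse_response(SAMPLE_RESPONSE)
    now = parse_timestamp("2021-08-01T10:30:00Z")
    print("problems:", validation_problems(resp, SAMPLE_ISSUER, "Compute-Console", now))
    print("roles:", resolve_roles(resp, True, {}, {"aaaaaaaa-0000-0000-0000-000000000001": "admin"}))
```

The validity window and audience checks are why the Audience value you enter in the Console must match the Identifier set in Azure AD exactly, and why a Response signed without its Assertion (or the reverse) should be rejected rather than mapped.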
  1. Configure the application to send group claims within the SAML response token:
    1. Under Manage click Single sign-on.
    2. Click the edit icon for section 2. User Attributes & Claims.
    3. Click Add a group claim.
    4. Select the Security groups radio button.
    5. Set Source attribute to Group ID.
  2. Assign the group to the application:
    1. Under Manage click Users and groups.
    2. Click + Add user/group.
    3. Under Users and groups click None Selected.
    4. Select the group to be used for authentication to the Console and click Select.
    5. At the Add Assignment window click Assign.
If you plan not to use the Azure Active Directory API call functionality to determine the group’s OID from the supplied group name, or you have users whose group membership is greater than 150 groups, go to Group mapping without calling Azure Active Directory API. Otherwise, continue with the following steps.

Add permissions to allow Prisma Cloud Console to query the Azure Active Directory API

Add permissions to allow Prisma Cloud Console to query the Azure Active Directory API.
  1. Set Application permissions:
    1. Under the Manage section, go to API Permissions.
    2. Click on Add a Permission.
    3. Click on Azure Active Directory Graph.
    4. Select permissions: Application Permissions: Directory.Read.All.
    5. Click Grant admin consent for Default Directory within the Configured permissions blade.
  2. Create Application Secret:
    1. Under the Manage section, go to Certificates & secrets.
    2. Click on New client secret.
    3. Expires: Never.
    4. Click Add.
    5. Make sure to save the secret value that is generated before closing the blade.
Allow several minutes for these permissions to propagate within AAD. Continue the configuration by going to Group mapping with calling Azure Active Directory API.
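A pre-flight check for the permissions and secret just created, as an added example rather than Prisma Cloud's own code: it resolves an AAD group display name to its OID the way this page says the Console does, so you can confirm the Application ID, Tenant ID, secret and Directory.Read.All consent work before entering them in the Console, and catch the case where two groups share a display name. The token endpoint `https://login.microsoftonline.com/<tenant>/oauth2/token` with `resource=https://graph.windows.net`, the query `GET /<tenant>/groups?api-version=1.6&$filter=displayName eq '<name>'` and the `objectId`/`displayName` fields are assumptions about the Azure AD Graph API the page names, not taken from the page; the sample payload is constructed.

```python
"""Added example (not Prisma Cloud code): verify that the app registration can
look up an AAD group's OID by display name via the Azure AD Graph endpoint."""
import json
import os
import sys
import urllib.parse
import urllib.request

GRAPH = "https://graph.windows.net"          # endpoint named on the page
LOGIN = "https://login.microsoftonline.com"  # assumed token endpoint host


def token_request(tenant_id, app_id, secret):
    """Build the client-credentials POST (url, form body) for an Azure AD Graph token."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": secret,
        "resource": GRAPH,
    }).encode()
    return f"{LOGIN}/{tenant_id}/oauth2/token", body


def group_query_url(tenant_id, display_name):
    """Groups query filtered by display name (assumed Azure AD Graph shape)."""
    literal = display_name.replace("'", "''")  # OData escapes a quote by doubling it
    query = urllib.parse.urlencode({"api-version": "1.6", "$filter": f"displayName eq '{literal}'"})
    return f"{GRAPH}/{tenant_id}/groups?{query}"


def resolve_oid(groups_payload, display_name):
    """Pick the OID for display_name from a groups query result.
    Display names are not unique in AAD: refuse to guess when the match is not exactly one."""
    matches = [g["objectId"] for g in groups_payload.get("value", []) if g.get("displayName") == display_name]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} groups named {display_name!r}; expected exactly one")
    return matches[0]


def fetch_json(url, data=None, headers=None):
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=15) as r:
        return json.load(r)


# Constructed sample of a groups query result; OIDs and names are made up.
SAMPLE_GROUPS = {"value": [
    {"objectId": "bbbbbbbb-0000-0000-0000-000000000001", "displayName": "Prisma-Admins"},
    {"objectId": "bbbbbbbb-0000-0000-0000-000000000002", "displayName": "Prisma-Admins"},
    {"objectId": "bbbbbbbb-0000-0000-0000-000000000003", "displayName": "Prisma-Auditors"},
]}

if __name__ == "__main__":
    # Live check: python3 check_group_lookup.py <tenant id> <application id> <group name>
    # with the client secret in the AAD_APP_SECRET environment variable; otherwise run offline on the sample.
    if len(sys.argv) == 4 and os.environ.get("AAD_APP_SECRET"):
        tenant, app_id, name = sys.argv[1:]
        url, body = token_request(tenant, app_id, os.environ["AAD_APP_SECRET"])
        token = fetch_json(url, data=body)["access_token"]
        groups = fetch_json(group_query_url(tenant, name), headers={"Authorization": f"Bearer {token}"})
        print(name, "->", resolve_oid(groups, name))
    else:
        print("Prisma-Auditors ->", resolve_oid(SAMPLE_GROUPS, "Prisma-Auditors"))
```

If the token request fails right after creating the secret, wait the few minutes the page mentions for propagation before treating it as a misconfiguration. A LookupError for a name that exists means the group name is ambiguous in your tenant; in that case assign the group by OID (Group mapping without calling Azure Active Directory API) rather than by name.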

Configure Prisma Cloud Console

Configure Prisma Cloud Compute Console.

Prisma Cloud User to AAD User identity association

Configure Prisma Cloud Console’s SAML settings for user identity based logon.
  1. Log into Prisma Cloud Console as an administrator.
  2. Go to Manage > Authentication > Identity Providers > SAML.
  3. Set SAML settings to Enabled.
  4. Set Identity Provider to Azure.
    1. In Provider alias, enter an identifier for this SAML provider (e.g. AzureAD).
    2. In Identity provider single sign-on URL, enter the Azure AD provided Login URL.
    3. In Identity provider issuer, enter the Azure AD provided Azure AD Identifier.
    4. In Audience, enter Compute-Console.
    5. In X.509 certificate, paste the Azure AD SAML Signing Certificate Base64 into this field.
  5. Click Save.

Map an Azure Active Directory user to a Prisma Cloud account

Map an Azure Active Directory user to a Prisma Cloud account.
  1. Go to Manage > Authentication > Users.
  2. Click Add user.
  3. Create a New User:
    1. Username: the user’s Azure Active Directory userprincipalname.
    2. Auth Method: select SAML.
    3. Role: select the appropriate role for the user.
    4. Click Save.

Group mapping without calling Azure Active Directory API

In this configuration the Console will not call the Azure Active Directory API to determine the group’s AAD OID from the group name supplied. If a user’s security group membership is greater than 150 groups and the Console is unable to perform the Azure Active Directory API query, it is recommended to use ApplicationGroups.
Configure Prisma Cloud Console’s SAML settings for group based logon.
  1. Log into Prisma Cloud Console as an administrator.
  2. Go to Manage > Authentication > Identity Providers > SAML.
  3. Set SAML settings to Enabled.
  4. Set Identity Provider to Azure.
    1. In Provider alias, enter an identifier for this SAML provider (e.g. AzureAD).
    2. In Identity provider single sign-on URL, enter the Azure AD provided Login URL.
    3. In Identity provider issuer, enter the Azure AD provided Azure AD Identifier.
    4. In Audience, enter Compute-Console.
    5. In X.509 certificate, paste the Azure AD SAML Signing Certificate Base64 into this field.
  5. Click Save.

Assign the AAD group OID to a role

Assign the AAD group OID to a role.
  1. Go to Manage > Authentication > Groups.
  2. Click Add Group.
  3. Enter a display name for the group (e.g. AAD_SAML_admins).
  4. Select Authentication method External providers.
  5. Enter the AAD OID of the group within the OID field.
  6. Select the Prisma Cloud role for the group.
  7. Click Save.

Group mapping with calling Azure Active Directory API

Azure Active Directory SAML response will send the user’s group membership as OIDs and not the name of the group. When a group name is added, Prisma Cloud Console will query the Azure Active Directory API to determine the OID of the group entered. For users whose group membership exceeds 150 groups the Console will perform an Azure Active Directory API call to query for the full group membership of the user. Ensure your Prisma Cloud Console is able to reach the Azure Active Directory API endpoint (https://graph.windows.net).
  1. Log into Prisma Cloud Console as an administrator.
  2. Go to Manage > Authentication > Identity Providers > SAML.
  3. Set SAML settings to Enabled.
  4. Set Identity Provider to Azure.
    1. In Provider alias, enter an identifier for this SAML provider (e.g. AzureAD).
    2. In Identity provider single sign-on URL, enter the Azure AD provided Login URL.
    3. In Identity provider issuer, enter the Azure AD provided Azure AD Identifier.
    4. In Audience, enter Compute-Console.
    5. Enter the Application ID of the Compute-Console AAD application.
    6. Enter the Tenant ID of your Azure Active Directory.
    7. Enter the Application Secret value for permission to the Azure Active Directory API.
    8. In X.509 certificate, paste the Azure AD SAML Signing Certificate Base64 into this field.
  5. Click Save.

Assign the AAD group name to a role

Assign the AAD group name to a role.
  1. Go to Manage > Authentication > Groups.
  2. Click Add Group.
  3. Enter the name of the AAD group.
  4. Click the SAML group radio button.
  5. Select the Prisma Cloud role for the group.
  6. Click Save.
Test logging into Prisma Cloud Console via Azure Active Directory SAML federation. Leave your existing session logged into Prisma Cloud Console in case you encounter issues. Open a new incognito browser window, go to https://<CONSOLE>:8083 and select the SAML authentication method.
