Integrate with Azure Active Directory via SAML 2.0 federation
Many organizations use SAML to authenticate users for web services. Prisma Cloud supports the SAML 2.0 federation protocol to access the Prisma Cloud Console. When SAML authentication is enabled, users can log into the Console with their federated credentials. This article provides detailed steps for federating your Prisma Cloud Console with your Azure Active Directory (AAD) tenant’s Identity Provider.
The Prisma Cloud/Azure Active Directory SAML federation workflow is as follows:
- User browses to their Prisma Cloud Console.
- The user’s browser is redirected to the Azure Active Directory SAML 2.0 endpoint.
- The user enters their AAD credentials to authenticate. Multi-factor authentication can be enforced at this step.
- An AAD SAML token is returned to the user’s Prisma Cloud Console.
- Prisma Cloud Console validates the Azure Active Directory SAML token’s signature and associates the user to their Prisma Cloud account via user identity mapping or group membership. Prisma Cloud supports SAML groups for Azure Active Directory federation.
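As an added example (not Prisma Cloud's own code), the checks a service provider performs on an incoming Azure AD assertion in the last workflow step: signature (delegated to an XML-DSig library), issuer, validity window, audience, and group-to-role mapping. The sample assertion, expected issuer and audience, `GROUP_TO_ROLE` map and `verify_signature` hook are constructed assumptions.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Azure AD places group object IDs under this claim name when group claims are emitted.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion; the tenant ID, audience URL and group ID are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://console.example.com/api/v1/authenticate</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
EXPECTED_AUDIENCE = "https://console.example.com/api/v1/authenticate"
SAMPLE_NOW = dt.datetime(2024, 1, 1, 0, 30, tzinfo=dt.timezone.utc)
GROUP_TO_ROLE = {"11111111-1111-1111-1111-111111111111": "admin"}  # hypothetical mapping

def _ts(value):
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def consume_assertion(xml_text, issuer, audience, now, verify_signature):
    """Return (name_id, role) when every check passes, else raise ValueError. verify_signature
    must do real XML-DSig verification against the IdP certificate; ElementTree cannot."""
    if not verify_signature(xml_text):
        raise ValueError("signature verification failed")
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this service provider")
    groups = [v.text for v in root.findall(
        f"saml:AttributeStatement/saml:Attribute[@Name='{GROUPS_CLAIM}']/saml:AttributeValue", NS)]
    roles = [GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE]
    if not roles:
        raise ValueError("user is in no group mapped to a role")
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS), roles[0]
```

A rejected assertion raises before any role is assigned, so a wrong audience, an expired window, or a failed signature check never yields a Console session.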
The Azure Portal may change the Enterprise Application SAML federation workflow over time. The concepts and steps outlined in this document can be applied to any Non-gallery application.
The Prisma Cloud Console is integrated with Azure Active Directory as a federated SAML Enterprise Application. The steps to set up the integration are:
Configure Azure Active Directory
- Required Azure Active Directory SKU: Premium
- Required Azure Active Directory role: Global Administrator
- Log onto your Azure Active Directory tenant (https://portal.azure.com)
- On the top left of the window pane, click + New Application
- Select + Create your own application on the top left of the window pane
- In the Name field enter