Integrate with PingFederate via SAML 2.0 federation
Many organizations use SAML to authenticate users for web services. Prisma Cloud supports the SAML 2.0 federation protocol to access the Prisma Cloud Console. When SAML support is enabled, users can log into the Console with their federated credentials. This article provides detailed steps for federating your Prisma Cloud Console with your PingFederate v8.4 Identity Provider (IdP).
The Prisma Cloud/PingFederate SAML federation flow works as follows:
- Users browse to Prisma Cloud Console.
- Their browsers are redirected to the PingFederate SAML 2.0 endpoint.
- They enter their credentials to authenticate. Multi-factor authentication can be enforced at this step.
- A PingFederate SAML token is returned to Prisma Cloud Console.
- Prisma Cloud Console validates the SAML token’s signature and associates the user to their Prisma Cloud account via user identity mapping or group membership.
Prisma Cloud Console is integrated with PingFederate as a federated SAML Service Provider. The steps to set up the integration are:
- Logon to PingFederate
- Go toIdP Configuration > SP Connection > Connection Type, and selectBrowser SSO.
- Go toIdP Configuration > SP Connection > Connection Options, and selectBrowser SSO Profiles SAML 2.0.
- Skip theImport Metadatatab.
- Go toIdP Configuration > SP Connection > General Info.
- InPartner’s Entity ID, entertwistlock.By default, the Partner’s Entity ID is "twistlock". When configuring the SAML Audience in the Prisma Cloud Console, the default value is "twistlock". If you choose a different value here, be sure to set the same value in your Console.
- InConnection Name, enterPrisma Cloud Console.
- InBrowser SSO > SAML Profiles, select bothIDP-INITIATED SSOandSP-INITIATED SSO.
- Go toAssertion Creationand setSAML_SUBJECTtoSAML 1.1 nameid-format.In this example you mapped the user’s email address to the SAML_SUBJECT attribute which matches the user’s Prisma Cloud account. If you are using group-to-Prisma Cloud-role associations, addgroupsto the list of attributes to be returned in the SAML token.
- InIdP Configuration > SP Connection > Browser SSO > Protocol Settings > Assertion