Prisma Cloud Compute Edition Administrator’s Guide
    : Integrate Prisma Cloud with Open ID Connect
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Authentication
    6. Integrate Prisma Cloud with Open ID Connect
    Download PDF

    Prisma Cloud Compute Edition Administrator’s Guide

    Integrate Prisma Cloud with Open ID Connect

    Table of Contents
    End-of-Life (EoL)

    Integrate Prisma Cloud with Open ID Connect

    OpenID Connect is a standard that extends OAuth 2.0 to add an identity layer. Prisma Cloud supports integration with any standard Open ID Connect (OIDC) provider that implements both OpenID connect core and OpenID connect discovery. Prisma Cloud supports the authorization code flow only.
    This page includes instructions to integrate with the following providers:
    Use the
    https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oidc
     URL only to configure the integration between services. The API is not included in our reference guide because the URL is only enabled as a configuration value.

    PingOne

    Integrate with PingOne.
    You need to configure Compute as an OIDC app. When configuring your app:
    • The Start SSO URL must point to the
      https://<CONSOLE>:<PORT>/callback
       URL.
    • The Redirect URI must point to the
      https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oidc
       URL.
    • UserInfo must include sub, idpid, and name.
    • All of the following scopes must be included for OpenID.
      • OpenID Connect (openid)
      • OpenID profile
      • OpenID Email
      • OpenID address
      • OpenID Phone
      • Groups

    Update Ping callback URL

    Update the callback URL.
    1. Log into the Ping web portal.
    2. Click
      Applications
      , and then click the
      OIDC
       tab.
    3. Click on the arrow button nest for your app.
    4. Click on the pencil icon on the right side.
    5. Click on
      Authentication Flow
      .
    6. In
      REDIRECT URIS
      , enter the following URL to enable the service-to-service integration:
      https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oidc
      .

    Create new user and join to group

    1. In the Ping web portal, click
      Users
      , and then click the
      Users
       tab.
    2. Click
      Add users
      , and choose the
      Create New User
       option.
    3. Fill the fields for
      Password
      ,
      Username
       (should be your email),
      First Name
      ,
      Last Name
      , and
      Email
      .
    4. In the
      Membership
       field, click
      Add
      , and choose a group.
    5. Click
      Save
      .

    Okta

    Integrate with Okta.
    • Initiate Login URI (Okta) must point to
      https://<CONSOLE>:<PORT>/callback
      .
    • Redirect URI must point to the
      https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oidc
       URL.
    • UserInfo must include sub, idpid, name.
    • Scopes:
      • All of the following scopes must be included for OpenID: OpenID Connect (openid), OpenID profile, OpenID Email, OpenID address, OpenID Phone, Groups.
      • All of the following scopes must be included for Okta: okta.groups.manage, okta.groups.read.

    Update Okta callback URL

    Update the callback URL.
    1. Log into Okta.
    2. Click on
      Applications
       and click on your application.
    3. Click the
      General
       tab, and then click
      Edit
      .
    4. Update
      Login redirect URIs
      . Enter the following URL to enable the service-to-service integration:
      https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oidc
    5. Click
      Save
      .

    Configure Okta as an Identity Provider

    Configure Okta as an identity provider in Prisma Cloud with the following steps.
    1. Log into Prisma Cloud Console.
    2. Go to
      Manage > Authentication > Identity Providers > OpenID Connect
      .
    3. Enable OpenID Connect.
    4. Fill in the settings.
      1. For
        Client ID
        , enter the client ID.
      2. For
        Client Secret
        , enter the client secret.
      3. For
        Issuer URL
        , enter:
        https://sso.connect.pingidentity.com/<CLIENT_ID>
        .
      4. For
        Group scope
        , select
        groups
        .
      5. (Optional) Enter your certificate.
      6. Click
        Save
        .

    Azure Active Directory (AD)

    To integrate with Azure Active Directory (AD), you must register Prisma Cloud as an Open ID Connect (OIDC) application in Azure and configure Azure AD as an identity provider in Prisma Cloud.
    2. Find the Azure AD service.
    3. Click the
      app registration
       button and select
      New registration
    4. Enter a name and select
      Accounts in this organizational directory only
       as the supported account type.
    5. Under
      Redirect URI
       select
      Web console URL
       enter the following URL to enable the service-to-service integration:
      https://<CONSOLE>:<PORT>/api/v1/authenticate/callback/oidc
    6. Click on
      Register the app
      .
    7. To add the secret for the client, go to
      certificates & secrets
      .
    8. Add a new secret for the client, copy and store it for later use.
      You can only view the value of the secret when you create it. Copy and store the secret safely for later use.

    Configure Groups in Azure AD

    1. To add the needed claim, go to
      Token Configuration
      .
      1. Select
        Add group claim
      2. Select the
        Groups assigned to the application
         option.
      3. Keep the default values and click
        Add
        .
      4. Click
        Add optional claim
         and select
        Token type - ID
        .
      5. Select the
        email
         and
        preferred_username
         claims.
      6. Turn on the Microsoft Graph email permission, while saving these claims.
    2. Go to the
      API permissions
       and click
      Add a permission
      .
      1. Under
        Microsoft API
         select
        Microsoft Graph
        .
      2. Select
        Delegated permissions
      3. Select
        email, openid, profile
        .
    3. To create the needed application group, go to
      Groups
       in the Azure AD console.
    4. Create a new group and keep the default values.

    Assign the Created Group to the Prisma Cloud Console

    1. Go to
      Enterprise applications
       in the Azure AD console.
    2. Find the application you registered.
    3. Click on
      Properties
       and check the
      Assignment required
       option.
    4. Click on
      Assign users and groups
      .
    5. Click add and select the previously created group.
    6. Click add and select your user.
    7. Go to
      App registrations
       in the Azure AD console.
    8. Click on
      Your owned registered app
      .
    9. Find the application you registered and click on
      Endpoints
      .
    10. Open the OpenID Connect metadata JSON file.
    11. Copy the value under Issuer URL from the JSON file, for example:
      https://login.microsoftonline.com/<TENANT_ID>/v2.0

    Configure Azure AD as an Identity Provider

    After you register Prisma Cloud as an Open ID Connect (OIDC) application in Azure, complete the following steps to configure Azure AD as an identity provider.
    1. Go to
      Manage > Authentication > Identity Providers
       in your Prisma Cloud Console.
    2. Enable OpenID Connect.
    3. Enter the following information in the settings fields.
      1. Client ID
        : Use the
        Application (Client) ID
         found in the Azure Console under
        Azure AD > App registrations > Overview
        .
      2. Client Secret
        : The secret for the client that you created for the application and stored safely for later use.
      3. Issuer URL
        : The endpoint of the application registered in Azure AD, for example
        https://login.microsoftonline.com/<TENANT_ID>/v2.0
      4. Group scope
        : Leave this field blank.
      5. Group claim
        : Set this field to groups. This allows Prisma Cloud to populate the specific group names automatically.
      6. User claim
        : The optional claim for the user. Set this field to preferred_username for group based OIDC authentication, it is used for the audit logs.
    4. Click
      Save
      .

    Prisma Cloud to OIDC user identity mapping

    If you intend to use the group mapping method, skip to the Prisma Cloud to OIDC provider group mapping task. Create a user for every user that should access Prisma Cloud. The Open ID Connect specification requires every username to match with a configured username in the Prisma Cloud database. Prisma Cloud uses attributes that come from OIDC to perform this match, for example you can use sub, username or email. You should use whichever value the provider is configured to send to Prisma Cloud when you configure users.
    1. Go to
      Manage > Authentication > Users
      .
    2. Click
      Add User
      .
    3. Set
      Username
       to the GitHub user name.
    4. Set
      Auth method
       to
      OpenID Connect
      .
    5. Select a role for the user.
    6. Click
      Save
      .
    7. Test logging into Prisma Cloud Console.
      1. Logout of Prisma Cloud.
      2. On the login page, select
        OpenID Connect
        , and then click
        Login
        .
      3. You’re redirected to your OIDC provider to authenticate.
      4. After successfully authenticating, you’re logged into Prisma Cloud Console.

    Prisma Cloud to OIDC provider group mapping

    When you use groups to assign roles in Prisma Cloud you don’t have to create individual Prisma Cloud accounts for each user. The group value configured on the Compute side should reflect the name of the group scope in the OIDC provider. It might be something different than groups.
    Groups can be associated and authenticated with by multiple identity providers. If you use Azure Active Directory (AAD), a user can’t be part of more than 200 groups at once.
    1. Go to
      Manage > Authentication > Groups
      .
    2. Click
      Add Group
      .
    3. In
      Name
      , enter an OpenShift group name. For AAD use Azure Group’s
      Object ID
       as the group name.
    4. In
      Authentication method
      , select
      External Providers
      .
    5. In
      Authentication Providers
      , select
      OpenID Connect group
      .
    6. Select a role for the members of the group.
    7. Click
      Save
      .
    8. Test logging into Prisma Cloud Console.
      1. Logout of Prisma Cloud.
      2. On the login page, select
        OpenID Connect
        , and then click
        Login
        .
      3. You’re redirected to your OIDC provider to authenticate.
      4. After successfully authenticating, you’re logged into Prisma Cloud Console.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.