Prisma Cloud Compute Edition Administrator’s Guide
    : Integrate with Azure Active Directory via SAML 2.0 federation
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Authentication
    6. Integrate with Azure Active Directory via SAML 2.0 federation
    Download PDF

    Prisma Cloud Compute Edition Administrator’s Guide

    Integrate with Azure Active Directory via SAML 2.0 federation

    Table of Contents

    Integrate with Azure Active Directory via SAML 2.0 federation

    Many organizations use SAML to authenticate users for web services. Prisma Cloud supports the SAML 2.0 federation protocol to access the Prisma Cloud Console. When SAML authentication is enabled, users can log into the Console with their federated credentials. This article provides detailed steps for federating your Prisma Cloud Console with your Azure Active Directory (AAD) tenant’s Identity Provider.
    The Prisma Cloud/Azure Active Directory SAML federation workflow is as follows:
    1. User browses to their Prisma Cloud Console.
    2. The user’s browser is redirected to the Azure Active Directory SAML 2.0 endpoint.
    3. The user enters their AAD credentials to authenticate. Multi-factor authentication can be enforced at this step.
    4. An AAD SAML token is returned to the user’s Prisma Cloud Console.
    5. Prisma Cloud Console validates the Azure Active Directory SAML token’s signature and associates the user to their Prisma Cloud account via user identity mapping or group membership. Prisma Cloud supports SAML groups for Azure Active Directory federation.
    The Azure Portal may change the Enterprise Application SAML federation workflow over time. The concepts and steps outlined in this document can be applied to any Non-gallery application.
    The Prisma Cloud Console is integrated with Azure Active Directory as a federated SAML Enterprise Application. The steps to set up the integration are:

    Configure Azure Active Directory

    Prerequisites:
    • Required Azure Active Directory SKU: Premium
    • Required Azure Active Directory role: Global Administrator
    1. Log onto your Azure Active Directory tenant (https://portal.azure.com)
    3. On the top left of the window pane, click
      + New Application
    4. Select
      + Create your own application
       on the top left of the window pane
    5. In the Name field enter
      Compute-Console
      , select the Integrate any other application you don’t find in the gallery (Non-gallery) radio button and then click
      Create
      . In this example I am using "Compute-Console" as the application’s identifier.
    6. The Compute-Console overview page will appear, select
      2. Single sign-on
       and then choose
      SAML
      1. Identifier:
        Compute-Console
         Set to your Console’s unique Audience value. You will configure this value within your Prisma Cloud Console at a later step.
      2. Reply URL:
        https://<FQDN_of_your_Prisma Cloud_Console>:8083/api/v1/authenticate
    8. Select the Azure AD user attribute that will be used as the user account name within Prisma Cloud. This will be the NameID claim within the SAML response token. We recommend using the default value.
      1. Unique User Identifier (Name ID):
        user.userprincipalname [nameid-format:emailAddress]
        Even if you are using AAD Groups to assign access to Prisma Cloud set the NamedID claim.
      1. Select
        Download: Certificate (Base64)
      2. Select the edit icon
      3. Set Signing Option:
        Sign SAML Response and Asertion
    10. Save the value of of Login URL and Azure AD Identifier. You will use these values for the configuration of the Prisma Cloud Console in a later step.
    11. Copy the Application ID. You can find this within the Properties tab in the Manage section of the application.
    12. Click on 1. Assign users and groups within the Manage section of the application. Add the users and/or groups that will have the right to authenticate to Prisma Cloud Console.

    Prisma Cloud User to AAD User identity mapping

    If you plan to map Azure Active Directory users to Prisma Cloud user accounts go to Prisma Cloud User to AAD User identity association.

    Prisma Cloud Groups to AAD Group mapping

    When you use Azure Active Directory groups to map to Prisma Cloud SAML groups, do not create users in the Prisma Cloud Console. Configure the AAD SAML application to send group membership (http://schemas.microsoft.com/ws/2008/06/identity/claims/groups) claims within the SAML response token. When you enable AAD group authentication the Prisma Cloud user to AAD user identity method of association will be ignored.
    Prisma Cloud Compute version 22_06 now uses the Microsoft Graph API
    When the Azure Active Directory SAML response returns a group claim it contains the user’s group OIDs as the values. When adding AAD groups within the Console using the group’s name the Console will perform a call to the Microsoft Graph API endpoint (https://graph.microsoft.com) to determine the OID of the group. Therefore you will need to configure the Console to query the Azure Active Directory API. For users whose group membership exceeds 150 groups the Console will have to perform an Microsoft Graph API call to query for the full group membership of the user. In this scenario it is recommended to use ApplicationGroups to emit only the groups that are explicitly assigned to the application and the user is a member of.
    Prisma Cloud Compute version 21_08 and higher supports the scenerio in which the Console is unable to call the Microsoft Graph API. The AAD group’s OID is supplied as the OID value when configuring the Console’s SAML groups.
    1. Configure the application to send group claims within the SAML response token:
      2. Under Manage click Single sign-on
      3. Click the edit for section
        2. User Attributes & Claims
      4. Click
        Add a group claim
      5. Select the
        Security groups
         radio button
      6. Set Source attribute to
        Group ID
    2. Assign the group to the application
      2. Under Manage click Users and groups
      3. Click
        + Add user/group
      4. Under Users and groups click
        None Selected
      5. Select the group to be used for authentication to the Console and click
        Select
      6. At the Add Assignment window click
        Assign
        If you plan not to use the Azure Active Directory API call functionality to determine the group’s OID based upon the supplied group name and/or scenarios in which a user’s group membership is greater than 150 groups go to Group mapping without calling Azure Active Directory API. Otherwise, continue with the following steps.

    Add permissions to allow Prisma Cloud Console to query the Azure Active Directory API

    Add these permissions to allow Prisma Cloud Console to query the Azure Active Directory API. These permissions are required in the following scenarios.
    • Your Azure Active Directory (AAD) has users that belong to more than 150 groups.
    • You add groups in the Prisma Cloud Console without their Object ID (OID).
    1. Set Application permissions:
      2. Under the Manage section, go to API Permissions
      3. Click on
        Add a Permission
      4. Click on
        Microsoft Graph
      5. Select permissions:
        Application Permissions: Directory.Read.All
      7. Click Grant admin consent for Default Directory within the Configured permissions blade
    2. Create Application Secret
      1. Under the Manage section, go to Certificates & secrets
      2. Click on
        New client secret
      4. Expires:
        Never
      5. Click Add
      6. Make sure to save the secret value that is generated before closing the blade
        Allow several minutes for these permissions to propagate within AAD.
        Continue the configuration by going to Group mapping with calling Azure Active Directory API

    Configure Prisma Cloud Console

    Configure Prisma Cloud Compute Console.

    Prisma Cloud User to AAD User identity association

    Configure Prisma Cloud Console’s SAML settings for user identity based logon.
    1. Log into Prisma Cloud Console as an administrator
    2. Go to
      Manage > Authentication > Identity Providers > SAML
    3. Set
      SAML settings
       to
      Enabled
    4. Set
      Identity Provider
       to
      Azure
      1. In
        Provider alias
         enter an identifier for this SAML provider (e.g. AzureAD)
      2. In
        Identity provider single sign-on URL
         enter the Azure AD provided
        Login URL
      3. In
        Identity provider issuer
         enter the Azure AD provided
        Azure AD Identifier
      4. In
        Audience
         enter
        Compute-Console
      5. In
        X.509 certificate
         paste the Azure AD SAML
        Signing Certificate Base64
         into this field
    5. Click
      Save

    Map an Azure Active Directory user to a Prisma Cloud account

    Map an Azure Active Directory user to a Prisma Cloud account.
    1. Go to
      Manage > Authentication > Users
    2. Click
      Add user
    3. Create a New User
      1. Username
        : Azure Active Directory userprincipalname
      2. Auth Method
        : Select
        SAML
      3. Role
        : Select the appropriate role for the user
      4. Click
        Save

    Group mapping without calling Azure Active Directory API

    In this configuration the Console will not call the Microsoft Graph API to determine the group’s AAD OID based upon the group name supplied. If a user’s security group membership is greater than 150 groups and the Console is unable to perform the Microsoft Graph API query it is recommended to to use ApplicationGroups.
    Configure Prisma Cloud Console’s SAML settings for group based logon.
    1. Log into Prisma Cloud Console as an administrator
    2. Go to
      Manage > Authentication > Identity Providers > SAML
    3. Set
      SAML settings
       to
      Enabled
    4. Set
      Identity Provider
       to
      Azure
      1. In
        Provider alias
         enter an identifier for this SAML provider (e.g. AzureAD)
      2. In
        Identity provider single sign-on URL
         enter the Azure AD provided
        Login URL
      3. In
        Identity provider issuer
         enter the Azure AD provided
        Azure AD Identifier
      4. In
        Audience
         enter
        Compute-Console
      5. In
        X.509 certificate
         paste the Azure AD SAML
        Signing Certificate Base64
         into this field
    5. Click
      Save

    Assign the AAD group OID to a role

    Assign the AAD group OID to a role.
    1. Go to
      Manage > Authentication > Groups
    2. Click
      Add Group
    3. Enter a display name for the group (e.g. AAD_SAML_admins)
    4. Select Authentication method
      External providers
    6. Enter the AAD OID of the group within the OID field
    7. Select the Prisma Cloud role for the group
    8. Click
      Save

    Group mapping with calling Azure Active Directory API

    Azure Active Directory SAML response will send the user’s group membership as OIDs and not the name of the group. When a group name is added, Prisma Cloud Console will query the Microsoft Graph API to determine the OID of the group entered. For users whose group membership exceeds 150 groups the Console will perform an Microsoft Graph API call to query for the full group membership of the user. Ensure your Prisma Cloud Console is able to reach the Microsoft Graph API endpoint (https://graph.microsoft.com).
    1. Log into Prisma Cloud Console as an administrator
    2. Go to
      Manage > Authentication > Identity Providers > SAML
    3. Set
      SAML settings
       to
      Enabled
    4. Set
      Identity Provider
       to
      Azure
      1. In
        Provider alias
         enter an identifier for this SAML provider (e.g. AzureAD)
      2. In
        Identity provider single sign-on URL
         enter the Azure AD provided
        Login URL
      3. In
        Identity provider issuer
         enter the Azure AD provided
        Azure AD Identifier
      4. In
        Audience
         enter
        Compute-Console
      5. Enter the
        Application ID
         of the Compute-Console AAD application
      6. Enter the
        Tenant ID
         of your Azure Active Directory
      7. Enter the
        Application Secret value
         for permission to Azure Active Directory API
      8. In
        X.509 certificate
         paste the Azure AD SAML
        Signing Certificate Base64
         into this field
    5. Click
      Save

    Assign the AAD group name to a role

    Assign the AAD group name to a role.
    1. Go to
      Manage > Authentication > Groups
    2. Click
      Add Group
    3. Enter the name of the AAD group
    4. Click the
      SAML group
       radio button
    5. Select the Prisma Cloud role for the group
    6. Click
      Save
      Test logging into Prisma Cloud Console via Azure Active Directory SAML federation. Leave your existing session logged into Prisma Cloud Console in case you encounter issues. Open a new incognito browser window and go to
      https://<CONSOLE>:8083
       and select SAML authentication method.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.