To secure administrator access to Prisma Cloud, go to
your identity provider's site to configure single sign-on and then
configure Prisma Cloud for SSO.
On Prisma Cloud, you can enable single sign-on
(SSO) using an Identity Provider (IdP) that supports Security Assertion
Markup Language (SAML), such as Okta, Microsoft Active Directory
Federation Services (AD FS), Azure Active Directory (AD), Google,
or OneLogin. You can configure only one IdP for all the cloud accounts
that Prisma Cloud monitors.
To access Prisma Cloud using SSO,
every administrative user requires a local account on Prisma Cloud.
You can either Add Administrative Users On Prisma Cloud to create
the local account in advance of enabling SSO, or use Just-In-Time
(JIT) Provisioning on the SSO configuration on Prisma Cloud if you
prefer to create the local account automatically. With JIT Provisioning,
the first time a user logs in and successfully authenticates with
your SSO IdP, the SAML assertions are used to create a local user
account on Prisma Cloud.
To enable SSO, you must first complete
the setup on the IdP. Then, log in to Prisma Cloud using an account
with System Admin privileges to configure SSO and redirect login
requests to the IdP's login page, so that your Prisma Cloud administrative
users can log in using SSO. After you enable SSO, you must access
Prisma Cloud from the IdP's portal. Prisma Cloud supports IdP-initiated
SSO, and its SAML endpoint supports the POST method only.
As a best practice, enable a couple of administrative users with both
local authentication credentials on Prisma Cloud and SSO access
so that they can log in to the administrative console and modify
the SSO configuration when needed, without risk of account lockout.
Make sure that each administrator has activated their Palo Alto
Networks Customer Support Portal (CSP) account using the Welcome
to Palo Alto Networks Support email and set a password to access
Any administrator who needs to access the Prisma
Cloud API cannot use SSO and must authenticate directly to Prisma
Cloud using the email address and password registered with Prisma
If you want to enable JIT provisioning for users, Create Prisma Cloud Roles before you
continue to the next step. When you configure SSO on the IdP, you
must attach this role to the user's profile so that the user has
the appropriate permissions and can monitor the assigned cloud accounts
on Prisma Cloud.
Copy the Audience URI for Prisma Cloud, which users
need to access from the IdP.
Log in to Prisma Cloud and select
Audience URI (SP Entity ID)
This is a read-only field in the format: https://app.prismacloud.io?customer=<string>
to uniquely identify your instance of Prisma Cloud. You require
this value when you configure SAML on your IdP.
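The following script is an added example, not part of the Prisma Cloud documentation or the product's own code. It shows, on a constructed and unsigned sample assertion, the checks that the JIT provisioning and Audience URI steps above depend on: that the Audience URI you copy from Prisma Cloud has the documented https://app.prismacloud.io?customer=<string> shape, that the IdP's assertion names exactly that audience, that the assertion is inside its validity window, and that it carries a subject and a role attribute from which a local account can be matched or created. The attribute name "role", the tenant value "EXAMPLE-TENANT", the issuer and the user address are placeholders chosen for the example; signature verification is left to Prisma Cloud itself and is not reproduced here.

```python
"""Sanity checks for the SAML settings an SSO rollout depends on (added example)."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Shape of the read-only Audience URI (SP Entity ID) shown in the Prisma Cloud
# SSO settings; the customer value is tenant-specific, so only the shape is checked.
AUDIENCE_RE = re.compile(r"^https://app\.prismacloud\.io\?customer=[^\s&]+$")

# Assumed name of the SAML attribute that carries the Prisma Cloud role used by
# JIT provisioning; the real attribute name is whatever you configure on the IdP.
ROLE_ATTRIBUTE = "role"

# Constructed sample assertion for this example: unsigned, with placeholder
# tenant, issuer and user values (not a captured message).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>admin@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.prismacloud.io?customer=EXAMPLE-TENANT</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>System Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def audience_uri_is_valid(uri: str) -> bool:
    """True if uri has the Prisma Cloud Audience URI (SP Entity ID) shape."""
    return AUDIENCE_RE.match(uri) is not None


def _parse_time(value: str) -> datetime:
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants +00:00 on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assertion(xml_text: str) -> dict:
    """Pull the fields relevant to SSO login and JIT provisioning out of an assertion."""
    root = ET.fromstring(xml_text)
    if root.tag.endswith("}Response"):  # also accept a full samlp:Response wrapper
        root = root.find("saml:Assertion", NS)
    cond = root.find("saml:Conditions", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
        "audiences": [a.text for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "not_before": cond.get("NotBefore") if cond is not None else None,
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
        "attributes": attrs,
    }


def check_assertion(xml_text: str, expected_audience: str,
                    now_iso: Optional[str] = None) -> list:
    """Return a list of problems; an empty list means the assertion passes these checks.

    Signature verification is deliberately out of scope: Prisma Cloud validates the
    IdP signature itself. Only the audience, time window, subject and role attribute
    that the configuration steps depend on are checked here.
    """
    now = _parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    a = parse_assertion(xml_text)
    problems = []
    if not audience_uri_is_valid(expected_audience):
        problems.append("expected audience is not in the Prisma Cloud Audience URI format")
    if expected_audience not in a["audiences"]:
        problems.append("audience restriction does not name the expected Audience URI")
    if a["not_before"] and now < _parse_time(a["not_before"]):
        problems.append("assertion not yet valid (NotBefore)")
    if a["not_on_or_after"] and now >= _parse_time(a["not_on_or_after"]):
        problems.append("assertion expired (NotOnOrAfter)")
    if not a["subject"]:
        problems.append("missing Subject NameID, so no local account can be matched or created")
    if ROLE_ATTRIBUTE not in a["attributes"]:
        problems.append(f"missing '{ROLE_ATTRIBUTE}' attribute needed for JIT provisioning")
    return problems


if __name__ == "__main__":
    # With the constructed sample and a time inside its window, no problems are reported.
    print(check_assertion(SAMPLE_ASSERTION,
                          "https://app.prismacloud.io?customer=EXAMPLE-TENANT",
                          "2024-01-01T00:02:00Z"))
```

Pass the Audience URI copied from the Prisma Cloud SSO settings as expected_audience; a mismatch there is the most common reason an otherwise valid IdP-initiated login is rejected, and a missing role attribute is what leaves a JIT-provisioned user without permissions.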
Set up the Identity Provider (Okta, Microsoft AD FS,
Azure AD, Google, or OneLogin) for SSO as described in the next