Set up SSO Integration on Prisma Cloud

To secure administrator access to Prisma Cloud, go to your identity provider's site to configure single sign-on and then configure Prisma Cloud for SSO.
On Prisma Cloud, you can enable single sign-on (SSO) using an Identity Provider (IdP) that supports Security Assertion Markup Language (SAML), such as Okta, Azure Active Directory, or PingID. You can configure only one IdP for all the cloud accounts that Prisma Cloud monitors.
To access Prisma Cloud using SSO, every administrative user requires a local account on Prisma Cloud. You can either Add Administrative Users On Prisma Cloud to create the local account in advance of enabling SSO, or use Just-In-Time (JIT) Provisioning on the SSO configuration on Prisma Cloud if you prefer to create the local account automatically. With JIT Provisioning, the first time a user logs in and successfully authenticates with your SSO IdP, the SAML assertions are used to create a local user account on Prisma Cloud.
To enable SSO, you must first complete the setup on the IdP. Then, log in to Prisma Cloud using an account with System Admin privileges to configure SSO and redirect login requests to the IdP’s login page, so that your Prisma Cloud administrative users can log in using SSO.
After you enable SSO, you must access Prisma Cloud from the IdP's portal. Prisma Cloud supports IdP-initiated SSO, and its SAML endpoint supports the POST method only.
As a best practice, enable a couple of administrative users with both local authentication credentials on Prisma Cloud and SSO access so that they can log in to the admin console and modify the SSO configuration when needed, without risk of account lockout. Also, any administrator who needs to access the Prisma Cloud API cannot use SSO and must authenticate directly to Prisma Cloud using the email address and password registered with Prisma Cloud.
  1. Decide whether you want to first Add Administrative Users On Prisma Cloud or you prefer to add users on the fly with JIT Provisioning when you Configure SSO on Prisma Cloud.
    If you want to enable JIT provisioning for users, Create Prisma Cloud Roles before you continue to the next step. When you configure SSO on the IdP, you must attach this role to the user's profile so that the user has the appropriate permissions and can monitor the assigned cloud accounts on Prisma Cloud.
  2. Copy the Audience URI for Prisma Cloud, which you need when you configure the IdP.
    1. Log in to Prisma Cloud and select Settings > SSO.
    2. Copy the Audience URI (SP Entity ID) value. This is a read-only field in the format https://app.prismacloud.io?customer=<string> that uniquely identifies your instance of Prisma Cloud. You require this value when you configure SAML on your IdP.
  3. Set up the Identity Provider for SSO.
    1. This workflow uses Okta as the IdP. Before you begin the Okta configuration, log in to your Prisma Cloud instance and copy the Audience URI (SP Entity ID) from Settings > SSO (for example, https://app.prismacloud.io/settings/sso).
    2. Log in to Okta as an Administrator and click Admin.
    3. Click Add Applications.
    4. Search for Prisma Cloud and click Add.
    5. On Create a New Application Integration, select Web for Platform and SAML 2.0 for Sign on method.
    6. Click Create.
    7. On General Settings, use these values and click Next.
      App Name - Prisma Cloud SSO app
      App Logo - Use the Prisma Cloud logo
      App Visibility - Do not check these options
    8. To Configure SAML, specify the Sign On URL.
      The Sign On URL is derived from the URL you use to access Prisma Cloud: replace app with api and append /saml. For example, if you access Prisma Cloud at https://app2.prismacloud.io, your Sign On URL should be https://api2.prismacloud.io/saml, and if it is https://app.eu.prismacloud.io, it should be https://api.eu.prismacloud.io/saml.
    9. For Audience URI, use the value displayed on Prisma Cloud under Settings > SSO that you copied in the first step.
    10. Select Name ID format as EmailAddress and Application username as Email.
    11. In the Advanced section, select Response as Unsigned, Assertion Signature as Signed, and Assertion Encryption as Unencrypted.
    12. Assign users who can use the Prisma Cloud SSO app to log in to Prisma Cloud.
    13. (Required only for JIT provisioning of a local user account on Prisma Cloud) Specify the attributes to send with the SAML assertion.
    14. (Required only for JIT provisioning of a local user account on Prisma Cloud) Assign the role you created on Prisma Cloud to the user profile.
      You have now successfully created an application for the SAML integration. This application has the details of the IdP URL and Certificate, which you need to add on Prisma Cloud to complete the SSO integration.
  4. Configure SSO on Prisma Cloud.
    1. Log in to Prisma Cloud and select Settings > SSO.
    2. Enable SSO.
    3. Enter the value for your Identity Provider Issuer.
      This is the URL of a trusted provider such as Google, Salesforce, Okta, or Ping that acts as your IdP in the authentication flow. On Okta, for example, you can find the Identity Provider Issuer URL at Applications > Sign On > View Setup Instructions. The setup instructions include both the Identity Provider Issuer and the Prisma Cloud Access SAML URL.
    4. Enter the Identity Provider Logout URL to which a user is redirected when Prisma Cloud times out or when the user logs out.
    5. Enter your IdP Certificate in the standard X.509 format. You must copy and paste this from your IdP.
    6. Enter the Prisma Cloud Access SAML URL configured in your IdP settings.
      For example, on Okta this is the Identity Provider Single Sign-On URL. When you click this URL, after authentication with your IdP, you are redirected to Prisma Cloud. This link, along with the Relay State parameter, is used for all the redirection links embedded in notifications such as email, Slack, SQS, and compliance reports.
    7. Relay State Param name is the SAML-specific Relay State parameter name. If you provide this parameter along with the Prisma Cloud Access SAML URL, all notification links in Splunk, Slack, SQS, email, and reports can link directly to the Prisma Cloud application. The relay state parameter name or value is specific to your Identity Provider. For example, this value is RelayState for Okta.
      When using RelayState functionality, make sure your Prisma Cloud Access SAML URL corresponds to the Identity Provider Single Sign-On URL ending in /sso/saml.
    8. (Optional) Clear the Enforce DNS Resolution for Prisma Cloud Access SAML URL option.
      By default, Prisma Cloud performs a DNS lookup to resolve the Prisma Cloud Access SAML URL you entered earlier. If your IdP is on your internal network and you do not need to perform a DNS lookup, you can clear this option to bypass the DNS lookup.
    9. (Optional) Enable Just-in-Time Provisioning for SSO users.
      Select Enable JIT Provisioning if you want to create a local account for users who are authenticated by the IdP.
    10. Provide the user attributes in the SAML assertion or claim that Prisma Cloud can use to create the local user account.
      You must provide the email, role, first name, and last name for each user. Timezone is optional.
      The role that you specify for the user's profile on the IdP must match what you created on Prisma Cloud in Step 1.
    11. Select Allow select users to authenticate directly with Prisma Cloud to configure some users to access Prisma Cloud directly using their email address and password registered with Prisma Cloud, in addition to logging in via the SSO provider.
      When you enable SSO, make sure to select a few users who can also access Prisma Cloud directly using the email and password registered locally on Prisma Cloud, so that you are not locked out of the console if SSO is misconfigured and you need to modify the IdP settings. For accessing data through APIs, you need to authenticate directly to Prisma Cloud.
    12. Select the Users who can access Prisma Cloud either using local authentication credentials on Prisma Cloud or using SSO.
      The whitelisted users can log in using SSO and also using a local account username and password that you have created on Prisma Cloud.
    13. Save your changes.
    14. Verify access using SSO.
      Administrative users for whom you have enabled SSO must access Prisma Cloud from the Identity Provider's portal. For example, if you have integrated Prisma Cloud with Okta, administrative users must log in to Okta and then click the Prisma Cloud app icon to be logged in to Prisma Cloud.
    15. Using View last SSO login failures, you can see details of the last five login issues or errors for SSO authentication for any user.
    If a user is already logged in using a username and password and then logs in using SSO, the authentication token in the browser's local storage is replaced with the latest token.
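The two places where this procedure is most often misconfigured are the Sign On URL in step 3.8 and the JIT attributes in step 4.10. The following Python script is an added example, not Palo Alto Networks or Okta code: it derives the Sign On URL from a Prisma Cloud app URL and pre-checks a SAML assertion for the NameID format and attributes that JIT provisioning needs. The attribute names (email, role, firstName, lastName), the role names and the sample assertion are constructed for illustration; substitute the names you configured in your IdP's attribute statements.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Assumed attribute names: use the names you configured in the IdP's attribute statements.
REQUIRED_ATTRS = ("email", "role", "firstName", "lastName")


def sign_on_url(app_url: str) -> str:
    """Derive the Okta Sign On URL: replace 'app' with 'api' in the host and append /saml."""
    host = urlparse(app_url).hostname or ""
    if not re.fullmatch(r"app[0-9]*(\.[a-z0-9-]+)*\.prismacloud\.io", host):
        raise ValueError(f"not a Prisma Cloud app URL: {app_url}")
    return "https://api" + host[3:] + "/saml"


def check_jit_assertion(xml_text: str, prisma_roles: set) -> list:
    """Return the problems that would stop JIT provisioning; an empty list means OK."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not any(attrs.get(name, [])):
            problems.append(f"missing attribute: {name}")
    # The role sent by the IdP must match a role that already exists on Prisma Cloud.
    for role in attrs.get("role", []):
        if role not in prisma_roles:
            problems.append(f"role {role!r} does not exist on Prisma Cloud")
    return problems


# Constructed sample assertion; lastName is deliberately omitted to show a failing check.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>Cloud Auditor</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(sign_on_url("https://app.eu.prismacloud.io"))
    print(check_jit_assertion(SAMPLE_ASSERTION, {"System Admin", "Cloud Auditor"}))
```

The assertion check only validates structure; it does not verify the assertion signature, which Prisma Cloud does itself using the IdP certificate you entered in step 4.5.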
