Set up SSO Integration on Prisma Cloud

To secure administrator access to Prisma Cloud, go to your identity provider's site to configure single sign-on and then configure Prisma Cloud for SSO.
On Prisma Cloud, you can enable single sign-on (SSO) using an Identity Provider (IdP) that supports Security Assertion Markup Language (SAML), such as Okta, Microsoft Active Directory Federation Services (AD FS), Azure Active Directory (AD), Google, or OneLogin. You can configure only one IdP for all the cloud accounts that Prisma Cloud monitors.
To access Prisma Cloud using SSO, every administrative user requires a local account on Prisma Cloud. You can either Add Administrative Users On Prisma Cloud to create the local account in advance of enabling SSO, or use Just-In-Time (JIT) Provisioning on the SSO configuration on Prisma Cloud if you prefer to create the local account automatically. With JIT Provisioning, the first time a user logs in and successfully authenticates with your SSO IdP, the SAML assertions are used to create a local user account on Prisma Cloud.
To enable SSO, you must first complete the setup on the IdP. Then, log in to Prisma Cloud using an account with System Admin privileges to configure SSO and redirect login requests to the IdP’s login page, so that your Prisma Cloud administrative users can log in using SSO. After you enable SSO, you must access Prisma Cloud from the IdP’s portal. Prisma Cloud supports IdP initiated SSO, and it’s SAML endpoint supports the POST method only.
As a best practice, enable a couple administrative users with both local authentication credentials on Prisma Cloud and SSO access so that they can log in to the administrative console and modify the SSO configuration when needed, without risk of account lockout. Make sure that each administrator has activated their Palo Alto Networks Customer Support Portal (CSP) account using the Welcome to Palo Alto Networks Support email and set a password to access the portal.
Any administrator who needs to access the Prisma Cloud API cannot use SSO and must authenticate directly to Prisma Cloud using the email address and password registered with Prisma Cloud.
  1. Decide whether you want to first add Add Administrative Users On Prisma Cloud or you prefer to add users on the fly with JIT Provisioning when you configure SSO on Prisma Cloud.
    If you want to enable JIT provisioning for users, Create Prisma Cloud Roles before you continue to the next step. When you configure SSO on the IdP, you must attach this role to the user‘s profile so that the user has the appropriate permissions and can monitor the assigned cloud accounts on Prisma Cloud.
  2. Copy the Audience URI, for Prisma Cloud, which users need to access from the IdP.
    1. Log in to Prisma Cloud and select
      Settings
      SSO
      .
    2. Copy the
      Audience URI (SP Entity ID)
      value. This is a read-only field in the format: https://app.prismacloud.io?customer=<string> to uniquely identify your instance of Prisma Cloud. You require this value when you configure SAML on your IdP.
  3. Set up the Identity Provider (Okta, Microsoft AD FS, Azure AD, Google, or OneLogin) for SSO as described in the next section.

Recommended For You