Set up Just-in-Time Provisioning on Okta
Configure SSO with Just-in-time Provisioning on Okta.
To successfully set up local administrators
on the fly with Just-in-Time (JIT) provisioning, you need to configure
the Prisma Cloud app for Okta to provide the SAML claims or assertions
that enable Prisma Cloud to add the authenticated SSO user on Prisma
Cloud. Then, to ensure that the SSO user has the correct access
privileges on Prisma Cloud, you need to assign a Prisma Cloud role
to the user; if this role is not a default role on Prisma Cloud,
you must define the role before you assign the role to the user
on Okta. A use case for this is if you need to provision a user
just in time, but the user doesn’t exist in Prisma Cloud.
- Create the Prisma Cloud app for Okta. If you have not already created the SAML app for Prisma Cloud on Okta, see steps 2 and 3 in Set up SSO Integration on Prisma Cloud.
- For JIT provisioning of the user, create a custom attribute on the Prisma Cloud Okta app. If you need to add custom mandatory fields, follow these steps.
  - Go to Directory > Profile Editor > <apps>. Replace <apps> with the Prisma Cloud application that you want to add the custom attribute to. For example, app.stage User is a Prisma Cloud app.
  - After you find the Prisma Cloud app, select Profile, and then Add Attribute.
  - Select a data type and enter a display name, variable name, and an attribute length that is long enough to accommodate the role names on Prisma Cloud. If you have multiple roles, select the data type string array so that you have an array, or group of strings, to represent your role names in Prisma Cloud.
  - Save the new attribute.
  - Verify that the new attribute has been added. After you save the new attribute, it appears in the Okta UI as a table with its associated data. In this example, PrismaCloudRole is the display name of the new attribute.
- Configure the Attribute Statements on the Prisma Cloud Okta app. Specify the user attributes in the SAML assertion or claim that Prisma Cloud can use to create the local user account.
  - Select Applications > Applications.
  - Select the Prisma Cloud <app>, then General, and click Edit under the SAML Settings heading to add the attribute statements. Replace <app> with the name of the Prisma Cloud app you want to configure the attribute statements for. You must provide the email, role, first name, and last name for each user. The attribute statement names should map to the values that you have in Settings > Access Control > SSO > Just in Time (JIT) Provisioning.
- Assign the Prisma Cloud role for each SSO user. Each SSO user who is granted access to Prisma Cloud can have between one and five Prisma Cloud roles assigned. Each role determines the permissions and account groups that the user can access on Prisma Cloud.
  - Select Applications > Applications.
  - Select the Prisma Cloud app, then Assignments. For existing users, click the pencil icon to add the Prisma Cloud Role you want to give this user, for example, System Admin. For new users, select Assign > Assign to People, click Assign for the user you want to give access to Prisma Cloud, and define the Prisma Cloud Role you want to give this user.
- Continue with Set up Okta SSO on Prisma Cloud.
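The attribute statements configured above arrive at the service provider as an AttributeStatement inside the SAML assertion that Okta sends. The following Python is an added illustration, not Okta or Prisma Cloud code, of how a service provider reads those attributes and applies the rules on this page: email, first name and last name present and single-valued, and the role attribute a string array of one to five roles, each of which must already be defined on the Prisma Cloud side. The attribute names email, firstName, lastName and PrismaCloudRole, the sample assertion, and the set of defined roles are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed attribute statement names. In a real deployment these must match the
# names under Settings > Access Control > SSO > Just in Time (JIT) Provisioning.
JIT_ATTRIBUTE_MAP = {
    "email": "email",
    "first_name": "firstName",
    "last_name": "lastName",
    "role": "PrismaCloudRole",
}

MAX_ROLES = 5  # one to five Prisma Cloud roles per SSO user

# Constructed: roles already defined on Prisma Cloud. "System Admin" is a default
# role; "SecOps Reviewer" stands in for a custom role defined before assignment.
DEFINED_ROLES = {"System Admin", "SecOps Reviewer"}

# Constructed sample AttributeStatement, in the shape Okta emits after the
# attribute statements are configured. The role attribute is multi-valued.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email">
      <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="firstName">
      <saml2:AttributeValue>Alice</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="lastName">
      <saml2:AttributeValue>Example</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="PrismaCloudRole">
      <saml2:AttributeValue>System Admin</saml2:AttributeValue>
      <saml2:AttributeValue>SecOps Reviewer</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement.

    Signature, issuer and audience checks belong to the SAML library and are
    assumed to have passed before the attribute contents are inspected here.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml2:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    return attrs


def build_jit_user(assertion_xml, defined_roles, attribute_map=JIT_ATTRIBUTE_MAP):
    """Validate the JIT attributes and return the local user to create."""
    attrs = extract_attributes(assertion_xml)
    user = {}
    # Mandatory single-valued fields: email, first name, last name.
    for field in ("email", "first_name", "last_name"):
        name = attribute_map[field]
        values = attrs.get(name, [])
        if len(values) != 1:
            raise ValueError(f"attribute statement '{name}' is missing or not single-valued")
        user[field] = values[0]
    # Role is a string array of one to five names, each defined on Prisma Cloud.
    roles = attrs.get(attribute_map["role"], [])
    if not 1 <= len(roles) <= MAX_ROLES:
        raise ValueError(f"expected 1 to {MAX_ROLES} roles, got {len(roles)}")
    unknown = sorted(set(roles) - set(defined_roles))
    if unknown:
        raise ValueError(f"roles not defined on Prisma Cloud: {unknown}")
    user["roles"] = roles
    return user


def jit_error(assertion_xml, defined_roles):
    """Return the validation error message, or None when the assertion is accepted."""
    try:
        build_jit_user(assertion_xml, defined_roles)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(build_jit_user(SAMPLE_ASSERTION, DEFINED_ROLES))
    print(jit_error(SAMPLE_ASSERTION.replace("SecOps Reviewer", "Undefined Role"), DEFINED_ROLES))
```

The role check is the code-level counterpart of the requirement in the introduction that a non-default role be defined before it is assigned on Okta: a role name that does not exist on the service provider is rejected outright rather than silently dropped, so a misspelled attribute value cannot provision a user with an unintended subset of their roles.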