Set up Just-in-Time Provisioning on Okta

Configure SSO with Just-in-time Provisioning on Okta.
To successfully set up local administrators on the fly with Just-in-Time (JIT) provisioning, you need to configure the Prisma Cloud app for Okta to provide the SAML claims or assertions that enable Prisma Cloud to add the authenticated SSO user on Prisma Cloud. Then, to ensure that the SSO user has the correct access privileges on Prisma Cloud, you need to assign a Prisma Cloud role to the user; if this role is not a default role on Prisma Cloud, you must define the role before you assign the role to the user on Okta. A use case for this is if you need to provision a user just in time, but the user doesn’t exist in Prisma Cloud.
  1. Create the Prisma Cloud App for Okta.
    If you have not already created the SAML app for Prisma Cloud on Okta, see steps 2 and 3 in Set up SSO Integration on Prisma Cloud.
  2. For JIT provisioning of the user, create a custom attribute on the Prisma Cloud Okta app.
    If you need to add custom mandatory fields, follow these steps.
    1. Go to Directory > Profile Editor > <apps>.
      Replace <apps> with the Prisma Cloud application that you want to add the custom attribute to. For example, app.stage User is a Prisma Cloud app.
    2. After you find the Prisma Cloud app, select Profile, and then Add Attribute.
    3. Select a data type and enter a display name, variable name, and an attribute length that is long enough to accommodate the role names on Prisma Cloud.
      If you have multiple roles, select the data type string array so that you have an array (a group of strings) to represent your role names in Prisma Cloud.
    4. Save the new attribute.
    5. Verify that the role has been added.
      After you save the new attribute, it is displayed in the Okta UI as a table with its associated data. In this example, PrismaCloudRole is the display name of the new attribute.
  3. Configure the Attribute Statements on the Prisma Cloud Okta app.
    Specify the user attributes in the SAML assertion or claim that Prisma Cloud can use to create the local user account.
    1. Select Applications > Applications.
    2. Select the Prisma Cloud <app>, then General, and click Edit under the SAML Settings heading to add the attribute statements.
      Replace <app> with the name of the Prisma Cloud app you want to configure the attribute statements for. You must provide the email, role, first name, and last name for each user.
      The attribute statement names should map to the values that you have in Settings > Access Control > SSO > Just in Time (JIT) Provisioning.
  4. Assign the Prisma Cloud role for each SSO user.
    Each SSO user who is granted access to Prisma Cloud can have one to five Prisma Cloud roles assigned. Each role determines the permissions and account groups that the user can access on Prisma Cloud.
    1. Select Applications > Applications.
    2. Select the Prisma Cloud app and then Assignments.
      For existing users, click the pencil icon to add the Prisma Cloud Role you want to give this user. For example, System Admin.
      For new users, select Assign > Assign to People, click Assign for the user you want to give access to Prisma Cloud, and define the Prisma Cloud Role you want to give this user.
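The following is an added example (not Okta's or Prisma Cloud's code) that shows what the attribute statements from steps 3 and 4 look like once they arrive in a SAML assertion, and how to check that an assertion carries every field JIT provisioning needs: the email, the first and last name, and a string-array role attribute with one to five values. The attribute names email, firstName, lastName and PrismaCloudRole are assumptions standing in for whatever you mapped under Settings > Access Control > SSO > Just in Time (JIT) Provisioning, and the assertion is a constructed sample, not one captured from a tenant.

```python
"""Check the AttributeStatement of a SAML assertion against the JIT provisioning mapping."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed attribute statement names (they must match the JIT Provisioning mapping
# configured on Prisma Cloud; substitute your own names here).
REQUIRED_ATTRIBUTES = {
    "email": "email",
    "first_name": "firstName",
    "last_name": "lastName",
    "role": "PrismaCloudRole",
}
MAX_ROLES = 5  # Prisma Cloud accepts one to five roles per SSO user

# Constructed sample assertion. "Constructed Custom Role" is a made-up role name;
# "System Admin" is the example role used in the procedure above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="PrismaCloudRole">
      <saml:AttributeValue>System Admin</saml:AttributeValue>
      <saml:AttributeValue>Constructed Custom Role</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [value, ...]} from the assertion's AttributeStatement.

    A string-array attribute (the role) shows up as several AttributeValue
    children under one Attribute element, so every attribute is returned as a list.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_jit_claims(assertion_xml: str) -> dict:
    """Map the assertion onto the JIT provisioning fields and report what is missing.

    Returns the provisioning fields plus a "problems" list; an empty list means
    the assertion carries everything needed to create the local user.
    """
    attrs = extract_attributes(assertion_xml)
    result = {"problems": []}
    for field, claim_name in REQUIRED_ATTRIBUTES.items():
        values = [v.strip() for v in attrs.get(claim_name, []) if v.strip()]
        if not values:
            result["problems"].append(f"missing or empty attribute '{claim_name}' for {field}")
            continue
        # The role is a string array; the other fields are single values.
        result[field] = values if field == "role" else values[0]
    roles = result.get("role", [])
    if len(roles) > MAX_ROLES:
        result["problems"].append(f"{len(roles)} roles in assertion; at most {MAX_ROLES} are allowed")
    return result


if __name__ == "__main__":
    print(check_jit_claims(SAMPLE_ASSERTION))
```

This only inspects the attribute statement; signature and audience validation of the assertion belong to the SAML library that receives it, and the check above is meant for confirming that the Okta attribute statements line up with the Prisma Cloud mapping before users are assigned.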