1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Manage Prisma Cloud Administrators
    6. Set up SSO Integration on Prisma Cloud
    7. Set up ADFS SSO on Prisma Cloud

    Set up ADFS SSO on Prisma Cloud

    To secure administrator access to Prisma Cloud, go to ADFS to configure single sign-on (SSO) and then configure Prisma Cloud for SSO.
    Active Directory Federation Services (AD FS) is a service provided by Microsoft as a standard role for Windows Server that provides a web login using the existing Active Directory (AD) credentials.
    1. Decide whether you want to first Add Administrative Users On Prisma Cloud or you prefer to add users on the fly with JIT Provisioning when you Configure AD FS SSO on Prisma Cloud.
      If you want to enable JIT provisioning for users, Create Prisma Cloud Roles before you continue to the next step. When you configure SSO on AD FS, you must attach this role to the user‘s profile so that the user has the appropriate permissions and can monitor the assigned cloud accounts on Prisma Cloud.
    2. Copy the Audience URI, for Prisma Cloud, which users need to access from AD FS.
      1. Log in to Prisma Cloud and select
        Settings
        SSO
        .
      2. Copy the
        Audience URI (SP Entity ID)
         value. This is a read-only field in the format: https://app.prismacloud.io?customer=<string> to uniquely identify your instance of Prisma Cloud. You require this value when you configure SAML on AD FS.
    3. Set up AD FS for SSO.
      1. Before you begin to set up the AD FS configuration, login to your Prisma Cloud account and copy the
        Audience URI (SP Entity ID)
         from Prisma Cloud as described in STEP 2.
      2. Login to AD FS as an Administrator and Create a SAML SSO Prisma Cloud application.
      3. Under the
        Identifiers
         tab, enter the relying party URL, for example: https://app.prismacloud.io/
        Depending on the location of your tenant, which is displayed in the login URL, replace ‘app’ with ‘app2’ or ‘app.eu’, for example: https://app.eu.prismacloud.io/
        Remember to enter the forward slash at the end of the URL.
      4. Under the
        Endpoints
         tab, enter the Assertion Consumer Service (ACS) URL, for example: https://api.prismacloud.io/saml
        Depending on the location of your tenant, which is displayed in the login URL, replace ‘api’ with ‘api2’ or ‘api.eu’, for example: https://api.eu.prismacloud.io/saml
        You can also add the logout endpoint.
      5. Use a transform rule to pass the email address as the NameID attribute and click
        OK
        .
    4. Configure AD FS on Prisma Cloud.
      1. Log in to Prisma Cloud and select
        Settings
        SSO
        .
      2. Enable SSO
        .
      3. Enter the value for your AD FS Issuer.
        The Issuer URL is part of the assertion, for example: https://adfs.domain.com/adfs/services/trust
      4. Enter the
        Identity Provider Logout URL
        .
        A user is redirected to this URL when Prisma Cloud times out or when the user logs out.
      5. Enter your AD FS
        Certificate
         in the PEM format.
        The certificate is used to verify that the assertion is signed correctly.
      6. Enter the
        Prisma Cloud Access SAML URL
         configured in your AD FS settings, for example: https://adfs.domain.com/adfs/ls/idpinitiatedsignon.aspx?logintorp=https://app.prismacloud.io

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo