Set up ADFS SSO on Prisma Cloud

To secure administrator access to Prisma Cloud, go to ADFS to configure single sign-on (SSO) and then configure Prisma Cloud for SSO.
Active Directory Federation Services (AD FS) is a service provided by Microsoft as a standard role for Windows Server that provides a web login using the existing Active Directory (AD) credentials.
  1. Decide whether you want to first Add Administrative Users On Prisma Cloud or you prefer to add users on the fly with JIT Provisioning when you Configure AD FS SSO on Prisma Cloud.
    If you want to enable JIT provisioning for users, Create Prisma Cloud Roles before you continue to the next step. When you configure SSO on AD FS, you must attach this role to the user‘s profile so that the user has the appropriate permissions and can monitor the assigned cloud accounts on Prisma Cloud.
  2. Copy the Audience URI, for Prisma Cloud, which users need to access from AD FS.
    1. Log in to Prisma Cloud and select
      Settings
      SSO
      .
    2. Copy the
      Audience URI (SP Entity ID)
      value. This is a read-only field in the format: https://app.prismacloud.io?customer=<string> to uniquely identify your instance of Prisma Cloud. You require this value when you configure SAML on AD FS.
  3. Set up AD FS for SSO.
    1. Before you begin to set up the AD FS configuration, login to your Prisma Cloud account and copy the
      Audience URI (SP Entity ID)
      from Prisma Cloud as described in STEP 2.
    2. Login to AD FS as an Administrator and Create a SAML SSO Prisma Cloud application.
    3. Under the
      Identifiers
      tab, enter the relying party URL, for example: https://app.prismacloud.io/
      Depending on the location of your tenant, which is displayed in the login URL, replace ‘app’ with ‘app2’ or ‘app.eu’, for example: https://app.eu.prismacloud.io/
      Remember to enter the forward slash at the end of the URL.
    4. Under the
      Endpoints
      tab, enter the Assertion Consumer Service (ACS) URL, for example: https://api.prismacloud.io/saml
      Depending on the location of your tenant, which is displayed in the login URL, replace ‘api’ with ‘api2’ or ‘api.eu’, for example: https://api.eu.prismacloud.io/saml
      You can also add the logout endpoint.
    5. Use a transform rule to pass the email address as the NameID attribute and click
      OK
      .
  4. Configure AD FS on Prisma Cloud.
    1. Log in to Prisma Cloud and select
      Settings
      SSO
      .
    2. Enable SSO
      .
    3. Enter the value for your AD FS Issuer.
      The Issuer URL is part of the assertion, for example: https://adfs.domain.com/adfs/services/trust
    4. Enter the
      Identity Provider Logout URL
      .
      A user is redirected to this URL when Prisma Cloud times out or when the user logs out.
    5. Enter your AD FS
      Certificate
      in the PEM format.
      The certificate is used to verify that the assertion is signed correctly.
    6. Enter the
      Prisma Cloud Access SAML URL
      configured in your AD FS settings, for example: https://adfs.domain.com/adfs/ls/idpinitiatedsignon.aspx?logintorp=https://app.prismacloud.io

Recommended For You