Set up Just-in-Time Provisioning on Google

Configure SSO with Just-in-time Provisioning on Google.
To successfully set up local administrators on the fly with Just-in-Time (JIT) provisioning, you need to configure the Prisma Cloud app for Google to provide the SAML responses that enable Prisma Cloud to add the authenticated SSO user on Prisma Cloud. Then, to ensure that the SSO user has the correct access privileges on Prisma Cloud, you need to assign a Prisma Cloud role to the user; if this role is not a default role on Prisma Cloud, you must define the role before you assign the role to the user on Google.
  1. Create the JIT attributes for Google.
    If you have not already created the SAML app for Prisma Cloud on Google, see setup-sso-integration-on-prisma-cloud-for-google.xml[Set up Google SSO on Prisma Cloud].
  2. Create a custom role in Google that will be used as a Prisma Cloud role. For the Prisma Cloud role to be available to each user, this role attribute should be available to each registered user in the Google workspace.
    1. Log in to Google as a Super Administrator and select
    2. Select
      Manage Custom Attributes
    3. Add Custom Attribute
    4. Enter the following details:
      • Category
        —Enter a name for the category, for example Prisma Specific.
      • Custom fields - Name
        —Enter the Role as the name, select Info type Text. and depending on your organization’s requirement, you can select single or multi-value. Prisma Cloud supports multiple roles for a single user.
    5. Add
      to complete adding the role as a custom attribute.
  3. Map the JIT attributes.
    1. Log in to Google as a Super Administrator and select
      Web and mobile apps
    2. Click on the application for which you want to enable JIT provisioning.
    3. Expand
      SAML attribute mapping
      and click
      Add Mapping
    4. Enter email, first name, last name, and role attributes and
    5. Copy the attribute names that you mapped in the above Step.
  4. Enable JIT.
    1. Log in to Prisma Cloud and select
    2. Under Just in Time (JIT) Provisioning,
      Enable JIT Provisioning
    3. Enter the value of the attributes. These are the attribute names from Step 3 above.
    4. Save
      to enable JIT for the user.
  5. Validate JIT.
    1. Log in to Google Mail as a user who belongs to Google Workspace and is not yet provisioned in Prisma Cloud. Make sure all the attributes, including Prisma specific role has been configured for this user.
    2. Click
      Prisma <name>
      (the SAML custom application that you had configured) to log directly in to the Prisma Cloud instance.
    3. Log in to Prisma Cloud as an Administrator and select
      to validate that the above user is provisioned.

Recommended For You