1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Manage Prisma Cloud Administrators
    6. Set up SSO Integration on Prisma Cloud
    7. Set up Just-in-Time Provisioning on Google

    Set up Just-in-Time Provisioning on Google

    Configure SSO with Just-in-time Provisioning on Google.
    To successfully set up local administrators on the fly with Just-in-Time (JIT) provisioning, you need to configure the Prisma Cloud app for Google to provide the SAML responses that enable Prisma Cloud to add the authenticated SSO user on Prisma Cloud. Then, to ensure that the SSO user has the correct access privileges on Prisma Cloud, you need to assign a Prisma Cloud role to the user; if this role is not a default role on Prisma Cloud, you must define the role before you assign the role to the user on Google.
    1. Create the JIT attributes for Google.
      If you have not already created the SAML app for Prisma Cloud on Google, see setup-sso-integration-on-prisma-cloud-for-google.xml[Set up Google SSO on Prisma Cloud].
    2. Create a custom role in Google that will be used as a Prisma Cloud role. For the Prisma Cloud role to be available to each user, this role attribute should be available to each registered user in the Google workspace.
      1. Log in to Google as a Super Administrator and select
        Directory
        Users
        .
      2. Select
        More
        Manage Custom Attributes
        .
      3. Add Custom Attribute
        .
      4. Enter the following details:
        • Category
          —Enter a name for the category, for example Prisma Specific.
        • Custom fields - Name
          —Enter the Role as the name, select Info type Text. and depending on your organization’s requirement, you can select single or multi-value. Prisma Cloud supports multiple roles for a single user.
      5. Add
         to complete adding the role as a custom attribute.
    3. Map the JIT attributes.
      1. Log in to Google as a Super Administrator and select
        Apps
        Web and mobile apps
        .
      2. Click on the application for which you want to enable JIT provisioning.
      3. Expand
        SAML attribute mapping
         and click
        Add Mapping
        .
      4. Enter email, first name, last name, and role attributes and
        Save
        .
      5. Copy the attribute names that you mapped in the above Step.
    4. Enable JIT.
      1. Log in to Prisma Cloud and select
        Settings
        SSO
        .
      2. Under Just in Time (JIT) Provisioning,
        Enable JIT Provisioning
        .
      3. Enter the value of the attributes. These are the attribute names from Step 3 above.
      4. Save
         to enable JIT for the user.
    5. Validate JIT.
      1. Log in to Google Mail as a user who belongs to Google Workspace and is not yet provisioned in Prisma Cloud. Make sure all the attributes, including Prisma specific role has been configured for this user.
      2. Click
        Prisma <name>
         (the SAML custom application that you had configured) to log directly in to the Prisma Cloud instance.
      3. Log in to Prisma Cloud as an Administrator and select
        Settings
        Users
         to validate that the above user is provisioned.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo