Set up Google SSO on Prisma Cloud

To secure administrator access to Prisma Cloud, set up Google as the Identity Provider (IdP) and then configure Prisma Cloud as the Service Provider (SP) for SSO.
On Prisma Cloud, you can enable single sign-on (SSO) using Google. To enable SSO, you must first complete the setup on Google. You can then log in with System Administrator privilege on Prisma Cloud to configure SSO and redirect login requests to the Google login page so that your Prisma Cloud administrative users can log in using SSO.
  1. Set up Google for SSO.
    1. Before you begin to set up Google configuration, log in to your Prisma Cloud instance, select
      Settings
      SSO
      and copy the Audience URI (SP Entity ID). For example: https://app.prismacloud.io/settings/sso.
    2. Log in to Google Workspace as a Super Administrator.
    3. From the left navigation menu, select
      Apps
      Web and mobile Apps
      .
    4. Select
      Add App
      Add custom SAML App
      .
    5. Enter a
      Name
      for your application, for example Prisma App1, upload an icon (optional), and
      Continue
      .
    6. SSO connection details are displayed. You can either
      Download
      the IdP metadata (Option 1) or
      Copy
      the following information (Option 2), and
      Continue
      :
      • SSO URL
      • Entity ID
      • Certificate
    7. Enter the following Prisma Cloud (service provider) details and
      Continue
      :
      • ACS URL
        —Enter your Prisma Cloud URL, however, replace app with api and add saml at the end. For example, if you access Prisma Cloud at https://app.prismacloud.io, enter https://api.prismacloud.io/saml.
      • Entity ID
        —Enter the Audience URI (SP Entity ID) value you copied in Step 1 above.
    8. (Optional)
      Enable Just in Time (JIT) Provisioning for SSO users.
      Enable JIT Provisioning
      , if you want to create a local account for users who are authenticated by Google. With JIT, the user is provisioned with the first five roles mapped to the user’s profile on Google.
    9. Finish
      to complete setting up Google as an IdP. Do not close the Google Workspace page in order to validate SSO after you complete setting up Prism Cloud.
  2. Configure SSO on Prisma Cloud.
    1. Log in to Prisma Cloud and select
      Settings
      SSO
      .
    2. Enable SSO
      .
    3. Paste the values you copied in Step 6 above.
      • Identity Provider Issuer
        —Enter the
        Entity ID
        value.
      • Certificate
        —Enter the
        Certificate
        value in the standard X.509 format.
      • (Optional)
        Identity Provider Logout URL
        —Enter the
        SSO URL
        value to which a user is redirected to, when Prisma Cloud times out or when the user logs out.
    4. Select
      Allow select users to authenticate directly with Prisma Cloud
      to configure some users to access Prisma Cloud directly using their email address and password registered with Prisma Cloud, in addition to logging in using Google IdP.
      When you enable SSO, make sure to select a few users who can also access Prisma Cloud directly using the email and password that is registered locally on Prisma Cloud to ensure that you are not locked out of the console in the event you have misconfigured SSO and need to modify the IdP settings. For accessing data through APIs, you need to authenticate directly to Prisma Cloud.
    5. Select the
      Users
      who can access Prisma Cloud either using local authentication credentials on Prisma Cloud or using SSO.
      The users listed in the allow list can log in using SSO and also using a local account username and password that you have created on Prisma Cloud.
    6. Save
      to complete setting up Prisma Cloud to trust Google as an IdP.
    7. On the Google Workspace page, click
      Test SAML Login
      to verify access using SSO. When prompted for user details, make sure to enter the email of a user who has already been provisioned on Prisma Cloud.

Recommended For You