Set up Azure AD SSO on Prisma Cloud

To secure administrator access to Prisma Cloud, go to Microsoft AAD site to configure single sign-on and then configure Prisma Cloud for SSO.
On Prisma Cloud, you can enable single sign-on (SSO) using Microsoft Azure Active Directory (AAD). To enable SSO, you must first complete the setup on the Microsoft AAD. You can then log in with System Administrator privilege on Prisma Cloud to configure SSO and redirect login requests to the IdP login page so that your Prisma Cloud administrative users can log in using SSO.
After you enable SSO, you must access Prisma Cloud from the Microsoft AAD portal. Prisma Cloud supports IdP initiated SSO, and its SAML endpoint supports the POST method only.
  1. Set up Microsoft AAD for SSO by creating an external application for Prisma Cloud and configuring SSO for it.
    1. Before you begin to set up Microsoft AAD configuration, log in to your Prisma Cloud instance and copy the Audience URI (SP Entity ID) from Prisma Cloud. For example:
    2. Log in to Microsoft Azure portal as an Administrator.
      You should have suitable administrative privileges to create an external application.
    3. Select
      All Services
      and click
      Azure Active Directory
    4. Select
      Enterprise Applications
      and click
      +New Application
    5. Choose
      Non-gallery Application
    6. Give a name for your application and click
    7. Select
      Single Sign-on
    8. For
      Single Sign-on Mode
      , select
      SAML-based Sign-on
    9. Enter
      Identity (Entity URL)
      , for example:
      Depending on the location of your tenant, which is displayed in the login URL, replace ‘app’ with ‘app2’ or ‘’, for example:
      Remember to enter the forward slash at the end of the URL.
    10. Enter
      Reply URL
      (Assertion Consumer Service URL), for example:
      Depending on the location of your tenant, which is displayed in the login URL, replace ‘api’ with ‘api2’ or ‘’, for example:
    11. Select
      User Identifier
    12. Download
      Certificate (Base64)
    13. Save
  2. Assign the users from Azure Active Directory to your newly created application.
    1. Log in to Microsoft Azure portal as an Administrator.
    2. From
      , select
      User and groups
    3. +Add User
      and select and add your users.
    4. Assign
  3. Add administrative users to Prisma Cloud.
  4. Configure SSO on Prisma Cloud.
    1. Log in to Prisma Cloud and select
      Access Control
    2. Enable SSO
    3. Audience URI (SP Entity ID)
      is a read-only field in the format:<string> to uniquely identify your tenant. Use this value in Configure SAML section in your IdP settings.
    4. In
      Identity Provider Issuer
      , enter the URL of Azure AAD in the authentication flow.
      In the setup instructions, you have Identity Provider Issuer and Prisma Cloud Access SAML URL.
    5. Enter
      Identity Provider Logout URL
      . You will be redirected to this URL when Prisma Cloud times out .
    6. Enter your IdP
      in the standard X.509 format.
    7. Prisma Cloud Access SAML URL
      is the URL specific to the Prisma Cloud application, which is configured in your IdP settings.
      When you click this URL, after authentication with your IdP, you are redirected to Prisma Cloud. This link along with the Relay State Parameter is used for all the redirection links embedded in notifications such as email, Slack, SQS, and compliance reports.
    8. Relay State Param name
      is a SAML specific Relay State parameter name. If you provide this parameter along with the Prisma Cloud Access SAML URL, all notification links in Splunk, Slack, SQS, email, and reports will have seamless access to the Prisma Cloud application. The relay state parameter or value is specific to your Identity Provider. For example, this value is
      for AAD.
      When using RelayState functionality, make sure your Prisma Cloud Access SAML URL corresponds to Identity Provider Single Sign-On URL ending in ‘/sso/saml’.
    9. Select
      Allow select users to authenticate directly with Prisma Cloud
      to configure some users to access Prisma Cloud directly using their email address and password registered with Prisma Cloud, in addition to logging in via the SSO provider.
      When you enable SSO, make sure to select a few users who can also access Prisma Cloud directly using the email and password that is registered locally on Prisma Cloud to ensure that you are not locked out of the console in the event you have misconfigured SSO and need to modify the IdP settings. For accessing data through APIs, you need to authenticate directly to Prisma Cloud.
    10. Select the
      who can access Prisma Cloud either using local authentication credentials on Prisma Cloud or using SSO.
    11. Verify access using SSO.
      Administrative users for whom you have enabled SSO, must access Prisma Cloud from the Identity Provider’s portal. For example, if you have integrated Prisma Cloud with Azure AAD, administrative users must log in to Azure AD and then click on the Prisma Cloud app icon to access Prisma Cloud.
    12. Using
      View last SSO login failures
      , you can see details of last five login issues or errors for SSO authentication for any users.
      • You can have only one SAML configuration for all your cloud accounts.
      • The selection of users who can log in using SSO and also through username and password is independent of the edits to the SSO configuration or enable/disable of SSO.
      • If a user is logged in already using the username/password flow, and the user tries to log in via SAML SSO, the token will get updated with the latest login in the browser’s local storage and replace the existing auth-token.

Recommended For You