Set up Azure AD SSO on Prisma Cloud

To secure administrator access to Prisma Cloud, go to Microsoft AAD site to configure single sign-on and then configure Prisma Cloud for SSO.
On Prisma Cloud, you can enable single sign-on (SSO) using Microsoft Azure Active Directory (AAD). To enable SSO, you must first complete the setup on the Microsoft AAD. You can then log in with System Administrator privilege on Prisma Cloud to configure SSO and redirect login requests to the IdP login page so that your Prisma Cloud administrative users can log in using SSO.
After you enable SSO, you must access Prisma Cloud from the Microsoft AAD portal. Prisma Cloud supports IdP initiated SSO, and its SAML endpoint supports the POST method only.
  1. Set up Microsoft AAD for SSO by creating an external application for Prisma Cloud and configuring SSO for it.
    1. Before you begin to set up Microsoft AAD configuration, log in to your Prisma Cloud instance and copy the Audience URI (SP Entity ID) from Prisma Cloud. For example: https://app.prismacloud.io/settings/sso.
    2. Log in to Microsoft Azure portal as an Administrator.
      You should have suitable administrative privileges to create an external application.
    3. Select
      All Services
      and click
      Azure Active Directory
      .
    4. Select
      Enterprise Applications
      and click
      +New Application
      .
    5. Choose
      Non-gallery Application
      .
    6. Give a name for your application and click
      Add
      .
    7. Select
      Single Sign-on
      under
      Manage
      .
    8. For
      Single Sign-on Mode
      , select
      SAML-based Sign-on
      .
    9. Give
      Identity (Entity URL)
      as
      https://app.prismacloud.io
      and
      Reply URL
      as
      https://api.prismacloud.io/saml
      .
    10. Select the
      User Identifier
      as
      user.mail
      .
    11. Click and download the certificate
      Certificate (Base64)
      .
    12. Click
      Save
      .
  2. Assign the users from Azure Active Directory to your newly created application.
    1. Login to Microsoft Azure portal as an Administrator.
    2. From
      Manage
      , select
      User and groups
      .
    3. Click
      +Add User
      and select and add your users.
    4. Click
      Assign
      .
  3. Add administrative users to Prisma Cloud.
  4. Configure SSO on Prisma Cloud.
    1. Log in Prisma Cloud and select
      Settings
      SSO
      .
    2. Enable SSO
      .
    3. Audience URI (SP Entity ID)
      is a read-only field in the format: https://app.prismacloud.io?customer=<string> to uniquely identify your tenant. Use this value in Configure SAML section in your IdP settings.
    4. In
      Identity Provider Issuer
      , enter the URL of Azure AAD in the authentication flow.
      In the setup instructions, you have Identity Provider Issuer and Prisma Cloud Access SAML URL.
    5. Identity Provider Logout URL
      You will be re directed to this URL when Prisma Cloud times out .
    6. Enter your IdP
      Certificate
      in the standard X.509 format.
    7. Prisma Cloud Access SAML URL
      is URL specific to the Prisma Cloud application which is configured in your IdP settings.
      When you click this URL, after authentication with your IdP, you are redirected to Prisma Cloud. This link along with the Relay State Parameter is used for all the redirection links embedded in notifications like email, slack, SQS, and compliance reports.
    8. Relay State Param name
      is SAML specific Relay State parameter name. If you provide this parameter along with the Prisma Cloud Access SAML URL, all notification links in Splunk, Slack, SQS, email, and reports will have seamless access to the Prisma Cloud application. The relay state parameter or value is specific to your Identity Provider. For example, this value is
      RelayState
      for AAD.
      When using RelayState functionality, make sure your Prisma Cloud Access SAML URL corresponds to Identity Provider Single Sign-On URL ending in ‘/sso/saml’.
    9. Select
      Allow select users to authenticate directly with Prisma Cloud
      to configure some users to access Prisma Cloud directly using their email address and password registered with Prisma Cloud, in addition to logging in via the SSO provider.
      When you enable SSO, make sure to select a few users who can also access Prisma Cloud directly using the email and password that is registered locally on Prisma Cloud to ensure that you are not locked out of the console in the event you have misconfigured SSO and need to modify the IdP settings. For accessing data through APIs, you need to authenticate directly to Prisma Cloud.
    10. Select the
      Users
      who can access Prisma Cloud either using local authentication credentials on Prisma Cloud or using SSO.
    11. Verify access using SSO.
      Administrative users for whom you have enabled SSO, must access Prisma Cloud from the Identity Provider’s portal. For example, if you have integrated Prisma Cloud with Azure AAD, administrative users must log in to Azure AD and then click on the Prisma Cloud app icon to access Prisma Cloud.
    12. Using
      View last SSO login failures
      , you can see details of last five login issues or errors for SSO authentication for any users.
    • You can have only one SAML configuration for all your cloud accounts.
    • The selection of users who can log in using SSO and also through username and password is independent of the edits to the SSO configuration or enable/disable of SSO.
    • If a user is logged in already using the username/password flow, and the user tries to log in via SAML SSO, the token will get updated with the latest login in the browser's local storage and replace the existing auth-token.

Recommended For You