Set up Okta SSO on Prisma Cloud

Set up Okta for SSO.
Before you begin to set up Okta configuration, login to your Prisma Cloud instance and copy the Audience URI (SP Entity ID) from Prisma Cloud. See For example: https://app.prismacloud.io/settings/sso.
Login to Okta as an Administrator and click
Admin
.

Click
Add Applications
.

+Add Apps
to create a new app.

On
Create a New Application Integration
, select
Web
for
Platform
and
SAML 2.0
for
Sign on method
.

Click
Create
.
On
General Settings
, use these values and click
Next
.
App Name
- Prisma Cloud SSO app
App Logo
- Use the Prisma Cloud logo
App Visibility
- Do not check these options

To
Configure SAML
, specify the
Sign On URL
.
The format for Sign On URL uses the URL for Prisma Cloud, but you must replace app with api and add saml at the end. For example, if you access Prisma Cloud at https://app2.prismacloud.io, your Sign On URL should be
https://api2.prismacloud.io/saml
and if it is https://app.eu.prismacloud.io, it should be
https://api.eu.prismacloud.io/saml
.
For
Audience URI
- Use the value displayed on Prisma Cloud
Settings
Access Control
SSO
that you copied in the first step.
Select
Name ID format
as
Persistent
and
Application username
as
Okta username
.
The value for the Name ID format must be set to persistent so that your IdP sends the same unique value for the NameID element in all SAML requests from a particular user. If you set it to anything else, the user will have a different saml:sub value for each session, and is not secure.

Set
Update application username
to
Create and update
.
For
Advanced Section
, select
Response
as
Unsigned
,
Assertion Signature
as
Signed
,
Assertion Encryption
as
UnEncrypted
.
These options ensure that the SAML authentication message are digitally signed by the IDP, and it restricts login to the SAML app only from browsers that have the signed certificate.
(Required only for JIT provisioning of a local user account automatically on Prisma Cloud)
Specify the attributes to send with the SAML assertion.
For more details, see Set up Just-in-Time Provisioning on Okta. If you want to assign groups, you should define a filter Matches regex with Value = (.*) to match against all groups.

Finish creating the app.
You have now successfully created an application for the SAML integration. This application will have the details of the
IdP URL
and
Certificate
which you’ll need to add on Prisma Cloud to complete the SSO integration.
Assign users or groups of users who can use the Prisma Cloud SSO app to log in to Prisma Cloud.
Select Assignments on the app and
Assign
Assign to People
, to add individual users.

You can also
Assign to Groups
, to specify the groups to which your users are assigned. Groups are evaluated top down, which means users will be assigned to the first group in the order.

(Required only for JIT provisioning of a local user account automatically on Prisma Cloud)
Assign the role you created on Prisma Cloud to the user profile.
Configure SSO on Prisma Cloud.
Log in to Prisma Cloud and select
Settings
Access Control
SSO
.
Enable SSO
.
Enter the value for your
Identity Provider Issuer
.
This is the URL of a trusted provider such as Google, Salesforce, Okta, or Ping who act as your IdP in the authentication flow. On Okta, for example, you can find the Identity Provider issuer URL at
Applications
Sign On
View Setup Instructions
.

In the setup instructions, you have Identity Provider Issuer and Prisma Cloud Access SAML URL.

Enter the
Identity Provider Logout URL
to which a user is redirected to, when Prisma Cloud times out or when the user logs out.
Enter your IdP
Certificate
in the standard X.509 format.
You must copy and paste this from your IdP.

Enter the
Prisma Cloud Access SAML URL
configured in your IdP settings.
For example, on Okta this is the Identity Provider Single Sign-On URL. When you click this URL, after authentication with your IdP, you are redirected to Prisma Cloud. This link along with the Relay State Parameter is used for all the redirection links embedded in notifications like email, slack, SQS, and compliance reports.
Relay State Param name
is SAML specific Relay State parameter name. If you provide this parameter along with Prisma Cloud Access SAML URL, all notification links in Splunk, Slack, SQS, email, and reports can link directly to the Prisma Cloud application. The relay state parameter or value is specific to your Identity Provider. For example, this value is
RelayState
for Okta.
When using RelayState functionality, make sure your Prisma Cloud Access SAML URL corresponds to Identity Provider Single Sign-On URL ending in ‘/sso/saml’.
(Optional)
Clear the
Enforce DNS Resolution for Prisma Cloud Access SAML URL
.
By default, Prisma Cloud performs a DNS look up to resolve the Prisma Cloud SAML Access URL you entered earlier. If your IdP is on your internal network, and you do not need to perform a DNS look up, you can clear this option to bypass the DNS lookup.
(Optional)
Enable Just-in-Time Provisioning for SSO users.
Enable JIT Provisioning
, if you want to create a local account for users who are authenticated by the IdP. With JIT, the user is provisioned with the first five roles mapped to the user’s profile on the IdP.
Provide the user attributes in the SAML assertion or claim that Prisma Cloud can use to create the local user account.
You must provide the email, role, first name, and last name for each user. Timezone is optional.

The role that you specify for the user’s profile on the IdP must match what you created on Prisma Cloud in Step 1.
Select
Allow select users to authenticate directly with Prisma Cloud
to configure some users to access Prisma Cloud directly using their email address and password registered with Prisma Cloud, in addition to logging in via the SSO provider.
When you enable SSO, make sure to select a few users who can also access Prisma Cloud directly using the email and password that is registered locally on Prisma Cloud to ensure that you are not locked out of the console in the event you have misconfigured SSO and need to modify the IdP settings. For accessing data through APIs, you need to authenticate directly to Prisma Cloud.
Select the
Users
who can access Prisma Cloud either using local authentication credentials on Prisma Cloud or using SSO.
The users listed in the allow list can log in using SSO and also using a local account username and password that you have created on Prisma Cloud.

Save
your changes.
Verify access using SSO.
Administrative users for whom you have enabled SSO, must access Prisma Cloud from the Identity Provider’s portal. For example, if you have integrated Prisma Cloud with Okta, administrative users must login to Okta and then click on the Prisma Cloud app icon to be logged in to Prisma Cloud.
Using
View last SSO login failures
, you can see details of last five login issues or errors for SSO authentication for any users.

If the user is logged in already using a username/password and then logs in using SSO, the authentication token in the browser’s local storage is replaced with the latest token.