article PANCast™ Episode 52: How to Set up SP-Initiated SSO in Prisma Cloud (SaaS) with OIDC using Okta (IdP) in PANCast™ Episodes

article PANCast™ Episode 52: How to Set up SP-Initiated SSO in Prisma Cloud (SaaS) with OIDC using Okta (IdP) in PANCast™ Episodes https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-52-how-to-set-up-sp-initiated-sso-in-prisma/ta-p/1220336 <DIV class="lia-message-template-content-zone"> <P><div class="video-embed-center video-embed"><iframe class="embedly-embed" src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2F__m4FfnLpvs%3Ffeature%3Doembed&display_name=YouTube&url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D__m4FfnLpvs&image=https%3A%2F%2Fi.ytimg.com%2Fvi%2F__m4FfnLpvs%2Fhqdefault.jpg&type=text%2Fhtml&schema=youtube" width="600" height="337" scrolling="no" title="PANCast™ Ep 52: How to Set up SP-Initiated SSO in Prisma Cloud (SaaS) with OIDC using Okta (IdP)" frameborder="0" allow="autoplay; fullscreen; encrypted-media; picture-in-picture;" allowfullscreen="true"></iframe></div></P> <P> </P> <P><STRONG><I><EM>Episode Transcript:</EM></I></STRONG></P> <P> </P> <P><STRONG><I>John A.:</I></STRONG><STRONG> </STRONG></P> <P><SPAN>Hello PANCasters, welcome back! Today we’re diving into another exciting topic about Prisma Cloud. We’ll be discussing how to set up SP-Initiated SSO in Prisma Cloud using OIDC with Okta as the Identity Provider. Joining us is our expert, Roshan. Welcome back, Roshan! Can you introduce yourself to our listeners?</SPAN></P> <P> </P> <P><STRONG><I>Roshan T.:</I></STRONG></P> <P><SPAN>Thank you, John! Hello, everyone. I’m Roshan, a Staff Technical Support Engineer for Prisma Cloud. I have several years of experience in<span class="lia-inline-image-display-wrapper lia-image-align-right" image-alt="Roshan Tulsani is a Staff Technical Support Engineer for Prisma Cloud and Compute, and has a vast experience in the Support Environment. He is passionate about sharing his knowledge and expertise with customers." style="width: 239px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66125i085DA6D49374D68F/image-dimensions/239x371?v=v2" width="239" height="371" role="button" title="Roshan-T_palo-alto-networks.png.jpg" alt="Roshan Tulsani is a Staff Technical Support Engineer for Prisma Cloud and Compute, and has a vast experience in the Support Environment. He is passionate about sharing his knowledge and expertise with customers." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Roshan Tulsani is a Staff Technical Support Engineer for Prisma Cloud and Compute, and has a vast experience in the Support Environment. He is passionate about sharing his knowledge and expertise with customers.</span></span> cybersecurity and cloud security solutions, and I’m thrilled to share insights on this topic with you today.</SPAN></P> <P> </P> <P><STRONG><I>John A.:</I></STRONG><STRONG> </STRONG></P> <P><SPAN>Thanks, Roshan. Let’s start with the basics. What exactly is SP-Initiated SSO with OIDC?</SPAN></P> <P> </P> <P><STRONG><I>Roshan T.:</I></STRONG></P> <P><SPAN>Great question, John. SP-Initiated SSO, or Service Provider-Initiated Single Sign-On, is like having a master key that grants access to various applications. Here, Prisma Cloud acts as the Service Provider (SP), and Okta serves as the Identity Provider (IdP).</SPAN></P> <P> </P> <P><SPAN>OIDC, or OpenID Connect, is the protocol used for authentication. It operates in the application layer of the OSI model and issues ID tokens and access tokens. These tokens carry user identity information and other attributes, enabling seamless and secure authentication.</SPAN></P> <P> </P> <P><STRONG><I>John A.:</I></STRONG><STRONG> </STRONG></P> <P><SPAN>That’s a helpful overview. Can you give us a fun analogy to understand this better?</SPAN></P> <P> </P> <P><STRONG><I>Roshan T.:</I></STRONG></P> <P><SPAN>Absolutely! Imagine John Wick, the legendary assassin, trying to access a high-security network of assassin hotels. Normally, he’d need a unique key and password for each hotel. But with SSO, he uses a master coin from the High Table—the Identity Provider.</SPAN></P> <P><SPAN>Each hotel (Service Provider) trusts the High Table’s authentication. So, instead of verifying John Wick directly, they rely on the High Table to confirm the validity of his coin, granting him seamless access. In our scenario, Prisma Cloud is the hotel, and Okta is the High Table.</SPAN></P> <P><STRONG> </STRONG></P> <P><STRONG><I>John A.:</I></STRONG><STRONG> </STRONG></P> <P><SPAN>Great analogy! Now, can you walk us through the OIDC authentication flow?</SPAN></P> <P> </P> <P><STRONG><I>Roshan T.:</I></STRONG></P> <P><SPAN>Certainly! Here’s how it works:</SPAN></P> <OL> <LI><STRONG>Verification Request:</STRONG><SPAN> When a user attempts to access Prisma Cloud (SP), it sends a request to Okta (IdP) containing details like:</SPAN><SPAN><BR /></SPAN></LI> <UL> <LI style="font-weight: 400;" aria-level="2"><STRONG>Client ID:</STRONG><SPAN> The unique identifier for Prisma Cloud.</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><STRONG>Redirect URI:</STRONG><SPAN> The URL where Okta should send its response.</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><STRONG>Scope:</STRONG><SPAN> The type of access requested, such as profile or email.</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><STRONG>State:</STRONG><SPAN> A token to prevent attacks.</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><STRONG>Response Type:</STRONG><SPAN> Typically a verification code.</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><STRONG>Nonce:</STRONG><SPAN> A unique string to link the session with the ID token, preventing replay attacks</SPAN></LI> </UL> <LI><STRONG>Authentication Process:</STRONG><SPAN> Here, the user is redirected to Okta, which validates their credentials and issues an ID token</SPAN></LI> <LI><STRONG style="font-family: inherit;">Access Granted:</STRONG><SPAN> Prisma Cloud receives the token, verifies it, and grants the user access.</SPAN></LI> </OL> <P> </P> <P><STRONG><I>John A.:</I></STRONG><STRONG> </STRONG></P> <P><SPAN>Thanks for breaking that down! So how do we configure Okta and Prisma Cloud at a high level?</SPAN></P> <P> </P> <P><STRONG><I>Roshan T.:</I></STRONG></P> <P><SPAN>Setting up Okta and Prisma Cloud for SP-Initiated SSO involves two main steps:</SPAN></P> <OL> <LI><STRONG style="font-family: inherit;">Configuring Okta:</STRONG></LI> </OL> <UL> <LI><SPAN>Create a new application in Okta for Prisma Cloud using OIDC</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Add Prisma Cloud’s Callback URL in the application’s Sign-in Redirect URIs and enable Federation Broker Mode that allows users access to the application without explicit preassignment</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Retrieve essential metadata, such as the Client ID, Client Secret, and endpoints, from Okta's well-known URL</SPAN></LI> </UL> <P>     2. <STRONG style="font-family: inherit;">Setting Up Prisma Cloud:</STRONG></P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Enable OIDC under SSO settings in Prisma Cloud and input the Client ID, Client Secret, and endpoints retrieved from Okta</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Enable Just-in-Time (JIT) provisioning to auto-create user accounts when they log in.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Create a user with attributes matching those in Okta or let JIT provisioning handle it automatically</SPAN></LI> </UL> <P><STRONG><I>John A.:</I></STRONG><STRONG> </STRONG></P> <P><SPAN>That sounds straightforward. However, as we know, real-world setups don’t always go smoothly. Are there any common mistakes or missteps people should watch out for when implementing this setup?</SPAN></P> <P> </P> <P><STRONG><I>Roshan T.:</I></STRONG></P> <P><SPAN>Absolutely, John. While the setup is relatively straightforward, there are some common misconfigurations to be mindful of. Thankfully, Prisma Cloud and Okta provide error messages that help pinpoint issues. For example, if the client secret copied from Okta to Prisma Cloud is incorrect, you might see an error like: </SPAN><I><SPAN>"The client secret supplied for a confidential client is invalid."</SPAN></I></P> <P><SPAN>Here are some of the common issues and how to address them:</SPAN></P> <OL> <LI style="font-weight: 400;" aria-level="1"><STRONG>Incorrect Client ID or Client Secret:</STRONG><STRONG><BR /></STRONG><SPAN>Double-check that the Client ID and Client Secret are correctly copied from Okta and input into Prisma Cloud.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>Missing or Incorrect Callback URL:</STRONG><STRONG><BR /></STRONG><SPAN>Ensure Prisma Cloud’s Callback URL is added under the Sign-in Redirect URIs in Okta.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>User Not Assigned to the Application in Okta: </STRONG><SPAN>Assign users to the application in Okta or enable Federation Broker Mode</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>User Not Present in Prisma Cloud: </STRONG><SPAN>Use Just-in-Time Provisioning or manually add users in Prisma Cloud</SPAN></LI> </OL> <P><SPAN>By keeping these points in mind, troubleshooting becomes much simpler, and you can resolve most issues quickly.</SPAN></P> <P> </P> <P><STRONG><I>John A.:</I></STRONG><STRONG> </STRONG></P> <P><SPAN>That’s incredibly useful, Roshan. Are there any additional resources or best practices you’d recommend?</SPAN></P> <P><STRONG><BR /></STRONG><STRONG><I>Roshan T.:</I></STRONG></P> <P><SPAN>Yes, always refer to the </SPAN><A href="https://docs.prismacloud.io/en/compute-edition/30/admin-guide/authentication/oidc" target="_self"><SPAN>Prisma Cloud</SPAN></A><SPAN> and Okta documentation for the most up-to-date information. Testing the integration in a staging environment before rolling it out to production is also a best practice</SPAN></P> <P> </P> <P><STRONG><I>John A.:</I></STRONG><STRONG> </STRONG></P> <P><SPAN>Roshan, before we wrap up, can you share the key takeaways from today's discussion for our listeners?</SPAN></P> <P> </P> <P><STRONG><I>Roshan T.:</I></STRONG></P> <P><SPAN>Here are the key takeaways:</SPAN></P> <OL> <LI><SPAN>Use Prisma Cloud with Okta via OIDC for secure authentication</SPAN></LI> <LI><SPAN>Double-check credentials, callback URLs, and user assignments</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Test the integration in staging environment while referring to documentation</SPAN></LI> </OL> <P><STRONG><I>John A.:</I></STRONG><STRONG> </STRONG></P> <P><SPAN>Fantastic insights, Roshan. Thank you for sharing this knowledge with our listeners today.</SPAN></P> <P> </P> <P><STRONG><I>Roshan T.:</I></STRONG></P> <P><SPAN>Thank you, John. It’s always a pleasure to be here. I look forward to joining another episode of PANCast soon.</SPAN></P> <P> </P> <P><STRONG><I>John A.:</I></STRONG><STRONG> </STRONG></P> <P><SPAN>PANCasters, if you have topics you’d like us to cover, please share your feedback through the Ideas Submission page on LIVEcommunity. Until next time, goodbye!</SPAN></P> <P> </P> <P><STRONG>Related Content:</STRONG></P> <UL> <LI><A title="How to Transfer Device or Spare Ownership" href="https://docs.prismacloud.io/en/enterprise-edition/content-collections/administration/setup-sso-integration-on-prisma-cloud/get-started-with-oidc-sso/get-started-with-oidc-sso" target="_blank" rel="nofollow noopener noreferrer">Get Started with OIDC SSO</A></LI> </UL> <P><LI-PRODUCT title="Prisma Cloud" id="Prisma_Cloud"></LI-PRODUCT> </P> </DIV> Wed, 19 Feb 2025 23:28:46 GMT RoshanT 2025-02-19T23:28:46Z PANCast™ Episode 52: How to Set up SP-Initiated SSO in Prisma Cloud (SaaS) with OIDC using Okta (IdP) https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-52-how-to-set-up-sp-initiated-sso-in-prisma/ta-p/1220336 <P>This episode talks about how to set up SP-Initiated SSO in Prisma Cloud using OIDC with Okta as the Identity Provider.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PANCast Ep 52_palo-alto-networks.jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/66127iA1EECD0B4A8E91B5/image-size/large?v=v2&px=999" role="button" title="PANCast Ep 52_palo-alto-networks.jpg" alt="PANCast Ep 52_palo-alto-networks.jpg" /></span></P> Wed, 19 Feb 2025 23:28:46 GMT https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-52-how-to-set-up-sp-initiated-sso-in-prisma/ta-p/1220336 RoshanT 2025-02-19T23:28:46Z