- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
The content you are looking for has been archived. View related content below.
This document provides guidance on how to configure Single Sign On (SSO) between Prisma Cloud Enterprise and Microsoft Entra ID (formally known as Azure Active Directory, or Azure AD) to use Just-in-Time (JIT) provisioning to automatically create users in Prisma Cloud based on their AD Groups assignment.
In Prisma Cloud, go to Settings > Access Control > SSO.
In the section “Direct User Authentication” and select at least one user, who will be able to log in with local credentials in case there is an issue with SSO.
Please Note: If you do not complete this step and SSO does not work, you will need to raise a support case to get SSO disabled in order to log back into the tenant.
Figure 1: Direct User Authentication_palo-alto-networks
In Azure:
In Prisma Cloud:
5. Go to “Settings > Access Control > SSO” and select “SAML” protocol and click on “Enabled”:
Figure 2: Enable SAML protocol_palo-alto-networks
6. Paste the previous copied URL into the “Identity Provider Issuer” field.
7. Copy the “Audience URI (SP Entity ID)”.
In Azure:
8. In Step 1 (“Basic SAML Configuration”), click “edit” and paste that value in the “Identifier (Entity ID)” field.
9. The “Reply URL (Assertion Consumer Service URL)” field will depend on the location of your tenant, which is displayed in the login URL. You will need to replace “app” with “api” and append “/saml” at the end. For example, for the following login URL:
https://app2.eu.prismacloud.io
The value for this field will be:
https://api2.eu.prismacloud.io/saml
10. In Step 3 (“SAML Signing Certificate”), click “Add a certificate” and then “New Certificate”. Enter an expiration date
and notification email address and click “Save”.
11. Go back to step 3 and download the “Certificate (Base64)”.
In Prisma Cloud:
12. Paste the certificate value (including the “BEGIN” and “END” lines) in the “Certificate” section:
Figure 3: Certificate field_palo-alto-networks
13. Before clicking on “Save”, please validate the following prerequisites are in place:
Once the SSO integration is working, we can proceed to enable JIT. The idea is to automate the process of creating accounts for users. In other words, the user will not be required to be in the “Settings > Access Control > Users” list, instead, it will automatically be added to that list with a role automatically assigned.
The most important part of JIT settings are the values sent as a part of the SAML assertion. Prisma Cloud requires the following fields:
By default, the Microsoft Entra enterprise application previously created will already have three fields: email address, first name, and last name. On the other hand, we will create a new attribute for the “role” field. In that case, the value sent from Azure has to map to an existing role in Prisma Cloud. If any of the required attributes don’t exist, the JIT SSO login will fail.
In Azure:
Figure 4: Add a group claim_palo-alto-networks
and customize the name of the group claim:
Figure 5: Group claim configuration_palo-alto-networks
After that, the “Attributes & claims” view should look like this:
Figure 6: Attributes & Claims configuration_palo-alto-networks
In Prisma Cloud:
Figure 7: Prisma Cloud JIT configuration_palo-alto-networks
Figure 8: Prisma Cloud Roles_palo-alto-networks
And in that case, the Groups assigned to the Microsoft Entra enterprise application must have the same names:
Figure 9: Microsoft Entra enterprise application Users and Groups_palo-alto-networks
With this configuration, whenever a user is a member of one or multiple Microsoft Entra ID groups whose name is a Prisma Cloud role, the user will have that role(s) assigned.
Once the configuration is working, you will need to do the following in case you would like to have more roles assigned to users. Let's say you would like user "XX" to have the role "YY":
Enabling and controlling access to IT resources and applications is an important aspect of securing an organization. An identity provider such as Microsoft Entra ID is used by many organizations, and this article has given you the required information to connect Prisma Cloud with users and roles defined in Microsoft Entra ID by the following three steps:
This then allows users to be automatically created in Prisma Cloud when the user gets access to Prisma Cloud using Microsoft Entra SSO. The user’s role and permissions will be based on the Microsoft Entra Groups assignment. No manual creation of users will be required for your organization’s users to log into Prisma Cloud. As long as the Microsoft Entra ID provides the user with the permissions to access Prisma Cloud, the user will be able to log in with the appropriate credentials with access levels as configured in Microsoft Entra ID.
Set up Azure AD SSO on Prisma Cloud