Enabling SSO JIT with Microsoft Entra ID (formerly known as Azure Active Directory)  

By Irene Garcia, Senior Customer Success Engineer, and Srikanth Makineni, Customer Success Engineer


Overview

 

This document provides guidance on how to configure Single Sign On (SSO) between Prisma Cloud Enterprise and Microsoft Entra ID (formerly known as Azure Active Directory, or Azure AD) and use Just-in-Time (JIT) provisioning to automatically create users in Prisma Cloud based on their Microsoft Entra ID group assignments.


Steps

 

  1. Prisma Cloud Prerequisites (Enabling Direct User Authentication)
  2. Set up Microsoft Entra ID SSO on Prisma Cloud
  3. Set up Just-in-Time Provisioning on Microsoft Entra ID

1. Prisma Cloud Prerequisites (Enabling Direct User Authentication)


In Prisma Cloud, go to Settings > Access Control > SSO. 

In the “Direct User Authentication” section, select at least one user who will be able to log in with local credentials in case there is an issue with SSO.


Please Note: If you do not complete this step and SSO does not work, you will need to raise a support case to get SSO disabled in order to log back into the tenant.


Figure 1: Direct User Authentication


2. Set up Microsoft Entra ID SSO on Prisma Cloud


In Azure:


  1. Log in to Azure, search/browse to “Microsoft Entra ID”, and click “Enterprise applications”.
  2. Click “+ New application”.
  3. Once the application is created, go to the “Single sign-on” page and select “SAML”.
  4. Scroll down to Step 4 and copy the “Microsoft Entra identifier”.

In Prisma Cloud:

 

     5. Go to “Settings > Access Control > SSO”, select the “SAML” protocol and click on “Enabled”:


Figure 2: Enable SAML protocol

 

     6. Paste the previously copied identifier into the “Identity Provider Issuer” field.

     7. Copy the “Audience URI (SP Entity ID)”.


In Azure:


8. In Step 1 (“Basic SAML Configuration”), click “edit” and paste that value in the “Identifier (Entity ID)” field. 

9. The “Reply URL (Assertion Consumer Service URL)” field depends on the location of your tenant, which is visible in the login URL. Replace “app” with “api” and append “/saml” at the end. For example, for the following login URL:


https://app2.eu.prismacloud.io


The value for this field will be:


https://api2.eu.prismacloud.io/saml

 

10. In Step 3 (“SAML Signing Certificate”), click “Add a certificate” and then “New Certificate”. Enter an expiration date and notification email address and click “Save”.

11. Go back to step 3 and download the “Certificate (Base64)”.


In Prisma Cloud:

 

     12. Paste the certificate value (including the “BEGIN” and “END” lines) in the “Certificate” section:


Figure 3: Certificate field

 

     13. Before clicking on “Save”, please validate the following prerequisites are in place:

 

  • In Prisma Cloud, you have at least one user under the “Direct User Authentication” section (just in case the SSO integration does not work)
  • The user used for the SSO test: 

 

    1. Exists in Prisma Cloud under “Settings > Access Control > Users”
    2. Has an assigned role in Prisma Cloud
    3. Is assigned to the Microsoft Entra enterprise application in the “Users and Groups” section (either directly or by being a member of an assigned group)

     14. Click “Save” and test the SSO integration.

 

3. Set up Just-in-Time Provisioning on Microsoft Entra ID


Once the SSO integration is working, we can proceed to enable JIT. The idea is to automate the process of creating accounts for users. In other words, the user will not be required to exist in the “Settings > Access Control > Users” list beforehand; instead, the user will be added to that list automatically, with a role assigned, on first login.


The most important part of the JIT settings is the set of values sent as part of the SAML assertion. Prisma Cloud requires the following fields:


  • Email Address
  • Role
  • First Name
  • Last Name

By default, the Microsoft Entra enterprise application created earlier already sends three of these fields: email address, first name, and last name. For the “role” field, we will create a new attribute (a group claim). The value sent from Azure in that attribute has to match an existing role in Prisma Cloud. If any of the required attributes is missing from the assertion, the JIT SSO login will fail.


In Azure:


  1. Go to the SSO Enterprise Application that you configured in the previous section. Click on “Single sign-on” and then on “Edit” in section 2, “User Attributes & Claims”.
  2. Click on “Add a group claim”:

Figure 4: Add a group claim

  

  3. Select “Groups assigned to the application”, choose “sAMAccountName” as the “Source attribute”, and customize the name of the group claim:

 

Figure 5: Group claim configuration


After that, the “Attributes & claims” view should look like this:


Figure 6: Attributes & Claims configuration


In Prisma Cloud:


  1. Go to “Settings > Access Control > SSO” and click on “Enabled” in the “Just in Time (JIT) Provisioning” section.
  2. Update the fields with the corresponding Microsoft Entra ID claim names. With the previous Microsoft Entra ID “Attributes & Claims” view, the Prisma Cloud configuration should look like this:

Figure 7: Prisma Cloud JIT configuration


  3. Click on “Save”.
  4. Go to “Settings > Access Control > Roles” and create as many roles as desired. The role names must exactly match the Microsoft Entra ID group names assigned to the Microsoft Entra enterprise application.
  5. Before testing the JIT integration, please validate the following prerequisites are in place:
  • The user used for the SSO JIT test: 

 

    1. Does not exist in Prisma Cloud under “Settings > Access Control > Users” (just to confirm that it is automatically added to the list after a successful JIT test).
    2. Is a member of at least one of the Microsoft Entra ID groups assigned to the Microsoft Entra enterprise application.

 

  • The same groups you have in Microsoft Entra ID also exist with the exact same name in Prisma Cloud as roles. This configuration relies on assigning a role called exactly the same way as the attribute coming in the SAML response. For example, the roles could have these names in Prisma Cloud:

Figure 8: Prisma Cloud Roles


And in that case, the Groups assigned to the Microsoft Entra enterprise application must have the same names:

Figure 9: Microsoft Entra enterprise application Users and Groups


With this configuration, whenever a user is a member of one or more Microsoft Entra ID groups whose names are Prisma Cloud roles, the user will have those roles assigned.


Once the configuration is working, you will need to do the following in case you would like to have more roles assigned to users. Let's say you would like user "XX" to have the role "YY":

 

  1. In Azure, validate the user "XX" is a member of the group "YY"
  2. In Azure, in the Prisma Cloud Enterprise Application, assign the group "YY" in the section "Users and groups"
  3. In Prisma Cloud, create a role with the name "YY"
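The role-matching logic described in this section, as an added example that is not part of the original article or of Prisma Cloud itself: it parses a constructed SAML assertion, checks that the four claims Prisma Cloud requires are present, and assigns roles only where a group value exactly equals a Prisma Cloud role name. The group claim name `PrismaCloudRole`, the role names and the user details are assumed sample values.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names Prisma Cloud reads. The first three are Entra's default claim
# names; "PrismaCloudRole" is an assumed custom group-claim name (Figure 5).
CLAIMS = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "role": "PrismaCloudRole",
}

# Constructed sample assertion (not a real capture): one user, two groups.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
   <saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
   <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
   <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="PrismaCloudRole">
   <saml:AttributeValue>PC-Admin</saml:AttributeValue>
   <saml:AttributeValue>Finance-Team</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def attributes(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return out


def jit_check(assertion_xml, prisma_roles):
    """Apply the article's JIT rules: every required claim must carry a value,
    and a role is assigned only when a group value equals a Prisma Cloud role
    name exactly (case-sensitive, no trimming). No matching role means the
    JIT login fails."""
    attrs = attributes(assertion_xml)
    missing = [k for k, name in CLAIMS.items() if not any(attrs.get(name, []))]
    if missing:
        return {"ok": False, "missing": missing, "roles": []}
    roles = [g for g in attrs[CLAIMS["role"]] if g in prisma_roles]
    return {"ok": bool(roles), "missing": [], "roles": roles}
```

Groups such as `Finance-Team` that have no identically named Prisma Cloud role are simply ignored, while a case mismatch like `pc-admin` results in no role and a failed JIT login.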

 

Conclusion

 

Enabling and controlling access to IT resources and applications is an important aspect of securing an organization. An identity provider such as Microsoft Entra ID is used by many organizations, and this article has given you the required information to connect Prisma Cloud with users and roles defined in Microsoft Entra ID by the following three steps:


  1. Enable Direct User Authentication in Prisma Cloud
  2. Setup Microsoft Entra SSO on Prisma Cloud
  3. Set up Just-in-Time Provisioning on Microsoft Entra ID using Microsoft Entra SSO group claims

This then allows users to be automatically created in Prisma Cloud when the user gets access to Prisma Cloud using Microsoft Entra SSO. The user’s role and permissions will be based on the Microsoft Entra Groups assignment. No manual creation of users will be required for your organization’s users to log into Prisma Cloud. As long as Microsoft Entra ID provides the user with the permissions to access Prisma Cloud, the user will be able to log in with the appropriate credentials with access levels as configured in Microsoft Entra ID.


Reference

  • Set up Azure AD SSO on Prisma Cloud
  • Microsoft Entra Group Claims

 

About the Authors

 
Irene Garcia is a Senior Customer Success Engineer and Srikanth Makineni is a Customer Success Engineer. Both specialize in Cloud Security Posture Management, Azure, AWS, GCP, containers, and Kubernetes. Together, they use collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage their multi-industry knowledge to inspire success.