Enabling SSO With Azure AD


By Srikanth Makineni, Customer Success Engineer

 

Overview

 

This document provides guidance on how to configure Single Sign-On (SSO) between Prisma Cloud Enterprise and Azure Active Directory (Azure AD), with Prisma Cloud roles derived from the Azure AD groups that are assigned to the enterprise application.

 

SSO allows the users of an organization to use one set of credentials to log into all of their applications. JIT (Just-in-Time) provisioning automatically creates users within Prisma Cloud from the values passed in the SAML assertion, so a user is added to Prisma Cloud the first time they log in via SSO, with no manual user creation beforehand.

 

Azure AD can include a user's group membership in the token it issues, so that the application can act on it. Groups can be identified in three ways:

 

  1. Groups identified by their Azure AD object identifier (OID) attribute
  2. Groups identified by the sAMAccountName or GroupSID attribute for Active Directory-synchronized groups and users
  3. Groups identified by their Display Name attribute for “cloud-only groups”

Steps to Set Up Azure AD SSO on Prisma Cloud

 

  1. Prisma Cloud Prerequisites (Enabling Direct User Authentication using Prisma Cloud)
  2. Integrate Prisma Cloud and Azure AD
  3. SAML Certificate Generation
  4. SAML Attribute Mapping using JIT 
  5. Configure and test Azure AD SSO for Prisma Cloud

 

1.  Prisma Cloud Prerequisites (Enabling Direct User Authentication using Prisma Cloud)

 

Within Prisma Cloud, go to “Settings > SSO” and scroll down. Toggle the “Allow select users to authenticate directly with Prisma Cloud” setting, and select at least two users who will be able to log in with their Prisma Cloud credentials, bypassing SSO, if SSO ever breaks. Treat these as break-glass accounts: they are the only way back into the tenant if the IdP configuration or the signing certificate fails.

 

Please note: if you skip this step and SSO stops working, now or at a later point, nobody will be able to log in, and you will need to raise a support ticket to have SSO disabled before any of your users can get back into the tenant.

 

Figure 1: Direct User Authentication_palo-alto-networks 

 

2.  Integrate Prisma Cloud and Azure AD

 

Log in to Azure, search or browse to “Azure Active Directory”, and select “Enterprise Applications”.

From here, there are two ways to set up SSO:

The most common is to use the pre-existing Prisma Cloud Enterprise application (this is created only if the tenant already has a subscription monitored by Prisma Cloud). The alternative is to create a new Enterprise Application used for SSO only.

 

After the application is created or selected, go to the “Single sign-on” page and select SAML. This is your main SSO settings screen for Azure AD.

  A. On the Single sign-on page, click “Edit” on Basic SAML Configuration.
  B. Scroll down to Step 4 of the Azure SSO portal, which lists the values Prisma Cloud needs in order to trust Azure AD. Copy the “Azure AD Identifier”:

 

             Login URL: https://login.microsoftonline.com/12345
             Azure AD Identifier: https://sts.windows.net/12345
             Logout URL: https://login.microsoftonline.com/12345

             (Step 4 in the Azure SSO portal; “12345” stands in for your tenant ID, which Azure fills in for you.)

 

    C.  Switch over to your Prisma Cloud SSO settings (Settings > SSO) and paste that value into the “Identity Provider Issuer” field. This is the Issuer value Prisma Cloud expects to see in every SAML assertion, so copy it exactly.

 

    D.  From Prisma Cloud, copy the “Audience URI (SP Entity ID)”, switch back to the Azure portal tab, and paste it under Basic SAML Configuration.

 


Figure 2: SSO Settings_palo-alto-networks 

 

   E.  In Basic SAML Configuration, click “Edit” and paste the “Audience URI (SP Entity ID)” copied from Prisma Cloud into “Identifier (Entity ID)”.

Note: Prisma Cloud only supports IdP-initiated SSO, not SP-initiated, so the “Sign on URL” field should remain empty. Users start the login from the Azure My Apps portal or application tile rather than from the Prisma Cloud login page.

 

   F.  The “Reply URL (Assertion Consumer Service URL)” is the API endpoint of the stack your Prisma Cloud tenant is on. The stack name is the first label of the URL you log in with (and of the Identifier above).

Reply URL: https://api.prismacloud.io/saml

SAML endpoints: depending on the location of your tenant, which is shown in the login URL, build the Reply URL from the Prisma Cloud console URL by replacing “app” with “api” and appending /saml. For example, https://app2.prismacloud.io/ becomes https://api2.prismacloud.io/saml. Check the value character by character: Azure AD only posts assertions to Reply URLs registered here, so a stack mismatch (api instead of api2) means the assertion never reaches your tenant.
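The Reply URL derivation above, as an added example that is not part of the original article or any vendor code: a small Python check that derives the Reply URL from the console URL of any stack and rejects hosts that are not a Prisma Cloud console. The console-host pattern (app, an optional stack number, optional region labels, then prismacloud.io) and the helper names are assumptions for illustration; confirm the result against the login URL of your own tenant.

```python
"""Derive and check the Prisma Cloud Reply URL (ACS URL) for Azure AD.

Added example, not part of the original article or any vendor code. It applies
the convention the article states: take the console URL, replace "app" with
"api" (app2 -> api2, app.eu -> api.eu) and append /saml. The console-host
pattern is an assumption for illustration; only *.prismacloud.io hosts are
accepted so a typo cannot silently produce a Reply URL on a foreign domain.
"""
import re
from urllib.parse import urlsplit

# Console host: "app", optional stack number, optional region labels, prismacloud.io.
_APP_HOST = re.compile(r"^app(?P<stack>\d*)(?P<region>(?:\.[a-z]+)*)\.prismacloud\.io$")


def reply_url_from_app_url(app_url: str) -> str:
    """Return https://api<stack><region>.prismacloud.io/saml for a console URL.

    Raises ValueError for non-HTTPS URLs or hosts that are not a Prisma Cloud
    console host, instead of guessing.
    """
    parts = urlsplit(app_url.strip())
    if parts.scheme != "https":
        raise ValueError(f"console URL must use https: {app_url!r}")
    host = (parts.hostname or "").lower()
    match = _APP_HOST.match(host)
    if match is None:
        raise ValueError(f"not a Prisma Cloud console host: {host!r}")
    api_host = f"api{match['stack']}{match['region']}.prismacloud.io"
    return f"https://{api_host}/saml"


def is_console_url(app_url: str) -> bool:
    """True when reply_url_from_app_url() accepts the URL."""
    try:
        reply_url_from_app_url(app_url)
    except ValueError:
        return False
    return True


def check_reply_url(app_url: str, configured_reply_url: str) -> bool:
    """True when the Reply URL configured in Azure matches the console's stack exactly."""
    return configured_reply_url.strip() == reply_url_from_app_url(app_url)


if __name__ == "__main__":
    for url in ("https://app.prismacloud.io/", "https://app2.prismacloud.io/login",
                "https://app.eu.prismacloud.io"):
        print(url, "->", reply_url_from_app_url(url))
```

Run it with the URL you actually log in with; if `check_reply_url()` returns False for the value pasted into Azure, the assertion will be posted to a different stack than the one hosting your tenant.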

 

3.  SAML Certificate Generation

 

To generate the SAML signing certificate in Azure Single sign-on, go to Step 3 of the Azure SSO portal (“SAML Certificates”), click “Add a certificate”, then select “New Certificate”.

  1. Enter an expiration date and a notification email address, and click “Save”. (SAML certificates must carry an expiration date. The more critical the application, the shorter the validity period should be, and the notification address should reach whoever owns the rotation, because SSO stops working as soon as Azure signs with a certificate Prisma Cloud does not have.)

  2. Go back to SAML Certificates in the Azure SSO portal and download the “Certificate (Base64)”. Back in the Prisma Cloud UI, paste the certificate value, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines:

 

-----BEGIN CERTIFICATE-----
MIIDsDCCApigAwIBAgIGAYJABV7oMA0GCSqGSIb3DQEBCwUAMIGYMQswCQYDVQQGEwJVUzETMBEGbqE5+tSxMzstAr/DczuOMo4mejInKdTbkIL29/
…….
z1JkBW3JpF9GP7Zgxzw29Y5Fq+rWY8PBhy+ilEkFiX4JsCxbEAksZHARlO/4HFqqxBDc0UrIyIDOFN7Hbbh3fS
-----END CERTIFICATE-----

Figure 3: Certificate Value_palo-alto-networks  

 

4.  SAML Attribute Mappings using JIT

 

The most important part of the JIT settings is the set of values passed in the SAML assertion, and the claim names under which Prisma Cloud expects to find them.

 

To verify (or modify) those values in Azure AD, open the SSO “Enterprise Application” you configured in the previous section, go to “Single sign-on”, and edit section 2, “User Attributes & Claims”.

 

JIT Settings within Prisma Cloud:

 

Figure 4: SAML-based Sign-on_palo-alto-networks 

 

By default, the application already carries almost all of the values Prisma Cloud needs. First Name, Last Name and Email are default attributes that Azure AD includes in the assertion, and they are mapped here. The claim names entered in the Prisma Cloud JIT settings must match the attribute names in the assertion exactly.

As long as the Azure AD environment is set up correctly, you can use the following settings in Prisma Cloud for those three values.

For the Role field within Prisma Cloud, whatever value is passed in the “Role” claim from Azure AD must match an existing role name in Prisma Cloud (Settings > Access Control), character for character. If any of the required auto-provisioning attributes is missing, or the role does not exist, the JIT SSO login fails.

 


Figure 5: Azure AD SSO_palo-alto-networks

 

Assignment options

 

Azure provides two options for mapping Azure AD group membership to a Prisma Cloud role:

                   1.  Based on AD group

                   2.  Based on cloud-only group display names

  1. Using AD groups: a claim condition per group emits a constant role value. Users are signed in to Prisma Cloud with their Azure AD accounts and, if a user does not yet exist in Prisma Cloud, the account is created with that role the first time they access Prisma Cloud.

  2. Using cloud-only display names: the groups assigned to the application are emitted in a group claim, identified by their Display Name attribute, and a group whose name equals a Prisma Cloud role grants that role.

 

1.  Group Assignment based on AD Group. 

 

When using Azure AD, you can assign users to groups that have access to different SSO applications and, depending on the group, to different roles within Prisma Cloud.

In this example, I have two Azure AD groups called “PCSSSOJITTest” and “JIT2”, the first mapped to the “System Admin” role and the second to a read-only role.

A user belongs to one group assignment, and is logged into Prisma Cloud with the JIT-provisioned account and the role that corresponds to that group.

 

  1. In “User Attributes & Claims” on the Azure Single sign-on screen, click “Edit”, then “Add new claim”. The “Name” of this claim is the “Role” attribute name Prisma Cloud reads from the SAML assertion; in this case, “SSO JIT”.

 

The SSO JIT settings on Prisma Cloud should be the same as before, but with the claim name created:

 

Figure 6: Just in Time (JIT) Provisioning under Prisma Cloud_palo-alto-networks 

 

     2.  Click the “Claim conditions” drop-down and select “Members” for the user type. Click “Select groups” under the Scoped Groups column and pick the group(s) that should receive the role for this condition line. (There can be multiple condition lines for different roles, such as SysAdmin and ReadOnly.) Make sure to hit “Select” at the bottom.

     3.  For each group condition, select the “Attribute” source and type the EXACT ROLE NAME as it appears in Prisma Cloud as the value. In this example, one group is for System Admins and one for Read-Only users (see Figure 6). Claim conditions are ordered, so if a user can be a member of more than one scoped group, test which value Azure actually emits for such a user before relying on the mapping.

Note: you are typing a “Constant value” here, and you have to press “Enter” to save the value:

 

Figure 7: User Type, Scoped Groups, Source, Value_palo-alto-networks 

 

The “Value” field corresponds to Prisma Cloud Roles.

 

Figure 8: Prisma Cloud Roles_palo-alto-networks  

 

Once the claim exists, the SSO JIT settings on Prisma Cloud stay the same as before, with the Role field set to that claim name:

 

Figure 8: Just in Time (JIT) Provisioning_palo-alto-networks  

 

2.  Cloud Only Display Names

 

In approach 1, we needed to create one attribute per role, defining in the corresponding claim the relationship between the Azure Group and the Prisma Cloud role:

  • Members of Azure Group “PCSSSOJITTest” would have “System Admin” role
  • Members of Azure Group “JIT2” would have “read-only” role

 

While this approach works, it may not scale for some customers, who would need to create a large number of claim conditions in Azure AD, one per role.

A different approach is to use cloud-only group display names. With this method, Azure emits the user's assigned groups as a single group claim, and the user is logged into Prisma Cloud with the role whose name matches one of those groups.

 

  1. Create the claim by selecting "Add a group claim"

 


 

Figure 9: Add a group claim_palo-alto-networks   

 

  2. Select “Groups assigned to the application”

 

  3. Select “Cloud-only group display names” as the “Source attribute”

 


Figure 10: Group Claims_palo-alto-networks  

 

  4. In “Advanced options”, select “Customize the name of the group claim” and enter the claim name, for example “group”. The SSO JIT settings on Prisma Cloud stay the same as before, with the Role field set to the claim name you just created.

 


Figure 11: Attributes & Claims_palo-alto-networks  

 

Azure and Prisma Cloud Group Name Mapping

Make sure the groups you assign in Azure AD exist in Prisma Cloud as roles with exactly the same name. This configuration relies on a role being named exactly like the group value arriving in the SAML response: a group that has no role of the same name is simply ignored, and a user with no matching group at all cannot log in via JIT. Following the naming convention above as an example, the roles could look like these:

 


Figure 12: Access Control_palo-alto-networks  

 

Azure Enterprise App Groups

      


Figure 13: Users and groups_palo-alto-networks  

 

  1. With this configuration, whenever a user is a member of one or more Azure AD groups whose name is a Prisma Cloud role, the user is assigned that role (or those roles).

For example, when a user from the group PrismaCloud_role_system_admin logs into Prisma Cloud, by default they see the System Admin role assigned under Active Role.

 


Figure 14: Urgent Risks and Incidents_palo-alto-networks  
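An added example covering both the JIT attribute mapping from section 4 (a constant-value role claim such as “SSO JIT”, approach 1) and the cloud-only group display name approach above (a multi-valued “group” claim, approach 2). This is not Prisma Cloud's or Azure's code: the Python below parses a constructed SAML assertion, checks that the three default Azure AD claims (emailaddress, givenname, surname) are present, and applies the exact-name role match the article describes, so a claim configuration can be dry-run before a user locks themselves out. The role set PRISMA_ROLES, the claim names “SSO JIT” and “group”, and the user alice@example.com are assumptions; signature, audience and validity-window checks are Prisma Cloud's job and are not modelled.

```python
"""Dry-run the attribute mapping Prisma Cloud JIT needs from an Azure AD SAML assertion.

Added example, not Prisma Cloud's or Azure's code. Parses an assertion the way a
service provider reads attributes, then applies the article's two rules: the
first/last/email claims must be present, and the role claim must carry a value
that exactly matches an existing Prisma Cloud role. Signature, audience and
time-window validation are done by Prisma Cloud and are not modelled here.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Default Azure AD claim names for the three user attributes.
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_FIRST = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
CLAIM_LAST = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

# Roles assumed to exist in the Prisma Cloud tenant (Settings > Access Control).
PRISMA_ROLES = {"System Admin", "PrismaCloud_role_system_admin", "PrismaCloud_role_read_only"}

# Constructed sample assertion (not captured from a real tenant). It carries both
# mapping styles from the article: a constant-value claim "SSO JIT" (approach 1)
# and a multi-valued group claim "group" (approach 2).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example" Version="2.0" IssueInstant="2023-09-19T09:46:00Z">
  <saml:Issuer>https://sts.windows.net/12345/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="SSO JIT">
      <saml:AttributeValue>System Admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="group">
      <saml:AttributeValue>PrismaCloud_role_system_admin</saml:AttributeValue>
      <saml:AttributeValue>Finance-Team</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_attributes(assertion_xml: str) -> dict:
    """Map each SAML attribute Name to the list of its values (group claims are multi-valued)."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            (value.text or "").strip() for value in attr.iterfind("saml:AttributeValue", NS)
        ]
    return attrs


def resolve_jit_user(attrs: dict, role_claim: str, prisma_roles: set) -> dict:
    """Return the user JIT would create, or raise ValueError where the login would fail."""
    missing = [c for c in (CLAIM_EMAIL, CLAIM_FIRST, CLAIM_LAST) if not attrs.get(c)]
    if missing:
        raise ValueError("assertion is missing required JIT attribute(s): " + ", ".join(missing))
    claimed = attrs.get(role_claim, [])
    # Exact, case-sensitive comparison: "system admin" does not match "System Admin".
    roles = [r for r in claimed if r in prisma_roles]
    if not roles:
        raise ValueError(f"no value of claim {role_claim!r} matches a Prisma Cloud role: {claimed}")
    return {
        "email": attrs[CLAIM_EMAIL][0],
        "first_name": attrs[CLAIM_FIRST][0],
        "last_name": attrs[CLAIM_LAST][0],
        "roles": roles,
        # Group names that are not Prisma Cloud roles are ignored rather than fatal.
        "ignored": [r for r in claimed if r not in prisma_roles],
    }


def jit_would_succeed(attrs: dict, role_claim: str, prisma_roles: set) -> bool:
    """Convenience wrapper: True when resolve_jit_user() would not raise."""
    try:
        resolve_jit_user(attrs, role_claim, prisma_roles)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_ASSERTION)
    print("approach 1 (constant role claim):", resolve_jit_user(attrs, "SSO JIT", PRISMA_ROLES))
    print("approach 2 (group claim):        ", resolve_jit_user(attrs, "group", PRISMA_ROLES))
```

To check a real configuration, paste the decoded SAMLResponse from a browser trace (the SAML Validation step below) in place of SAMPLE_ASSERTION and the exported role names from Access Control in place of PRISMA_ROLES; a ValueError from `resolve_jit_user()` tells you which claim is missing or misspelt before the user sees a failed login.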

 

SAML Validation

 


Figure 15: SAML Validation_palo-alto-networks  

 

Conclusion

 

Once you have integrated JIT with Azure AD, SSO signs your users in to Prisma Cloud automatically with their Azure AD accounts, with roles taken either from per-group claim conditions or from the groups assigned to the application using cloud-only display names.

The two or more direct-authentication (SSO bypass) users are the ones responsible for updating the SAML certificate in Prisma Cloud when the Azure certificate is about to expire, because once SSO logins fail they are the only accounts that can still reach the SSO settings page.

 


 

About the Author

 

Srikanth Makineni is a Customer Success consultant specializing in Cloud Security Posture Management, Azure, AWS, GCP, containers and Kubernetes. Srikanth uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage his multi-industry knowledge to inspire success.

Last Updated: 09-19-2023 09:46 AM