Enabling SSO With Azure AD


By Srikanth Makineni, Customer Success Engineer




This document provides guidance on configuring Single Sign-On (SSO) between Prisma Cloud Enterprise and Azure Active Directory (Azure AD), using the Azure AD groups assigned to the enterprise application to decide which Prisma Cloud role each user receives.


SSO allows the users of an organization to log into all of their applications with one set of credentials. JIT (Just-in-Time) provisioning creates the user in Prisma Cloud automatically, the first time they log in via SSO, from the attribute values passed in the SAML assertion.


Azure AD can include a user's group membership in the SAML token for use within the application. The group claim can identify groups in three ways:

  1. By their Azure AD object ID (OID)
  2. By sAMAccountName or on-premises group SID, for groups (and users) synchronized from on-premises Active Directory
  3. By display name, for cloud-only groups

The second assignment approach described later in this document uses the third option.

Steps to Set Up Azure AD SSO on Prisma Cloud


  1. Prisma Cloud Prerequisites (Enabling Direct User Authentication using Prisma Cloud)
  2. Integrate Prisma Cloud and Azure AD
  3. SAML Certificate Generation
  4. SAML Attribute Mapping using JIT 
  5. Configure and test Azure AD SSO for Prisma Cloud


1.  Prisma Cloud Prerequisites (Enabling Direct User Authentication using Prisma Cloud)


Within Prisma Cloud, go to “Settings > SSO” and scroll down. Turn on the “Allow select users to authenticate directly with Prisma Cloud” setting, and select at least two users who will still be able to log in without SSO if SSO breaks. Treat these as break-glass accounts.


Please note: if you skip this step and SSO stops working, now or later, no user can log into the tenant, and you will need to raise a support ticket to have SSO disabled before anyone can log back in.


Figure 1: Direct User Authentication


2.  Integrate Prisma Cloud and Azure AD


Log in to Azure and search/browse to “Azure Active Directory”, and select “Enterprise Applications”. 

From here, there are two ways to create SSO: 


The most common option is to use the pre-existing “Prisma Cloud Enterprise” application, which exists only if an Azure subscription in this tenant is already onboarded to Prisma Cloud. The other option is to create a new enterprise application used for SSO only.


After the Application is created or selected, go to the “Single Sign-on” page and select SAML. This is your main SSO settings screen for Azure AD. 


    A.  Under Single Sign-on, click “Edit” on Basic SAML Configuration.
    B.  Scroll down to Step 4 of the Azure SSO page, which holds the values that link the app with Azure AD, and copy the “Azure AD Identifier”. The three URLs shown there have the form below, where 12345 stands in for your tenant ID:


             Login URL: https://login.microsoftonline.com/12345

             Azure AD Identifier: https://sts.windows.net/12345

             Logout URL: https://login.microsoftonline.com/12345

             Step 4 in Azure SSO Portal


    C.  Switch over to your Prisma Cloud SSO settings, and paste that value in the “Identity Provider Issuer” field


    D.  From Prisma Cloud, copy the “Audience URI (SP Entity ID)” and switch back to the Azure portal tab; this value goes into the Basic SAML Configuration.



Figure 2: SSO Settings


   E.  In Basic SAML Configuration, click “Edit” and paste the “Audience URI (SP Entity ID)” copied from Prisma Cloud into “Identifier (Entity ID)”.

Note: Prisma Cloud supports only IdP-initiated SSO, not SP-initiated, so the “Sign on URL” field must remain empty. Because an IdP-initiated response answers no AuthnRequest, Prisma Cloud accepts unsolicited assertions; the signing certificate from step 3 and the exact Reply URL below are what bind an assertion to this integration, so control both carefully.


   F.  The “Reply URL (Assertion Consumer Service URL)” is the API endpoint of the stack your Prisma Cloud tenant runs on. The stack is visible at the start of your Prisma Cloud console URL and of the Audience URI.

Reply URL: https://api.prismacloud.io/saml

SAML endpoints: take the console URL of your tenant (the one shown in the login URL), replace “app” with “api”, append /saml, and paste the result into the Reply URL (Assertion Consumer Service URL) field. For example, https://app2.prismacloud.io/ becomes https://api2.prismacloud.io/saml.


3.  SAML Certificate Generation


To generate the SAML signing certificate, go to Step 3 of the Azure SSO page (“SAML Certificates”), click “Add a certificate”, then select “New Certificate”.


  1. Enter an expiration date and a notification email address, and click “Save”. SAML signing certificates must carry an expiration date; the more critical the application, the shorter the lifetime should be. Send the expiry notification to a monitored mailbox: once this certificate expires every SSO login fails, and only the direct-authentication users from step 1 can get in to replace it.

  2. Go back to SAML Certificates in the Azure SSO page and download the “Certificate (Base64)”. Back in the Prisma Cloud UI, paste the certificate value, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.



Figure 3: Certificate Value
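The values that steps 2 and 3 have you copy by hand out of the Azure portal (issuer, sign-on URL, signing certificate) are also published in the tenant's SAML federation metadata, so they can be pulled and sanity-checked programmatically. The script below is an added example, not code from this article, Palo Alto Networks or Microsoft. It parses a constructed metadata document of the shape Azure AD serves, extracts the entityID for the “Identity Provider Issuer” field, the HTTP-POST sign-on endpoint and the Base64 signing certificate re-wrapped as the PEM block the Prisma Cloud certificate field expects, and derives the Reply URL from a console URL by the app-to-api substitution described in step 2. The tenant ID and certificate bytes are fake placeholders; in practice you would fetch the metadata over TLS from login.microsoftonline.com and feed it to parse_idp_metadata.

```python
"""Pull the Azure AD values Prisma Cloud's SSO form needs out of the tenant's
federation metadata, and derive the Reply URL (ACS) from the console URL.

Added example, not code from the article, Palo Alto Networks or Microsoft.
SAMPLE_METADATA is CONSTRUCTED to mirror the shape of Azure AD's
federationmetadata.xml; the tenant ID and certificate bytes are fake.
"""
import base64
import re
import textwrap
import xml.etree.ElementTree as ET  # swap in defusedxml for untrusted XML
from urllib.parse import urlparse

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
         "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

TENANT = "00000000-0000-0000-0000-000000000000"       # placeholder tenant ID
# Fake DER body: every X.509 certificate starts with 0x30 (ASN.1 SEQUENCE).
FAKE_B64 = base64.b64encode(b"\x30\x82\x00\x10" + bytes(16)).decode()

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def to_pem(b64_body: str) -> str:
    """Re-wrap a bare Base64 certificate into the PEM block Prisma Cloud
    expects, after checking that it really decodes to DER."""
    body = "".join(b64_body.split())
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("certificate body does not decode to an ASN.1 SEQUENCE")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----")


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the issuer (Prisma 'Identity Provider Issuer'), the HTTP-POST
    sign-on URL and the signing certificate(s) as PEM."""
    root = ET.fromstring(xml_text)
    issuer = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", MD_NS)
    if not issuer or idp is None:
        raise ValueError("not an IdP EntityDescriptor")
    certs = [to_pem(x.text)
             for kd in idp.findall("md:KeyDescriptor", MD_NS)
             if kd.get("use", "signing") == "signing"      # no 'use' means both
             for x in kd.findall(".//ds:X509Certificate", MD_NS)]
    post = [s.get("Location") for s in idp.findall("md:SingleSignOnService", MD_NS)
            if s.get("Binding") == HTTP_POST]
    if not certs or not post:
        raise ValueError("metadata lacks a signing certificate or HTTP-POST SSO endpoint")
    return {"issuer": issuer, "sso_url": post[0], "signing_certs": certs}


def reply_url_for(console_url: str) -> str:
    """app<N>[.region].prismacloud.io -> https://api<N>[.region].prismacloud.io/saml"""
    host = (urlparse(console_url).hostname or "").lower()
    m = re.fullmatch(r"app(\d*)((?:\.[a-z]{2,4})*)\.prismacloud\.io", host)
    if not m:
        raise ValueError(f"not a Prisma Cloud console host: {host!r}")
    return f"https://api{m.group(1)}{m.group(2)}.prismacloud.io/saml"


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("Identity Provider Issuer:", info["issuer"])
    print("Reply URL (ACS):         ", reply_url_for("https://app2.prismacloud.io/"))
    print(info["signing_certs"][0])
```

The regex in reply_url_for deliberately refuses anything that is not an app host under prismacloud.io, so a mistyped or attacker-supplied URL cannot yield an ACS that points somewhere else; to_pem refuses a certificate body that is not DER, which catches the common mistake of pasting the wrong download (the raw XML metadata or the federation certificate in another encoding).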


4.  SAML Attribute Mappings using JIT


The most important part of the JIT settings is the set of attribute values passed in the SAML assertion.


To verify or modify those values in Azure AD, open the SSO enterprise application you configured in the previous section, go to “Single sign-on”, and open section 2, “User Attributes & Claims”.


JIT Settings within Prisma Cloud:


Figure 4: SAML-based Sign-on


By default the application already emits almost everything Prisma Cloud needs: First Name, Last Name and Email are default attributes Azure AD includes in the assertion, and they are mapped here. The attribute names entered in Prisma Cloud must match the claim names exactly.


As long as the Azure AD environment is set up correctly, the following settings work in Prisma Cloud for those three values.


For the Role field in Prisma Cloud, the value passed in the Role claim from Azure AD must exactly match the name of an existing Prisma Cloud role. If any required auto-provisioning attribute is missing, or the role does not exist, the JIT SSO login fails.



Figure 5: Azure AD SSO


Assignment options


Azure AD provides two options for mapping Azure AD groups to a Prisma Cloud role:


                   1.  Based on AD group

                   2.  Based on cloud-only group display names


  1. Based on AD group: a claim condition per group emits a constant role value. Users sign in to Prisma Cloud with their Azure AD accounts; a user who does not yet exist in Prisma Cloud is created by JIT on first login.


  2. Based on cloud-only display names: a single group claim lists the display names of the groups assigned to the application, and each display name that matches a Prisma Cloud role name is assigned to the user.


1.  Group Assignment based on AD Group. 


When using Azure AD, there is the ability to assign users to groups that have access to different SSO applications. Additionally, depending on the group, there are different Roles available within Prisma Cloud. 


In this example there are two Azure AD groups, “PCSSSOJITTest” and “JIT2”; the first maps to the “System Admin” role and the second to a read-only role.


A user belongs to one of these groups and is logged into Prisma Cloud with the corresponding JIT-provisioned account and role.


  1. In “User Attributes & Claims” on the Azure Single sign-on screen, click “Edit”, then “Add new claim”. The “Name” of this claim is the Role attribute name that Prisma Cloud reads from the SAML assertion; in this example it is “SSO JIT”.


The SSO JIT settings on Prisma Cloud should be the same as before, but with the claim name created:


Figure 6: Just in Time (JIT) Provisioning under Prisma Cloud


     2.  Open the “Claim conditions” drop-down and select “Members” as the user type. Click “Select groups” under the Scoped Groups column and choose the group(s) that should receive the role for this condition line. There can be multiple condition lines for different roles (System Admin, Read Only, and so on). Click “Select” at the bottom.

     3.  For each group assignment, select the “Attribute” source and type the EXACT role name as it appears in Prisma Cloud. In this example, one group is for System Admins and one for Read-Only users (see Figure 6).

Note: You are entering a constant value here, and you must press “Enter” for the value to be saved:


Figure 7: User Type, Scoped Groups, Source, Value


The “Value” field corresponds to Prisma Cloud Roles.


Figure 8: Prisma Cloud Roles




Figure 8: Just in Time (JIT) Provisioning


2.  Cloud Only Display Names


In approach 1, we needed to create one attribute per role, defining in the corresponding claim the relationship between the Azure Group and the Prisma Cloud role:

  • Members of Azure Group “PCSSSOJITTest” would have “System Admin” role
  • Members of Azure Group “JIT2” would have “read-only” role


While this approach works, it may not scale: every additional role requires another claim condition in Azure AD, and some customers would end up maintaining a large number of them.


A different approach uses cloud-only group display names. With this method, the group claim carries the display names of the user's assigned groups, and the user is logged into Prisma Cloud with the role(s) whose names match.


  1. Create the claim by selecting “Add a group claim”.




Figure 9: Add a group claim


  2. Select “Groups assigned to the application”.


  3. Select “Cloud-only group display names” as the “Source attribute”.



Figure 10: Group Claims


  4. In “Advanced options”, select “Customize the name of the group claim” and enter the claim name, for example “group”. The JIT settings in Prisma Cloud stay as before, with the Role attribute set to the claim name you just created.



Figure 11: Attributes & Claims


Azure and Prisma Cloud Group Name Mapping

The groups you assign in Azure AD must also exist in Prisma Cloud as roles with exactly the same name: the configuration works by assigning the role whose name equals the value arriving in the SAML response, and the comparison is an exact string match, so letter case and spacing matter. Following the naming convention above, the roles could look like these:



Figure 12: Access Control


Azure Enterprise App Groups



Figure 13: Users and groups


With this configuration, whenever a user is a member of one or more Azure AD groups whose display name is also a Prisma Cloud role name, the user is assigned those role(s).


Example: when a user who is a member of the Azure AD group PrismaCloud_role_system_admin logs into Prisma Cloud, the Prisma Cloud role of the same name (a System Admin role) is shown by default under Active Role.



Figure 14: Urgent Risks and Incidents
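Both assignment approaches above succeed or fail on the same rule stated in section 4: the assertion must carry the email, first-name and last-name attributes, and the role claim must contain at least one value that exactly names an existing Prisma Cloud role. The script below is an added example, not code from this article, Palo Alto Networks or Microsoft, that checks a SAML AttributeStatement against that rule before you attempt a live login, for the constant-value claim of approach 1 and for the multi-valued group claim of approach 2 alike. The assertions are constructed; the identity claim names are Azure AD's default claim URIs, “SSO JIT” and “group” are the claim names used in this article, and PRISMA_ROLES stands in for the roles defined under Access Control. That group names matching no role are silently ignored, rather than failing the login, is an assumption drawn from the description above.

```python
"""Pre-flight check of a SAML assertion's AttributeStatement against the
Prisma Cloud JIT rule: email, first name and last name present, and a role
claim carrying at least one value that exactly names an existing role.

Added example, not code from the article, Palo Alto Networks or Microsoft.
Assertions below are CONSTRUCTED; claim names are Azure AD's default claim
URIs plus the 'SSO JIT' and 'group' claim names used in the article; the
role set stands in for the roles defined under Access Control.
"""
import xml.etree.ElementTree as ET  # swap in defusedxml for untrusted XML
from xml.sax.saxutils import escape

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Attribute names as typed into Prisma Cloud's JIT settings, per approach.
JIT_AD_GROUP = {                      # approach 1: one constant-value claim per group
    "email": CLAIMS + "emailaddress",
    "first_name": CLAIMS + "givenname",
    "last_name": CLAIMS + "surname",
    "role": "SSO JIT",
}
JIT_DISPLAY_NAMES = dict(JIT_AD_GROUP, role="group")   # approach 2: group claim

# Stand-in for the roles that exist in the tenant (exact names matter).
PRISMA_ROLES = {"System Admin", "Account Group Read Only",
                "PrismaCloud_role_system_admin", "PrismaCloud_role_read_only"}


def build_assertion(role_claim: str, role_values, omit=()) -> str:
    """Constructed assertion fragment; only the AttributeStatement is modelled."""
    attrs = {
        CLAIMS + "givenname": ["Ada"],
        CLAIMS + "surname": ["Lovelace"],
        CLAIMS + "emailaddress": ["ada@example.com"],
        role_claim: list(role_values),
    }
    body = ""
    for name, values in attrs.items():
        if name in omit:
            continue
        vals = "".join(f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue>"
                       for v in values)
        body += f'<saml:Attribute Name="{escape(name)}">{vals}</saml:Attribute>'
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_1" Version="2.0">'
            f"<saml:AttributeStatement>{body}</saml:AttributeStatement>"
            "</saml:Assertion>")


def attributes(assertion_xml: str) -> dict:
    """Map each Attribute Name to the list of its AttributeValue texts."""
    root = ET.fromstring(assertion_xml)
    out: dict = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        out.setdefault(attr.get("Name"), []).extend(
            (v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return out


def check_jit(attrs: dict, mapping: dict, known_roles: set) -> dict:
    """Return ok/roles/ignored/problems. Role matching is an exact string
    comparison; values naming no existing role are ignored (assumption drawn
    from the article), and the login fails only if none match."""
    problems = []
    for field in ("email", "first_name", "last_name"):
        if not any(attrs.get(mapping[field], [])):
            problems.append(f"missing {field} claim {mapping[field]!r}")
    values = attrs.get(mapping["role"], [])
    roles = [v for v in values if v in known_roles]
    if not roles:
        problems.append(f"no value of {mapping['role']!r} names an existing role: {values}")
    return {"ok": not problems, "roles": roles,
            "ignored": [v for v in values if v not in known_roles],
            "problems": problems}


if __name__ == "__main__":
    ok = build_assertion("group", ["PrismaCloud_role_system_admin", "Finance-Reviewers"])
    print(check_jit(attributes(ok), JIT_DISPLAY_NAMES, PRISMA_ROLES))
    bad = build_assertion("SSO JIT", ["Sys Admin"])       # typo in the constant value
    print(check_jit(attributes(bad), JIT_AD_GROUP, PRISMA_ROLES))
```

The second call in the usage shows the failure mode section 4 warns about: a constant value of “Sys Admin” typed into the Azure claim condition never matches the “System Admin” role, and the checker reports it the same way a real JIT login would fail. To run it against a real assertion, decode the Base64 SAMLResponse captured from the browser and pass the Assertion element to attributes().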


SAML Validation



Figure 15: SAML Validation




Once the integration with JIT and Azure AD is complete, SSO signs your users into Prisma Cloud automatically with their Azure AD accounts, with roles assigned either per AD group or from the cloud-only display names of the groups assigned to the application.


The two or more direct-authentication (SSO bypass) users from step 1 are the ones responsible for replacing the SAML certificate in Prisma Cloud before it expires, since an expired certificate locks every SSO user out until it is updated.




Set up Azure AD SSO on Prisma Cloud


Azure SSO Group Claims


About the Author


Srikanth Makineni is a Customer Success consultant specializing in Cloud Security Posture Management, Azure, AWS, GCP, containers and Kubernetes. Srikanth uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage his multi-industry knowledge to inspire success.

Last Updated: 09-19-2023 09:46 AM