12-14-2023 04:52 AM - edited 12-14-2023 04:52 AM
I'm trying to configure our Prisma Cloud tenant to use OIDC SSO authentication. We're using Microsoft Entra ID (formerly Azure AD) as the identity provider. As far as I can say the flow works as expected going to Azure. I get transferred to our Microsoft tenant for login against our own AD, I authenticate my user, and then I'm redirected back to the callback URL that is shown in the Prisma Cloud SSO configuration window. However, instead of being logged in to Prisma Cloud I get an error:
{"timestamp":"2023-12-14T12:19:22.961209Z","status":401,"error":"An error occurred while attempting to decode the Jwt: The ID Token contains invalid claims: {aud=[redacted-client-id]}","message":"bad_request","path":"GET:/authn/api/v1/oauth2/callback/<our-callback-uid>"}
redacted-client-id = the Client ID that I've configured in Prisma Cloud. The value in the error message matches the client id from the App registration in Azure, and also the value for Client id configured in Prisma Cloud. I've checked this several times, and also tested that the value has an effect by intentionally configuring the wrong client id in Prisma Cloud. In that case Azure complains immediately. So as far as I can tell the aud claim value should be correct. Anyone have any suggestions as to what could be going wrong here?
I've tried following the instructions here: https://docs.prismacloud.io/en/enterprise-edition/content-collections/administration/setup-sso-integ... but they are not very detailed in regards to what possibly has to be taken into account on the Azure side of things.
