How to Set up PingIdentity/Ping Federated Identity/PingOne SSO on Prisma Cloud
Objective
- Configure PingIdentity SSO on Prisma Cloud without Just in Time Provisioning (JIT).
- Configure PingIdentity SSO on Prisma Cloud with Just in Time Provisioning (JIT) with single/multi role.
Environment
- Prisma Cloud
- PingIdentity
Procedure
STEP 1 >> Set up PingIdentity for SSO
1. Log in to PingIdentity console > Add Environment
2. Select Environment > Next
3. Select Next
4. Type Environment Name > Finish
5. Click on Connections
6. Create a new Application by clicking on +
7. Select an application type > Configure
8. Type Application Name "Prisma Cloud SSO" > Next
9. Select 'Manually Enter'. To configure the SAML connection, specify the ACS URLs.
Note: The ACS URL is derived from the URL you use to access Prisma Cloud: replace app with api and append /saml. For example, if you access Prisma Cloud at https://app2.prismacloud.io, your Sign-On URL should be https://api2.prismacloud.io/saml, and if it is https://app.eu.prismacloud.io, it should be https://api.eu.prismacloud.io/saml.
10. For ENTITY ID, copy the Audience URI (SP Entity ID) from Prisma Cloud Console > Settings > SSO and paste it here.
11. Download the Signing Certificate. Make sure the IdP certificate is in the standard X.509 format.
12. Map the attribute saml_subject > Email Address and click Save and Close.
13. Enable the Prisma Cloud SSO application. Copy the Issuer ID; you will enter it in Prisma Cloud > Settings > SSO.
14. Select Identities > Users > Add User
15. The following user details must match the user's record on Prisma Cloud:
- GIVEN NAME
- FAMILY NAME
- EMAIL ADDRESS
- USERNAME (Note: Enter email in USERNAME)
16. (Optional) Just in Time (JIT) Provisioning (steps 16 to 21 apply only to JIT)
- Click on Identities > Groups > Add Group
17. Create at least two groups to support multiple roles:
- System Admin
- Auditor
Note: Make sure the same roles exist in Prisma Cloud > Settings > Roles.
18. Single Role:
Select System Admin > Select Users > Add Users Manually > Click on the + sign to add a user to the System Admin group > Save
19. (Optional) Multi Role:
Select Auditor > Select Users > Add Users Manually > Click on the + sign to add a user to the Auditor group > Save
20. Go to Connections > Application > Select the Prisma Cloud SSO application > Attribute Mappings > Edit
21. Add Attributes
- First Name
- Last Name
- Role
STEP 2 >> Configure SSO on Prisma Cloud.
1. Log in to Prisma Cloud and select Settings > Users > Add New > Save
2. Select Settings > SSO.
3. Enter the value for your Identity Provider Issuer: the Issuer ID copied in STEP 1 >> 13.
4. (Optional) Enter the Identity Provider Logout URL to which a user is redirected when Prisma Cloud times out or when the user logs out.
5. Enter your IdP certificate in the standard X.509 format.
Copy and paste it from the certificate you downloaded from your IdP.
6. Select "Allow select users to authenticate directly with Prisma Cloud" to let some users access Prisma Cloud directly using the email address and password registered with Prisma Cloud, in addition to logging in via the SSO provider.
Before enabling SSO, make sure to select a few users who can also access Prisma Cloud directly using the email and password registered locally on Prisma Cloud, so that you are not locked out of the console if SSO is misconfigured and you need to modify the IdP settings. For accessing data through APIs, you need to authenticate directly to Prisma Cloud.
7. Select the Users who can access Prisma Cloud either using local authentication credentials on Prisma Cloud or using SSO.
8. Click the toggle button to turn ON the "Allow select users to authenticate directly with Prisma Cloud" setting.
- Save your changes.
9. (Optional) Just in Time (JIT) Provisioning
To demonstrate multiple roles, create two roles under Settings > Roles > Add Roles:
- System Admin
- Auditor
10. (Optional) Just in Time (JIT) Provisioning: specify the SAML attribute names, matching those added in PingIdentity (STEP 1 >> 21):
- Role
- First Name
- Last Name
11. Enable SSO and Save again.
12. Verify access using SSO.
- Copy the Initiate Single Sign-On URL from the PingIdentity application.
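As an added illustration (not code from this article, PingIdentity or Prisma Cloud), the following Python script shows the two consistency checks the procedure depends on: deriving the ACS URL from the console URL (STEP 1 >> 9), and verifying that a SAML assertion carries an email NameID, the right Audience, and only Role values that exist in Prisma Cloud (STEP 1 >> 12 and 17, STEP 2 >> 9 and 10). The assertion, the Audience URI and the Issuer ID are constructed placeholders, and signature verification is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Roles that must already exist under Prisma Cloud > Settings > Roles (STEP 2 >> 9)
PRISMA_ROLES = {"System Admin", "Auditor"}
# Placeholder: use the real Audience URI shown in Prisma Cloud > Settings > SSO
SP_ENTITY_ID = "PRISMA-CLOUD-AUDIENCE-URI-PLACEHOLDER"

# Constructed sample assertion (not a real PingOne response); Signature element omitted
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" Version="2.0" ID="_1">
  <saml:Issuer>PINGONE-ISSUER-ID-PLACEHOLDER</saml:Issuer>
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="First Name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Last Name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role"><saml:AttributeValue>System Admin</saml:AttributeValue>
      <saml:AttributeValue>Auditor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def acs_url_for(app_url: str) -> str:
    """Derive the ACS URL from the console URL: leading 'app' -> 'api', path /saml."""
    host = urlparse(app_url).hostname or ""
    if not host.startswith("app"):
        raise ValueError(f"not a Prisma Cloud console host: {host!r}")
    return f"https://api{host[3:]}/saml"


def jit_user_from_assertion(xml_text: str, sp_entity_id: str = SP_ENTITY_ID) -> dict:
    """Extract the JIT attributes from an assertion and check them against the Prisma Cloud side."""
    a = ET.fromstring(xml_text)
    audience = a.findtext(".//saml:Audience", default="", namespaces=NS)
    if audience != sp_entity_id:  # assertion was issued for a different service provider
        raise ValueError(f"audience mismatch: {audience!r}")
    email = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if "@" not in email:  # saml_subject must be mapped to Email Address (STEP 1 >> 12)
        raise ValueError("NameID is not an email address")
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    roles = attrs.get("Role", [])
    unknown = sorted(set(roles) - PRISMA_ROLES)
    if not roles or unknown:  # group names must match Prisma Cloud roles exactly (STEP 1 >> 17 note)
        raise ValueError(f"roles missing or not defined on Prisma Cloud: {unknown or roles}")
    return {"email": email, "first_name": attrs.get("First Name", [""])[0],
            "last_name": attrs.get("Last Name", [""])[0], "roles": roles}
```

A role that is spelled differently on the PingIdentity group and the Prisma Cloud role (for example "Viewer" where only "Auditor" exists) is rejected, which is the mismatch the note under step 17 warns about.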