How to setup Azure AD SSO Just in Time Provisioning (JIT) with Prisma Cloud

Created On 07/20/20 05:24 AM - Last Modified 02/17/21 22:21 PM


Objective


This document describes how to configure Azure Active Directory (Azure AD) SSO with Just in Time (JIT) Provisioning for Prisma Cloud.


Environment


  • Prisma Cloud
  • Azure Active Directory Single Sign-On (SSO) with JIT Provisioning


Procedure


Reference Article: Prisma Cloud Tutorial
The article above covers the base Azure AD SSO configuration for Prisma Cloud. For Just in Time Provisioning, the following additional steps are required.

  1. In the Azure portal, select Enterprise Applications > All applications, then select Prisma Cloud SSO.
  2. Select Set up Single Sign-On with SAML > Edit User Attributes & Claims.
  3. Add the following claims with their respective source attributes.

Required claim:

  • Unique User Identifier (Name ID): user.mail

Additional claims (claim name as displayed in Azure Enterprise Applications > Prisma Cloud SSO > Single Sign-On, followed by its source attribute):

  • Last Name: user.surname
  • Email: user.userprincipalname
  • First Name: user.givenname
  • Role: user.jobtitle

Note:
  • Make sure the claim names exactly match those configured in Prisma Cloud under Settings > SSO > Just In Time (JIT) Provisioning.
  • Azure AD has no dedicated field for a Prisma Cloud role, so the user's Job Title attribute (user.jobtitle) is used to pass the role value to Prisma Cloud.

  4. In the Azure portal, under Users and Groups, click the user you created (for example, B.Simon in the screenshot below).
  5. Edit Job Info and set the Job title to 'SSO_Access'. This is the same value configured under Settings > Roles > Add New Role in Prisma Cloud (refer to the screenshot below).

  6. On the Prisma Cloud tenant, paste the 'Azure AD Identifier' value shown under 'Set up Prisma Cloud SSO' in the Azure portal into the Identity Provider Issuer field.
  7. Download the certificate from the Azure portal and paste it into the 'Certificate' field in Prisma Cloud.

  • It is highly recommended to exclude at least one user account from SSO via 'Allow select users to authenticate directly with Prisma Cloud'. In case of a misconfiguration, this user can still log in to the tenant and reset any settings if needed.

  8. Finally, to test SSO with Prisma Cloud, click 'Test' and log in to the tenant with the username and password created in the Azure portal.


Additional Information


You can pass up to 5 different Prisma Cloud roles for a user. The first one entered in the SAML assertion is marked as the default. When logging into Prisma Cloud, the user is assigned the default role and can switch roles once logged in.
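The two points a practitioner most often gets wrong here are the exact claim names from the Procedure section and the role ordering described above. The following added example, which is not part of this article or of Prisma Cloud's own code, parses a constructed SAML 2.0 assertion and checks that the Name ID and the Email, First Name, Last Name and Role claims are present under exactly those names, that no more than 5 roles are sent, and which role Prisma Cloud would treat as the default. It assumes claims arrive as standard `<saml:Attribute Name="...">` elements and that multiple roles are sent as multiple `<saml:AttributeValue>` children of the Role attribute; the sample assertion, user and role values are constructed for illustration.

```python
"""Added example (not from the Palo Alto Networks article): sanity-check a SAML
assertion against the claim mapping the article configures for Prisma Cloud
JIT provisioning.

Assumptions (not stated in the article): standard SAML 2.0 assertion XML,
claim names carried in <saml:Attribute Name="...">, and several roles sent as
several <saml:AttributeValue> elements under the Role attribute."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names exactly as the article maps them; Prisma Cloud requires an exact
# (case- and space-sensitive) match with Settings > SSO > JIT Provisioning.
REQUIRED_CLAIMS = {"Email", "First Name", "Last Name", "Role"}
MAX_ROLES = 5  # the article's limit on roles per user

# Constructed sample assertion (signature and conditions omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">b.simon@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>b.simon@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="First Name"><saml:AttributeValue>B.</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Last Name"><saml:AttributeValue>Simon</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>SSO_Access</saml:AttributeValue>
      <saml:AttributeValue>Read Only</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (name_id, {claim_name: [values]}) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    name_id_el = root.find("saml:Subject/saml:NameID", SAML_NS)
    name_id = name_id_el.text.strip() if name_id_el is not None and name_id_el.text else None
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        claims[attr.get("Name")] = values
    return name_id, claims


def check_jit_claims(xml_text):
    """Return a list of problems; an empty list means the assertion satisfies the mapping."""
    problems = []
    name_id, claims = parse_assertion(xml_text)
    if not name_id:
        problems.append("missing Unique User Identifier (NameID)")
    for name in sorted(REQUIRED_CLAIMS):
        if name not in claims:
            # A near-miss such as "role" or "FirstName" is the usual cause of a failed JIT login.
            near = [c for c in claims if c.replace(" ", "").lower() == name.replace(" ", "").lower()]
            hint = f" (found {near[0]!r}; names must match exactly)" if near else ""
            problems.append(f"missing claim {name!r}{hint}")
        elif not claims[name]:
            problems.append(f"claim {name!r} has no value")
    roles = claims.get("Role", [])
    if len(roles) > MAX_ROLES:
        problems.append(f"{len(roles)} roles sent; Prisma Cloud accepts at most {MAX_ROLES}")
    return problems


def default_role(xml_text):
    """The first Role value in the assertion is the one Prisma Cloud marks as default."""
    _, claims = parse_assertion(xml_text)
    roles = claims.get("Role", [])
    return roles[0] if roles else None


if __name__ == "__main__":
    print("problems:", check_jit_claims(SAMPLE_ASSERTION))
    print("default role:", default_role(SAMPLE_ASSERTION))
```

Run it against an assertion captured from a browser SAML tracer during the 'Test' step to confirm the claim names before opening a support case; the near-miss hint points at the typical case-mismatch between what Azure sends and what Prisma Cloud expects.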
