Prisma Cloud: OIDC SSO Setup on Azure AD
Objective
Refer to this article to set up OIDC SSO with Azure AD in Prisma Cloud (CSPM).
Environment
- Prisma Cloud
- Azure AD
Procedure
The first step is to navigate to the Azure Portal and select Enterprise Applications:
After clicking Enterprise Applications, navigate to All applications and click New application:
After clicking New application, click Create your own application, which should be at the top left of the browser page:
After clicking Create your own application, give the application a name, select Integrate any other application you don't find in the gallery (Non-gallery), and click the Create button at the bottom of the pane.
Next, assign the users who should have access to the application we created. To do this, stay in Enterprise Applications and select Users and groups under Manage on the left.
Once that is complete, navigate to App registrations and find the OIDC application created in the previous steps:
After clicking the OIDC app under App registrations, navigate to Certificates & secrets under Manage and create a New client secret:
After adding the New client secret with your desired description and expiration, copy the secret value and save it in a safe location, as it is needed later.
After saving the New client secret, stay in App registrations, navigate to Overview, and add a couple of Redirect URIs:
These Redirect URIs are obtained from the Prisma Cloud SaaS UI -> Settings -> Access Control -> SSO -> OIDC, as seen below:
Once you have those two values, add them to the Redirect URIs in Azure AD under App registrations. To do this, click Add a platform and select Web. Paste the first URI you copied directly after selecting Web, then add the second one under Add URI under Web Redirect URIs:
After adding the URIs, click Endpoints towards the top of the screen, copy the OpenID Connect metadata document URL, and paste it into the address bar of a new tab:
Once the document is open in the new tab, copy the whole page and paste it into a JSON formatter to make the values we need easier to read.
Once the above is done, navigate to Prisma Cloud -> Settings -> Access Control -> SSO -> OIDC and start filling in the needed values.
First fill in the Client ID, which is the Application ID of the app we created, and the Client Secret, which is the value stored in an earlier step of this document.
Then fill in the Issuer, Authorization Endpoint, jwks_uri, and Token Endpoint with the values from the OpenID Connect metadata document that we pasted into the JSON formatter above.
Once all that is done, navigate to the Prisma Cloud login page, select Sign in with SSO, and it should work:
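The four values the Prisma Cloud OIDC form asks for can be pulled out of the metadata document programmatically instead of by eye. The script below is an added example, not code from the article or from Palo Alto Networks; the all-zero tenant ID in the constructed sample document is a placeholder, and the script rejects a document that is missing a field, uses a non-https URL, or serves an endpoint from a different host than the issuer (a sign the wrong metadata document was copied).

```python
"""Extract the Prisma Cloud OIDC settings from an Azure AD OpenID Connect
metadata (discovery) document. Added example, not part of the article."""
import json
from urllib.parse import urlparse

# Fields the Prisma Cloud OIDC settings page needs, per the procedure above.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample in the shape of an Azure AD v2.0 discovery document.
# The tenant ID (all zeros) is a placeholder; paste your own document here.
_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{_TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{_TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{_TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
})


def extract_oidc_settings(metadata_json: str) -> dict:
    """Return the four Prisma Cloud OIDC fields from a discovery document.

    Raises ValueError if a field is missing, is not an https URL, or is
    hosted somewhere other than the issuer's host."""
    doc = json.loads(metadata_json)
    missing = [key for key in REQUIRED_KEYS if key not in doc]
    if missing:
        raise ValueError(f"metadata document lacks: {', '.join(missing)}")
    issuer_host = urlparse(doc["issuer"]).netloc
    settings = {}
    for key in REQUIRED_KEYS:
        url = urlparse(doc[key])
        if url.scheme != "https":
            raise ValueError(f"{key} is not an https URL: {doc[key]}")
        if url.netloc != issuer_host:
            raise ValueError(f"{key} host {url.netloc!r} differs from issuer host {issuer_host!r}")
        settings[key] = doc[key]
    return settings


if __name__ == "__main__":
    # Print the values in the order the Prisma Cloud form lists them.
    for name, value in extract_oidc_settings(SAMPLE_METADATA).items():
        print(f"{name:24} {value}")
```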
Additional Information
With SP-Initiated OIDC SSO enabled, users can only access this Prisma Cloud console via the “Sign in with SSO” link on the login page.
Prisma Cloud documentation on setting up OIDC with Azure AD