Prisma Cloud: OIDC SSO Setup on Okta

Created On 10/31/24 04:50 AM - Last Modified 08/18/25 15:34 PM


Objective


Please reference this article if you would like to set up OIDC SSO with Okta in Prisma Cloud (CSPM).



Environment


  • Prisma Cloud
  • Okta


Procedure


The first step is to navigate to the Okta Portal; I created my 30-day trial account here: okta.com/free-trial/

 

After creating your account on Okta, navigate to Applications --> 'Create App Integration':

 

Choose the following options: 

  • Sign-in Method = 'OIDC - OpenID Connect'
  • Application type = 'Web Application'

 

For the next step gather the 'Callback URL' and 'Authentication URL' from Prisma Cloud > Settings > Access Control > SSO > OIDC:

 

Now back to the Okta app:

  • Add an App integration name
  • Under Grant type, check the 'Client Credentials' option
  • Add the Callback URL and Authentication URL from Prisma Cloud to 'Sign-in redirect URIs'
  • In the Assignments section, under Controlled access, select the 'Allow everyone in your organization to access' option
  • Save the App

 

Now we will 'Edit' the App's General Settings to add the 'Initiate login URI' (Authentication URL from Prisma) and 'Callback URI' (Callback URL from Prisma), and finally save:

 

Your App on Okta should look something like this:

 

(Optional) You can add more users to your Okta by navigating to 'Directory' > 'People' > 'Add Person':

 

This concludes the setup on Okta. Next, we head back to Prisma to set up OIDC settings.

Prisma Cloud > Settings > Access Control > SSO > OIDC:

  • Enable OIDC
  • Copy and paste the 'Client ID' from Okta into the Prisma 'Client ID' field
  • Copy and paste the 'Client Secrets' value from Okta into the Prisma 'Client Secret' field

 

Next, grab the base URL of your Okta tenant from the user drop-down, as depicted here:

 

Once we have this base URL, we can build the endpoints for the Prisma OIDC setup.

  • Endpoint Issuer = https://<okta tenant>/.well-known/openid-configuration
  • Authorization Endpoint = https://<okta tenant>/oauth2/v1/authorize
  • JWK Set Endpoint = https://<okta tenant>/oauth2/v1/keys
  • Token Endpoint = https://<okta tenant>/oauth2/v1/token

Save these settings to finish the OIDC setup.
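As an added pre-flight check (not part of this article, nor Prisma Cloud or Okta code), the script below derives the four endpoint values above from the tenant base URL and compares them with what the tenant's OIDC discovery document advertises. The tenant host and the discovery document are constructed placeholders so that it runs offline.

```python
"""Pre-flight check for the Okta / Prisma Cloud OIDC endpoint values (added example)."""
import json
from urllib.parse import urlparse

def tenant_base(tenant: str) -> str:
    """Normalise a tenant host or URL to 'https://host' with no trailing slash."""
    parsed = urlparse(tenant if "://" in tenant else "https://" + tenant)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("Okta tenant must be an https host: %r" % tenant)
    return "https://" + parsed.netloc

def prisma_endpoints(tenant: str) -> dict:
    """The four values entered under Prisma Cloud > Settings > Access Control > SSO > OIDC."""
    base = tenant_base(tenant)
    return {
        "Endpoint Issuer": base + "/.well-known/openid-configuration",
        "Authorization Endpoint": base + "/oauth2/v1/authorize",
        "JWK Set Endpoint": base + "/oauth2/v1/keys",
        "Token Endpoint": base + "/oauth2/v1/token",
    }

# Discovery-document keys that correspond to the Prisma Cloud fields.
DISCOVERY_KEYS = {"Authorization Endpoint": "authorization_endpoint",
                  "JWK Set Endpoint": "jwks_uri",
                  "Token Endpoint": "token_endpoint"}

def check_discovery(tenant: str, discovery: dict) -> list:
    """Return mismatches between the derived values and what the discovery
    document advertises; an empty list means the values can be pasted as-is."""
    base = tenant_base(tenant)
    expected = prisma_endpoints(tenant)
    problems = []
    if discovery.get("issuer") != base:
        problems.append("issuer: expected %s, got %s" % (base, discovery.get("issuer")))
    for field, key in DISCOVERY_KEYS.items():
        if discovery.get(key) != expected[field]:
            problems.append("%s: expected %s, got %s" % (field, expected[field], discovery.get(key)))
    return problems

# Constructed sample for a placeholder tenant (example-tenant.okta.com is not a real org).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://example-tenant.okta.com",
  "authorization_endpoint": "https://example-tenant.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://example-tenant.okta.com/oauth2/v1/token",
  "jwks_uri": "https://example-tenant.okta.com/oauth2/v1/keys"}""")

if __name__ == "__main__":
    print(json.dumps(prisma_endpoints("example-tenant.okta.com"), indent=2))
    print(check_discovery("example-tenant.okta.com", SAMPLE_DISCOVERY) or "discovery matches")
```

To check a real tenant, replace SAMPLE_DISCOVERY with the JSON returned by the Endpoint Issuer URL of your own tenant.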

 

Test by navigating to the Prisma Cloud login page and selecting 'Sign in with SSO':


Additional Information


With SP-Initiated OIDC SSO enabled, users can only access this Prisma Cloud console via the “Sign in with SSO” link on the login page.

Prisma Cloud documentation to set up OIDC with Okta
