Prisma Cloud: How to get Google SSO with JIT working.

Created On 05/09/23 19:43 PM - Last Modified 05/28/25 17:26 PM


Objective


Enabling Google SSO (Single Sign-On) with Just-In-Time (JIT) provisioning for Prisma Cloud improves the authentication and authorization experience for users accessing Prisma Cloud.

With SSO, users can log in to Prisma Cloud using their existing Google credentials, which simplifies the login process and reduces the need for users to remember multiple usernames and passwords. This can increase user adoption and satisfaction with the product.

JIT provisioning takes this one step further by automatically creating user accounts in Prisma Cloud when a user logs in with their Google credentials for the first time. This saves time for administrators who would otherwise have to manually create user accounts, and ensures that user access is tightly controlled and audited.

Overall, enabling Google SSO with JIT for Prisma Cloud can increase security, streamline user access, and improve the overall user experience.



Environment


  • Prisma Cloud
  • Google Admin Console


Procedure


  1. First, log into Prisma Cloud, navigate to Settings -> Access Control -> SSO, and copy the Audience URI (SP Entity ID). It should look something like the following:
    AudienceURI.png
  2. Next, log into admin.google.com as a Super Administrator, navigate to Apps -> Web and mobile apps, and select Add App -> Add custom SAML app:
    AddSAMLApp.png
  3. Enter a name for the application and click Next. You will then see a page with information such as the SSO URL, Entity ID and Certificate. You can simply click Continue, because this data can be retrieved again later. You will then be taken to a page that looks like the following:
    image.png
  4. ACS URL
    —Enter your Prisma Cloud URL, but replace app with api and add saml at the end. For example, if you access Prisma Cloud at https://app2.prismacloud.io, enter https://api2.prismacloud.io/saml.
  5. Entity ID
    —Enter the Audience URI (SP Entity ID) value you copied in Step 1 above.
  6. Leave everything else as is and click Continue. On the next page you will be offered the option to add attribute mappings, which we will use to get JIT working. For now, click Finish; we will come back to this.
  7. Now that the SSO app is set up, click DOWNLOAD METADATA and copy the Entity ID from Option 2:
    DownloadMetData.png
    CopyEntityID.png
  8. Copy the certificate as well, because it is needed for the Prisma Cloud SSO configuration.
    Next, navigate to Prisma Cloud -> Settings -> Access Control -> SSO and paste the Entity ID you copied into the Identity Provider Issuer field:
    IPIAndCert.png
    Also be sure to paste the certificate.

    After all that is complete, Google SSO without JIT should be functional if you want to enable SSO and test at this point. Please be sure to add at least two people to Direct User Authentication in case you get locked out.

  9. Now we will continue to get JIT working as well. The first thing to do is create a custom user attribute in Google that will carry the Prisma Cloud role. In the Google Admin Console, navigate to Directory -> Users -> More Options -> Manage Custom Attributes -> Add Custom Attribute.
    ManageCustomAttributes.png
    AddCustomAttribute.png
    You will need to enter a Category, and the Custom fields should look something like the following:
    image.png

  10. Now that the custom attribute exists, navigate to Apps -> Web and mobile apps -> <Your Prisma SSO App> -> SAML attribute mapping and make the following mappings:
    image.png

  11. The last thing to do in the Google Admin Console is to navigate to Directory -> Users -> <Any user you want to be able to use JIT>:
    EnableUserForJIT.png
  12. Then, under the User Information drop-down, find Prisma Specific Roles, click the edit pencil, and add the role exactly as it is named in Prisma Cloud. In my example my Prisma Cloud role is pc-role, so I will add that here:
    image.png
    image.png
  13. Finally, navigate to Prisma Cloud -> Access Control -> SSO, enable JIT, and add the following attributes according to the SAML attribute mapping above:
    image.png

  14. Now SSO with JIT should be functional. You can test it from Google Admin Console -> Web and mobile apps -> <Prisma Cloud SSO App> -> TEST SAML LOGIN:
    TestSAMLLOgin.png
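As an added pre-flight check for the steps above (example code written for this article, not Palo Alto Networks or Google code): it derives the ACS URL of Step 4 from the app URL, pulls the Identity Provider Issuer and signing certificate out of the downloaded IdP metadata (Steps 7-8), and confirms that a SAML assertion names the SP Entity ID as its audience and carries the role attribute JIT depends on (Step 13). The metadata and assertion below are constructed placeholders, and the attribute name role is an assumption, since the article's mapping is shown only in its screenshots.

```python
# Added pre-flight check for the Google SSO / JIT setup above; not Palo Alto or Google code.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def acs_url(app_url):
    """Step 4: ACS URL is the app URL with 'app' replaced by 'api' and '/saml' appended."""
    host = urlparse(app_url).hostname or ""
    if not host.startswith("app"):
        raise ValueError(f"not a Prisma Cloud app URL: {app_url}")
    return f"https://api{host[3:]}/saml"

def idp_settings(metadata_xml):
    """Steps 7-8: Identity Provider Issuer (entityID) and signing cert from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    cert = root.find(".//ds:X509Certificate", NS)
    return {"issuer": root.get("entityID"),
            "cert": "".join(cert.text.split()) if cert is not None else None}

def check_jit_assertion(assertion_xml, sp_entity_id, role_attr):
    """Step 13: audience must equal the SP Entity ID and the role attribute must be present."""
    root = ET.fromstring(assertion_xml)
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", None, NS)
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    problems = []
    if audience != sp_entity_id:
        problems.append(f"audience {audience!r} does not match SP Entity ID {sp_entity_id!r}")
    if not attrs.get(role_attr):  # assumed attribute name; take it from your own mapping
        problems.append(f"JIT role attribute {role_attr!r} missing from assertion")
    return problems, attrs

# Constructed sample data: placeholder values, not real Google metadata or a real assertion.
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE">
 <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
 <ds:X509Certificate> MIIC...CERT-PLACEHOLDER... </ds:X509Certificate>
 </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"""
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>SP-ENTITY-ID-PLACEHOLDER</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
 <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="role"><saml:AttributeValue>pc-role</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""

if __name__ == "__main__":
    print(acs_url("https://app2.prismacloud.io"))  # https://api2.prismacloud.io/saml
    print(check_jit_assertion(ASSERTION, "SP-ENTITY-ID-PLACEHOLDER", "role")[0])  # []
```

Paste your real IdP metadata and a decoded assertion captured from TEST SAML LOGIN in place of the placeholders; a non-empty problem list explains why JIT did not create the user.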


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000g1jtCAA&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail