Prisma Cloud: Enable more roles for JIT in Okta SSO
Created On 05/16/23 16:15 PM - Last Modified 10/02/25 12:41 PM
Objective
How to enable more default roles for JIT in Okta SSO.
Currently, the JIT attribute mapping in Prisma Cloud is as follows (Prisma Cloud field and the SAML attribute name it expects):

Prisma Cloud field    SAML attribute name
Email Address         email
Role                  role
First Name            firstname
Last Name             lastname
Environment
- Prisma Cloud
- Okta SSO with JIT provisioning (Just in time)
Procedure
You can work with Okta Support to implement this. Prisma Cloud does it for our own tenants internally, so I can 100% confirm it works correctly with Okta.

Configure Okta to send multi-valued roles based on group membership. This requires a feature to be enabled on the Okta tenant: if the configuration below does not work, work with Okta Support to enable the feature "SAML_SUPPORT_ARRAY_ATTRIBUTES".
Sample configuration: the expression below converts a comma-separated string into a multi-valued attribute, so the roles are sent as separate attribute values rather than as a single comma-separated value:

Arrays.flatten(isMemberOfGroupName("group_1") ? "group_1,Read Only" : isMemberOfGroupName("group_2") ? "group_2,Read Only" : "Read Only")
Example: the Okta attribute statements are:

Name        Name Format    Value
email       Unspecified    user.email
role        Unspecified    Default - Read-Only
firstname   Unspecified    user.firstName
lastname    Unspecified    user.lastName
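The following Python example, added here and not part of the original article or of Prisma Cloud or Okta, shows why the array-attribute feature matters on the service-provider side. It parses the role attribute out of two constructed SAML AttributeStatement fragments: one where Okta delivers the roles as separate AttributeValue elements (the multi-valued form the expression above produces once the feature is enabled), and one where the same mapping arrives as a single comma-joined string. It also mirrors the group-to-role logic of the Okta expression in plain Python and applies an allowlist of role names (constructed for the example) so that an unrecognised value falls back to the read-only default rather than being granted.

```python
"""Multi-valued vs comma-joined SAML role attributes for JIT provisioning.

Added example, not Prisma Cloud or Okta code. Both SAML fragments below are
constructed; a real SP must validate the assertion signature before trusting
any attribute, and should parse with a hardened XML library.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed: what the IdP emits when array attributes are enabled and the
# Arrays.flatten(...) expression yields two values for a member of group_1.
MULTI_VALUED = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS['saml']}">
  <saml:Attribute Name="email" NameFormat="{UNSPEC}">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="role" NameFormat="{UNSPEC}">
    <saml:AttributeValue>group_1</saml:AttributeValue>
    <saml:AttributeValue>Read Only</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed: the same mapping without the feature, so the whole
# comma-separated string arrives as one AttributeValue.
COMMA_JOINED = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS['saml']}">
  <saml:Attribute Name="role" NameFormat="{UNSPEC}">
    <saml:AttributeValue>group_1,Read Only</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed allowlist: the role names that exist on the SP side. In the
# article's mapping these are the group names plus the default role.
KNOWN_ROLES = {"group_1", "group_2", "Read Only"}
DEFAULT_ROLE = "Read Only"


def attribute_values(statement_xml, name):
    """Return every AttributeValue text for the named SAML attribute."""
    root = ET.fromstring(statement_xml)
    for attr in root.findall("saml:Attribute", SAML_NS):
        if attr.get("Name") == name:
            return [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return []


def roles_for_groups(group_names):
    """Python mirror of the Okta expression on the page: the first matching
    group wins and the default role is always appended."""
    if "group_1" in group_names:
        return ["group_1", DEFAULT_ROLE]
    if "group_2" in group_names:
        return ["group_2", DEFAULT_ROLE]
    return [DEFAULT_ROLE]


def resolve_jit_roles(values):
    """SP-side check: keep only role names that exist, otherwise fall back to
    the default. A comma-joined value matches nothing and so gets read-only."""
    granted = [v for v in values if v in KNOWN_ROLES]
    return granted if granted else [DEFAULT_ROLE]


if __name__ == "__main__":
    for label, frag in (("multi-valued", MULTI_VALUED), ("comma-joined", COMMA_JOINED)):
        values = attribute_values(frag, "role")
        print(f"{label}: received {values} -> granted {resolve_jit_roles(values)}")
```

Run directly, the script shows the multi-valued assertion yielding both `group_1` and `Read Only`, while the comma-joined assertion carries the single string `group_1,Read Only`, which matches no role and collapses to the read-only default; that is the symptom to expect when SAML_SUPPORT_ARRAY_ATTRIBUTES is not yet enabled on the tenant.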
Additional Information
Click here to view the documentation on Okta Integration.