This blog post explains how to set up Prism Central (2023.4) to use SAML against Microsoft Entra ID (Azure AD) so we can use Single Sign-On.
First, the authentication methods most commonly used in Prism Central:
- Local accounts:
  - the admin account or self-created normal accounts. Please try to avoid these;
- Active Directory:
  - AD user groups have a role assigned in the cluster so they can do admin tasks;
  - this is the preferred method, as all tasks can be traced back to the actual user who performed them 😉
Now let's connect Prism Central to Microsoft Entra ID to get SSO capabilities.
In Prism Central go to IAM in Admin Center and select: Authentication under Settings.
Click on “Download Metadata”
Now head over to Microsoft Entra ID and open the "Enterprise Applications" pane. Click on: New Application.
Click "Create Own Application" and fill it out as described in the screenshot below:
When the custom application is created, open "Assign Users and Groups".
Add the groups you want (the users in these groups can log in to Prism Central). When done, click on: Single sign-on and then on SAML.
Upload the downloaded metadata file.
When the metadata is uploaded, click on Save.
Scroll down to section 3 and download the Federation Metadata XML.
Go back to Prism Central IAM –> Settings –> Authentication and click on "+ New IDP".
Give the configuration a name and click on "+ Import Metadata". Upload the metadata file downloaded from the enterprise app created above. Don't forget to click Save.
It should look like this:
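Before importing the Federation Metadata XML into Prism Central it is worth checking what you are about to trust: the IdP entityID, the HTTP-Redirect and HTTP-POST SSO endpoints (both should be https) and that at least one signing certificate is present and decodes as DER. The script below is an added example, not code from the blog or from Nutanix or Microsoft. The metadata sample, the all-zero tenant ID and the "certificate" (a minimal DER SEQUENCE, not a real X.509 certificate) are constructed placeholders; the checks are the example's own.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the IdP signing certificate: a minimal DER SEQUENCE
# (not a real X.509 certificate), base64-encoded the way metadata carries it.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

# Constructed sample shaped like the Federation Metadata XML an Entra ID
# enterprise application serves. The tenant ID is a placeholder.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{PLACEHOLDER_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT_BINDING}"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="{POST_BINDING}"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Extract the fields Prism Central needs from IdP metadata and list sanity issues."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    issues = []

    entity_id = root.get("entityID", "")
    if not entity_id.startswith("https://"):
        issues.append(f"entityID is not an https URL: {entity_id!r}")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")

    # One SSO endpoint per binding; both should be https.
    sso = {el.get("Binding"): el.get("Location")
           for el in idp.findall("md:SingleSignOnService", NS)}
    for binding, label in ((REDIRECT_BINDING, "HTTP-Redirect"), (POST_BINDING, "HTTP-POST")):
        location = sso.get(binding)
        if location is None:
            issues.append(f"no SingleSignOnService with {label} binding")
        elif not location.startswith("https://"):
            issues.append(f"{label} SSO location is not https: {location!r}")

    # Collect signing certificates; encryption keys are irrelevant for verifying assertions.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))
    if not certs:
        issues.append("no signing certificate in metadata")
    for i, b64 in enumerate(certs):
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            issues.append(f"signing certificate #{i} is not valid base64")
            continue
        if not der or der[0] != 0x30:  # DER SEQUENCE tag
            issues.append(f"signing certificate #{i} is not DER-encoded")

    return {
        "entity_id": entity_id,
        "sso_redirect_url": sso.get(REDIRECT_BINDING),
        "sso_post_url": sso.get(POST_BINDING),
        "signing_certs": len(certs),
        "issues": issues,
    }


if __name__ == "__main__":
    for key, value in inspect_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the real file with `inspect_idp_metadata(open("federation-metadata.xml").read())`; an empty `issues` list and exactly one signing certificate is the normal case, and a second certificate usually means Entra ID is mid-rollover, which is worth knowing before the old one stops validating.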
The next step is to create the role mapping.
Click Add role mapping and fill it in as below (use your own UPN, of course):
After clicking Save you can log out of Prism Central. The login screen will look like this:
As my management workstation is Azure AD joined, I am automatically logged in to Prism Central with my user account when I click the "Log in with Microsoft Entra ID" button. Here is a video of how the SSO works. (Keep in mind, my workstation is Entra ID joined, so I'm already authenticated against Entra ID.)
Unfortunately we cannot add a user group in the role mapping, so each and every admin must be added in the role mapping screen. (Or go all out and create custom claims in Entra ID and create role mappings based on the claim names. But then the username will not be logged in the Prism Central audit.)
For now everything is working, but if you want you can fine-tune the configuration a bit more. The SAML assertion contains multiple claims, but Prism Central only looks at the name identifier (NameID). So we can remove all unused claims from the enterprise app.
When you configure Conditional Access on the enterprise app you can filter even further when users are allowed to log on.
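To make the two points above concrete (the role mapping keyed on the UPN, and the NameID being the only part of the assertion the mapping uses), here is an added example that models the mapping step in Python; it is not code from the blog or from Nutanix. The assertion is a constructed sample carrying the default claims an Entra ID enterprise app emits, the issuer tenant ID and users are placeholders, the role names are constructed, and the case-insensitive UPN comparison is this example's choice rather than documented Prism Central behaviour. Signature and validity checks happen in Prism Central before any of this and are deliberately out of scope here.

```python
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion with the four default Entra ID claims
# (givenname, surname, emailaddress, name) plus the NameID. Placeholders only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-assertion-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Per-user role mapping as on the Prism Central role mapping screen: keyed on the
# UPN that arrives as NameID. Constructed example users and role names.
ROLE_MAPPINGS = {
    "alice@example.com": "Super Admin",
    "bob@example.com": "Viewer",
}


def parse_assertion(xml_text: str):
    """Return (NameID, {claim name: [values]}) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    name_id_el = root.find("saml:Subject/saml:NameID", SAML)
    if name_id_el is None or not (name_id_el.text or "").strip():
        raise ValueError("assertion has no NameID; the user cannot be mapped")
    name_id = name_id_el.text.strip()
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def resolve_role(xml_text: str, mappings: dict) -> dict:
    """Look the NameID up in the per-user mapping; every other claim goes unused."""
    name_id, attrs = parse_assertion(xml_text)
    # Case-insensitive UPN match: this example's choice, not a documented product rule.
    by_upn = {upn.lower(): role for upn, role in mappings.items()}
    role = by_upn.get(name_id.lower())  # None means: no mapping, so no access
    return {
        "user": name_id,             # this is the value that ends up in the audit log
        "role": role,
        "unused_claims": sorted(attrs),  # candidates for removal in the enterprise app
    }


if __name__ == "__main__":
    outcome = resolve_role(SAMPLE_ASSERTION, ROLE_MAPPINGS)
    print(f"{outcome['user']} -> {outcome['role']}")
    for claim in outcome["unused_claims"]:
        print("unused claim:", claim)
```

The `unused_claims` list is exactly what you would trim in the enterprise app's attributes and claims section; the `user` field shows why per-user NameID mapping keeps the real UPN in Prism Central's audit trail, which a claim-based group mapping would not.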