Single Sign On Nutanix Prism Central

This blog post explains how to set up Prism Central (2023.4) to use SAML against Microsoft Entra ID (Azure AD) so we can use Single Sign On.

First we start with the authentication methods most often used in Prism Central:

  1. Local Accounts;
    • The admin account or self-created normal accounts. Please try to avoid this;
  2. Active Directory;
    • AD user groups have a role assigned in the cluster so they can do admin tasks;
    • This is the preferred method, as all tasks can be traced back to the actual user who performed them 😉

Different methods to authenticate against Prism Central

Now let's connect Prism Central to Microsoft Entra ID to get SSO capabilities.

In Prism Central go to IAM in Admin Center and select: Authentication under Settings.

Click on “Download Metadata”

Now head over to Microsoft Entra ID and open pane “Enterprise Applications”. Click on: New Application.

Click “Create Own Application” and fill it out as described in the screenshot below:

When the custom application is created open “Assign Users and Groups”

Add the groups you want (the users in these groups can log in to Prism Central). When done, click on Single sign-on and then on SAML.

Upload the downloaded metadata file.

When the metadata is uploaded click on save.

Scroll down to number 3 and download the Federation Metadata XML.

Go back to Prism Central IAM –> Settings –> Authentication and click on “+ New IDP”

Give the configuration a name and click on “+ Import Metadata”. Upload the metadata file downloaded from the Enterprise App created above. Don’t forget to click Save.

It should look like this:

Next step is to create the role mapping.

Click add role mapping and fill in as below (use your own UPN of course):

After clicking save you can logout of Prism Central. The login screen will look like this:

Login with Entra ID will use the new SAML connection.

As my management workstation is Azure AD joined, I will automatically log in with my user account to Prism Central when I click the “Log in with Microsoft Entra ID” button. Here is a video of how the SSO works. (Keep in mind, my workstation is Entra ID joined, so I’m already authenticated against Entra ID.)

Unfortunately we cannot add a user group for the role mapping, so each and every admin must be added in the role mapping screen. (Or go all out and create custom claims in Entra ID and create role mappings based on the claim names. But this will not log the username in the Prism Central audits.)

For now everything is working, but if you want you can fine-tune the configuration a bit more. The SAML assertion contains multiple claims, but Prism Central only looks at the name identifier, so all unused claims can be removed from the enterprise app.

When you configure Conditional Access on the enterprise app you can restrict further when users are allowed to log on.
