My URL getting replaced by spn

Question

My URL getting replaced by spn

Calvin Rahmat 0

I'm trying to integrate SSO Entra ID with prisma cloud but I found this error. I've followed the guide but I still got this problem. Any Idea what's causing this error? any solution to fix this? Screenshot_2 Screenshot 2025-04-25 at 15.15.59

Sidney Murciano 5

Hi Calvin Rahmat!

Thanks for sharing the screenshot of your SAML configuration for the Prisma Cloud integration with Entra ID (Azure AD). The setup seems mostly correct, but since you're encountering an error, let's go through common causes and solutions based on what I can see:

✅ Your Current Configuration:

Identifier (Entity ID): https://app.sg.prismacloud.io/customer/b0273292d209322d27e4c3e667354636

Reply URL (ACS URL): https://api.sg.prismacloud.io/saml

Attributes & Claims:

givenname → user.givenname

surname → user.surname

emailaddress → user.mail

name → user.userprincipalname

Unique User Identifier → user.userprincipalname

🔍 Common Issues to Check:

Missing Required Attributes: Prisma Cloud requires specific SAML attributes to be sent. The key ones are:

firstName

  `lastName`
  
     `email`
     
        `nameID` (typically `user.userprincipalname`)
        
        → **Solution:** Make sure your attributes are renamed as expected by Prisma Cloud. You might need to **edit the claim names** to match the expected format.
        
        **Incorrect NameID Format:** The NameID (Unique User Identifier) should typically be in **email format** and **match the user record** in Prisma Cloud.
        
        → **Solution:** Go to the SAML settings and ensure that:
        
           NameID format is set to `EmailAddress`
           
              Source attribute is `user.mail` or `user.userprincipalname` if it is an email
              
              **User Not Found or Provisioned in Prisma Cloud:** If the SSO user doesn't exist in Prisma Cloud or the email doesn't match, the login will fail.
              
              → **Solution:** Log in to Prisma Cloud as an admin and check if the user you're testing with exists and has the **same email/userPrincipalName** as in Entra ID.
              
              **Region Mismatch:** You are using the **Singapore (SG)** endpoint in your URLs. Make sure this matches the tenant region where your Prisma Cloud account resides.
              
              → **Solution:** Double-check your Prisma Cloud instance URL and make sure it matches what's configured in the SAML settings.
              
              **Clock Skew or Token Issues:** Rare, but sometimes authentication fails due to time drift between Azure and Prisma Cloud.
              
              → **Solution:** Ensure both systems have synchronized time (via NTP).

🛠 Suggested Fixes:

Go to Azure AD > Enterprise Applications > [Your App] > Single Sign-On > Attributes & Claims

Edit each claim and:

Rename them to exactly what Prisma expects (firstName, lastName, email)

  Ensure `user.mail` is set as the NameID
  
  Optionally, refer to the official Palo Alto SAML doc for Prisma Cloud (they usually specify exact claim mappings): 🔗 Prisma Cloud SSO Docs

If you can also share the exact error message you're receiving (e.g., “invalid assertion,” “user not found,” etc.), I can help even more precisely!Thanks for sharing the screenshot of your SAML configuration for the Prisma Cloud integration with Entra ID (Azure AD). The setup seems mostly correct, but since you're encountering an error, let's go through common causes and solutions based on what I can see:

✅ Your Current Configuration:

Identifier (Entity ID):
https://app.sg.prismacloud.io/customer/b0273292d209322d27e4c3e667354636

Reply URL (ACS URL):
https://api.sg.prismacloud.io/saml

Attributes & Claims:

givenname → user.givenname

surname → user.surname

emailaddress → user.mail

name → user.userprincipalname

Unique User Identifier → user.userprincipalname

🔍 Common Issues to Check:

Missing Required Attributes: Prisma Cloud requires specific SAML attributes to be sent. The key ones are:

firstName

  `lastName`
  
     `email`
     
        `nameID` (typically `user.userprincipalname`)
        
        → **Solution:** Make sure your attributes are renamed as expected by Prisma Cloud. You might need to **edit the claim names** to match the expected format.
        
        **Incorrect NameID Format:** The NameID (Unique User Identifier) should typically be in **email format** and **match the user record** in Prisma Cloud.
        
        → **Solution:** Go to the SAML settings and ensure that:
        
           NameID format is set to `EmailAddress`
           
              Source attribute is `user.mail` or `user.userprincipalname` if it is an email
              
              **User Not Found or Provisioned in Prisma Cloud:** If the SSO user doesn't exist in Prisma Cloud or the email doesn't match, the login will fail.
              
              → **Solution:** Log in to Prisma Cloud as an admin and check if the user you're testing with exists and has the **same email/userPrincipalName** as in Entra ID.
              
              **Region Mismatch:** You are using the **Singapore (SG)** endpoint in your URLs. Make sure this matches the tenant region where your Prisma Cloud account resides.
              
              → **Solution:** Double-check your Prisma Cloud instance URL and make sure it matches what's configured in the SAML settings.
              
              **Clock Skew or Token Issues:** Rare, but sometimes authentication fails due to time drift between Azure and Prisma Cloud.
              
              → **Solution:** Ensure both systems have synchronized time (via NTP).

🛠 Suggested Fixes:

Go to Azure AD > Enterprise Applications > [Your App] > Single Sign-On > Attributes & Claims

Edit each claim and:

Rename them to exactly what Prisma expects (firstName, lastName, email)

  Ensure `user.mail` is set as the NameID
  
  Optionally, refer to the official Palo Alto SAML doc for Prisma Cloud (they usually specify exact claim mappings): 🔗 Prisma Cloud SSO Docs

If you can also share the exact error message you're receiving (e.g., “invalid assertion,” “user not found,” etc.), I can help even more precisely!

Calvin Rahmat 0 Reputation points

2025-04-26T04:03:09.61+00:00

Hi Sidney Murciano,

Thanks for you reply. I think the problem is not in the Attributes & Claims. I also have another environment that's successfully integrated with prisma cloud. The difference is only the Entity ID.

1 answer

Your answer

Calvin Rahmat 0 Reputation points

2025-04-26T04:03:09.61+00:00

Hi Sidney Murciano,

Thanks for you reply. I think the problem is not in the Attributes & Claims. I also have another environment that's successfully integrated with prisma cloud. The difference is only the Entity ID.

Answer 1

Vigneshwar Duvva 795 Microsoft External Staff Moderator

Hello Calvin Rahmat

Basically, the issue will be resolved after client set Identifier (Entity ID) field to default. Since it was not set to default, the SAML response was passing a UPN associated with the entity.

And also Check in the Expose an API in App Registration add Application ID URI :

User's image

I hope you have followed the below documentation for SSO Configuration
https://learn.microsoft.com/en-us/entra/identity/saas-apps/prisma-cloud-tutorial?source=recommendations

Share via

My URL getting replaced by spn

1 answer

Your answer