---
title: Configuring Palo Alto Authentication Portal for PingID
description: Palo Alto Networks Next-Generation Firewall (NGFW) Authentication Policy enables you to authenticate end users before they can access services and applications.
component: pingid
page_id: pingid:pingid_integrations:pid_configuring_palo_alto_authentication_portal
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_configuring_palo_alto_authentication_portal.html
revdate: January 28, 2024
section_ids:
  overview: Overview
  processing-steps: Processing steps
  preparing-for-configuration: Preparing for configuration
  steps: Steps
  adding-pingid-for-mfa: Adding PingID for MFA
  steps-2: Steps
  result: Result:
  result-2: Result:
  configuring-an-authentication-profile-for-mfa: Configuring an authentication profile for MFA
  steps-3: Steps
  configuring-authentication-enforcement: Configuring authentication enforcement
  steps-4: Steps
  next-steps: Next steps
  configuring-authentication-policy: Configuring authentication policy
  steps-5: Steps
  result-3: Result:
  next-steps-2: Next steps
  enabling-the-authentication-portal: Enabling the authentication portal
  steps-6: Steps
  result-4: Result:
  checking-that-response-pages-are-enabled: Checking that response pages are enabled
  before-you-begin: Before you begin
  steps-7: Steps
  next-steps-creating-security-policy: "Next steps: Creating security policy"
---

# Configuring Palo Alto Authentication Portal for PingID

Palo Alto Networks Next-Generation Firewall (NGFW) Authentication Policy enables you to authenticate end users before they can access services and applications.

## Overview

When a user requests a service or application, such as by visiting a web page, the firewall evaluates the authentication policy. Based on the matching authentication policy rule, the firewall then prompts the user to authenticate using one or more methods (factors). After the user authenticates for all factors, the firewall evaluates the [Security Policy](https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/security-policy.html) to determine whether to allow access to the service or application. To use multi-factor authentication (MFA) for protecting sensitive services and applications, you must configure an authentication policy to display a web form for the first authentication factor. For more information, see [Multi-Factor Authentication](https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-multi-factor-authentication.html).

To facilitate MFA notifications for client-server applications (such as Perforce) on Windows or macOS endpoints, a VPN tunnel established through the GlobalProtect Client is required. When a session matches an authentication policy rule, the firewall sends a UDP notification to the GlobalProtect Client with an embedded URL link to the authentication portal page. The GlobalProtect Client then displays this message as a popup notification to the user.

![A flowchart showing a typical MFA authentication using Palo Alto NGFW.](_images/lan1579198216744.png)

## Processing steps

Users generate traffic to a service or application, which triggers the authentication process shown in the following figure. When a user tries to access a service or application protected by an authentication policy, the authentication portal on the NGFW prompts for a username and password.

1. The user's credentials are validated against LDAP or another authentication server type.

2. After the user submits credentials, the authentication server sends additional user data with its successful authentication message back to the authentication portal.

3. The authentication portal initiates MFA through PingID.

   ![A screen capture of the Palo Alto authentication portal.](_images/qvx1579197451734.png)

   ![A screen capture of a GlobalProtect alert that notifies the user that additional information is required. The message says, "You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate: https://mfa.acme.local:6081/php/uid.php?vsys-1\&rule=0."](_images/dnl1579198991029.png)

   |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
   | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | You can also achieve the same workflow for client-server applications. For more information, see [Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications](https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/authentication/configure-globalprotect-to-facilitate-multi-factor-authentication-notifications.html). The following configuration steps only describe authentication for a browser-based application using the authentication portal. |

4. PingID pushes an authentication request to the user's selected authentication method, such as mobile phone, email, or desktop application.

5. The user completes the authentication request.

6. PingID sends the authentication result to the authentication portal.

7. The authentication portal allows access to the requested service.

|   |                                                           |
| - | --------------------------------------------------------- |
|   | In what follows, NGFW stands for Next-Generation Firewall. |

The following topics show how to secure an authentication portal sign-on with PingID. The example will add an LDAP and MFA authentication profile.

## Preparing for configuration

### Steps

1. In PingOne, download the PingID properties file.

   For more information, see [PingFederate](pid_pf.html).

2. In the Palo Alto NGFW admin portal, create a certificate profile for PingID.

   1. Go to **Device → Certificate Management → Certificate Profile → Add**.

   2. Create the certificate profile for PingID.

   For more information, see [Configure a Certificate Profile](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/certificate-management/configure-a-certificate-profile) in the Palo Alto documentation.

## Adding PingID for MFA

### Steps

1. In the NGFW admin portal, click the **Device** tab, and then go to **Server Profiles → Multi Factor Authentication**.

2. Click **+Add**.

   #### Result:

   The **Multi Factor Authentication Server Profile** window appears.

   ![A screen capture of the Multi Factor Authentication Server Profile window. In this screen capture, the Profile Name field says, "PingID". The Certificate Profile drop-down list shows three options: PingID-cert-profile, vm-series-cert-profile, and New Certificate Profile. PingID-cert-profile is selected.](_images/dht1568630937029.png)

3. In the **Profile Name** field, enter a name for the profile. We will use **PingID**.

4. From the **Certificate Profile** list, select the certificate profile that you previously created.

   |   |                                                                                                                                                                                                                                                       |
   | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | If you have not yet created a certificate profile for PingID, see [Configure a Certificate Profile](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/certificate-management/configure-a-certificate-profile) in the Palo Alto documentation. |

5. From the **MFA Vendor** list, select **PingID**.

   #### Result:

   Several fields populate automatically.

   ![A screen capture of the Multi Factor Authentication Server Profile window, showing populated fields in the Server Settings section with MFA Vendor PingID selected. The populated fields are Base URI, Host name, and Timeout (sec).](_images/jfb1567510659530.png)

6. From the PingID properties file, complete the three fields listed in the following table.

   The relationships between the PingID properties fields and the fields listed in the **Multi Factor Authentication Server Profile** window are described in the following table.

   | Field in the server profile window | Properties file field | Illustrative value                           |
   | --------------------------------- | ----------------- | -------------------------------------------- |
   | **Use Base64 Key**                | `use_base64_key`  | APixxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7ct4z7LOM= |
   | **Token**                         | `token`           | c85cxxxxxxxxxxxxxxxxxxxxxxxxx4c1             |
   | **PingID Client Organization ID** | `Org_alias`       | faxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx779         |

7. Ensure that the **Use Base64 Key**, **Token**, and **PingID Client Organization ID** fields are populated, and then click **OK**.

   ![A screen capture of the Multi Factor Authentication Server Profile window with all fields populated.](_images/ofi1567517453593.png)
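Before pasting the three values from the properties file into the server profile window, it helps to confirm that the file actually contains them and that each has the expected shape. The script below is an added example, not Ping Identity or Palo Alto Networks code: it parses a constructed sample properties file, matches keys case-insensitively (the table above spells the alias key `Org_alias`), maps each key to its display name in the window, and reports problems without printing the secret values themselves. The format checks (base64 key, hex token, UUID-shaped organization ID) are assumptions drawn from the illustrative values in the table.

```python
import base64
import binascii
import re
import uuid

# Properties-file key -> display name in the NGFW MFA server profile window.
FIELD_MAP = {
    "use_base64_key": "Use Base64 Key",
    "token": "Token",
    "org_alias": "PingID Client Organization ID",
}

# Constructed sample file; none of these values are real PingID credentials.
SAMPLE_PROPERTIES = """\
# pingid.properties (constructed sample)
use_base64_key=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU=
token=c85c0123456789abcdef0123456789c1
Org_alias=fa1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4779
"""


def parse_properties(text):
    """Parse key=value lines. Keys are lower-cased so that Org_alias and
    org_alias are treated as the same field."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip().lower()] = value.strip()
    return props


def check_profile_fields(props):
    """Return {display name: None if the value looks right, else a reason}.
    Only the verdict is returned; the secret values are never echoed."""
    problems = {}
    for key, display in FIELD_MAP.items():
        value = props.get(key)
        if not value:
            problems[display] = "missing from properties file"
            continue
        try:
            if key == "use_base64_key":
                base64.b64decode(value, validate=True)  # assumption: base64
            elif key == "token" and not re.fullmatch(r"[0-9a-f]+", value):
                raise ValueError("expected lowercase hex")  # assumption
            elif key == "org_alias":
                uuid.UUID(value)  # assumption: UUID-shaped, raises ValueError
            problems[display] = None
        except (ValueError, binascii.Error) as exc:
            problems[display] = str(exc)
    return problems


if __name__ == "__main__":
    for display, problem in check_profile_fields(parse_properties(SAMPLE_PROPERTIES)).items():
        print(f"{display:32s} {'ok' if problem is None else 'FAIL: ' + problem}")
```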

## Configuring an authentication profile for MFA

### Steps

1. In the Palo Alto NGFW admin portal, go to **Device → Authentication Profile**, and then click **Add**.

2. In the **Name** field, enter a name for the profile.

3. From the **Type** list, select **LDAP**.

   ![A screen capture of the Authentication Profile window, on the Authentication tab. In this screen capture, the Name field is populated with the name LDAP with PingID. The Type list shows LDAP as selected.](_images/def1567585132850.png)

4. Go to the **Factors** tab and check **Enable Additional Authentication Factors**.

   ![A screen capture of the Authentication Profile window, on the Factors tab. The Enable Additional Authentication Factors check box is selected. There is a list of available factors after the check box to use only for Authentication Policy. At the bottom of the list is the Add plus sign button.](_images/jpc1567587103626.png)

5. Click **Add**, and then select **PingID**.

6. Go to the **Advanced** tab, and in the **Allow List** section, click **Add** and select the relevant groups or users.

   In this example, we chose **all**.

   ![A screen capture of the Authentication Profile window, on the Advanced tab. The Allow List is shown with the option for all.](_images/xwk1567589832636.png)

7. **Optional:** Change the **Failed Attempts** and **Lockout Time** fields.

8. Click **OK**.

## Configuring authentication enforcement

Create an authentication enforcement object to protect services and apps with the authentication portal.

### Steps

1. In the Palo Alto NGFW admin portal, go to **Objects → Authentication**, and then click **Add**.

2. In the **Name** field, enter a name for the authentication enforcement object.

3. From the **Authentication Method** list, select **web-form**.

   |   |                                                                                                                       |
   | - | --------------------------------------------------------------------------------------------------------------------- |
   |   | This example configures authentication to a browser-based application using the authentication portal (**web-form**). |

4. From the **Authentication Profile** list, select the authentication profile that you created in the previous section.

   For more information, see [Preparing for configuration](pid_preparing_for_configuration.html).

5. **Optional:** In the **Message** field, enter an instructional message for the user.

   ![A screen capture of the Authentication Enforcement window. This screen capture shows the name PingID Enforcement, Authentication Method web-form, Authentication Profile LDAP\_and\_MFA, and the Message field set with reminder text: This is a customizable authentication message shown to the user to allow customers to provide authentication instructions based on the authentication rule in effect.](_images/rof1567598088705.png)

6. Click **OK**.

### Next steps

For more information, see [Authentication Enforcement](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-authentication) in the Palo Alto documentation.

## Configuring authentication policy

Create an authentication policy rule to protect chosen services or apps with the authentication portal.

### Steps

1. In the Palo Alto NGFW admin portal, go to **Policies → Authentication**, and then click **Add**.

   #### Result:

   The **Authentication Policy Rule** window is displayed.

   ![A screen capture of the Authentication Policy Rule window on the General tab showing the fields for Name, Description, Tags, Group Rules by Tag, and Audit Comment. There is a hyperlink for Audit Comment Archive.](_images/jbt1567601282654.png)

2. On the **General** tab, enter a name for the rule in the **Name** field.

3. On the **Source** tab, from the **Source Zone** list, select an option.

   ![A screen capture of the Source tab. There are two source lists shown: Source Zone and Source Address. Each list has a check box option for Any. It is selected for the Source Address list. The Source Zone list shows the option corp-vpn. Each list also has an Add plus sign button. The bottom of the tab has a check box for Negate. The bottom of the window has the OK and Cancel buttons.](_images/bet1567601752659.png)

4. On the **Destination** tab, from the **Destination Zone** list, select an option.

   ![A screen capture of the Destination tab. There are two destination lists shown: Destination Zone and Destination Address. Each list has a check box option for Any. It is selected for the Destination Address list. The Destination Zone list shows the option trusted. Each list also has an Add plus sign button. The bottom of the tab has a check box for Negate. The bottom of the window has the OK and Cancel buttons.](_images/vdq1567601902475.png)

5. On the **Service** tab, select the services or URL categories to protect.

   ![A screen capture of the Service/URL Category tab. There are two lists shown: Service and URL Category. The Service list has a drop-down selection list above it and the URL Category list has a check box option for Any, which is selected in this screen capture. The Service list shows the options service-http and service-https. Each list also has an Add plus sign button. The bottom of the window has the OK and Cancel buttons.](_images/prr1567602012082.png)

6. On the **Actions** tab, from the **Authentication Enforcement** list, select the authentication enforcement that you created in the previous section. Click **OK**.

   ![A screen capture of the Actions tab with the Authentication Enforcement field showing the selected authentication enforcement previously created.](_images/syx1567602113037.png)

### Next steps

For further information, see [Authentication Policies](https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication-policy.html).

## Enabling the authentication portal

### Steps

1. In the Palo Alto NGFW admin portal, go to **Device → User Identification → Captive Portal Settings**.

2. On the **Captive Portal Settings** tab, click the **Gear** icon.

   ![A screen capture of the Captive Portal Settings tab, highlighting the gear icon directly beneath the position of the Captive Portal Settings tab.](_images/vns1602616382786.png)

   #### Result:

   The **Captive Portal** window is displayed.

3. In the **Captive Portal** window, complete the following fields, and then click **OK**.

   1. Select the **Enable Captive Portal** check box.

   2. In the **Mode** section, click **Redirect**.

   3. In the **Redirect Host** field, enter the redirect host name.

      |   |                                                                               |
      | - | ----------------------------------------------------------------------------- |
      |   | The redirect host name can be a URL or interface IP address on your firewall. |

   4. From the **SSL/TLS Service Profile** list, select your SSL certificate.

   5. From the **Authentication Profile** list, select your authentication profile.

      ![A screen capture of the Captive Portal window with completed fields.](_images/ige1567603473902.png)

## Checking that response pages are enabled

### Before you begin

In the Palo Alto NGFW admin portal, go to **Network → Interfaces** and check that the interface you used for the Redirect Host has a management profile.

![A screen capture of the Interface list. The Interface list also includes categories for Interface Type, Management Profile, Link State, IP Address, Virtual Router, Tag, VLAN/Virtual-Wire, Security Zone, and Features.](_images/axy1567604002420.png)

If no management profile exists, you must add a management profile for the interface. The following steps show how to edit an existing profile.

### Steps

1. In the Palo Alto NGFW admin portal, go to **Network → Network Profiles → Interface Mgmt**.

2. Click the **Interface Management Profile** for the required interface.

3. Ensure that the **Response Pages** check box is selected, and then click **OK**.

   ![A screen capture of the Interface Management Profile window, showing the Response Pages check box, highlighted with a red circle and selected.](_images/log1567604587126.png)

4. Commit all changes.

## Next steps: Creating security policy

To test the authentication portal, set up a security policy. For more information, see [Building Blocks in a Security Policy Rule](https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/policies/policies-security/building-blocks-in-a-security-policy-rule.html).
