--- title: Creating an authentication profile description: To configure Palo Alto Global Protect to work with PingID multi-factor authentication (MFA), you must create an authentication profile. component: pingid page_id: pingid:pingid_integrations:pid_creating_an_authentication_profile canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_creating_an_authentication_profile.html revdate: January 27, 2024 section_ids: steps: Steps result: Result: result-2: Result: --- # Creating an authentication profile To configure Palo Alto Global Protect to work with PingID multi-factor authentication (MFA), you must create an authentication profile. ## Steps 1. Go to **Device → Authentication Profile**, and then click **Add**. ### Result: The **Authentication** tab of the **Authentication Profile** window is displayed. ![A screen capture of the Authentication tab in the Authentication Profile window. At the top of the window is the Name field for the entire profile. The Authentication tab includes the fields for Type; Server Profile, which has a check box under it for the option to Retrieve user group from RADIUS; User Domain; and Username Modifier.. In the Single Sign On section that follows the Username Modifier field are fields for Kerberos Realm and Kerberos Keytab. To the right of the Kerberos Keytab field is a hyperlink option to Import. The bottom of the window shows the OK and Cancel buttons.](_images/jtb1575288979951.png) 2. In the **Name** field, enter a name for the profile. 3. From the **Type** list, select **RADIUS**. 4. From the **Server Profile** list, select the RADIUS profile that you previously created. 5. In the **User Domain** field, enter your own domain name. 6. From the **Username Modifier** list, leave the default selection of **%USERINPUT%**. 7. Click **Advanced**. ### Result: The **Advanced** tab of the **Authentication Profile** window is displayed. ![A screen capture of the Advanced tab in the Authentication Profile window. The Advanced tab shows the Allow List section with a list of option to which the profile will apply. The bottom of the list as an Add plus sign button and a grayed out Delete minus sign button. The Account Lockout section follows the Allow List and shows the fields for Failed Attempts and Lockout Time (min). The bottom of the window shows the OK and Cancel buttons.](_images/rlb1575290084016.png) 8. In the **Allow List** section, select the group to which this authentication profile will apply. Click **OK**.