Prerequisites

To set up PingFederate or PingFederate Bridge as a RADIUS server, see Prerequisites: PingFederate RADIUS server.

Note: If your end users encounter the JavaScript error "Assignment to read-only properties is not allowed in strict mode" when authenticating via PingID, they should upgrade to version 5.2.11 of the GlobalProtect app.

How it works

The following diagram illustrates a general flow. The actual configuration varies depending on your organizational infrastructure considerations and policies.


A flowchart showing the relationship between Palo Alto Global Protect, the RADIUS server, and PingID.

Processing Steps

  1. When a user opens their Palo Alto Global Protect sign-on window and enters a username and password, their details are sent to the RADIUS server on PingFederate through the VPN RADIUS client.
  2. PingFederate authenticates the user’s credentials with the user repository, such as an LDAP server, as first-factor authentication.
  3. Upon authentication approval from the user repository, the RADIUS server initiates a second authentication with PingID.
  4. The RADIUS server returns a response to Palo Alto Global Protect. If authentication is denied or if an error occurs, the user's terminal displays an error message.
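
The four steps above, sketched as a minimal RADIUS exchange (RFC 2865) in Python. This is an added example, not PingFederate or Palo Alto code: the function names, the `first_factor` and `second_factor` callables standing in for the user repository and PingID, and the shared secret are assumptions.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: RFC 2865 section 5.2 User-Password hiding (MD5 keystream)."""
    padded = password.ljust(-(-max(len(password), 1) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(user: str, password: str, secret: bytes, ident: int = 1) -> bytes:
    """Step 1: the Access-Request the VPN RADIUS client sends."""
    auth = os.urandom(16)  # Request Authenticator
    pairs = ((USER_NAME, user.encode()), (USER_PASSWORD, hide_password(password.encode(), secret, auth)))
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def handle_access_request(packet: bytes, secret: bytes, first_factor, second_factor) -> bytes:
    """Steps 2-4: repository check, second factor only if it passes, then the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    auth, attrs, pos = packet[4:20], {}, 20
    while pos + 2 <= min(length, len(packet)):
        typ, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs[typ], pos = packet[pos + 2:pos + alen], pos + alen
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, auth).decode(errors="replace")
    ok = code == ACCESS_REQUEST and first_factor(user, password) and second_factor(user)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + auth + secret).digest()
```

The password in step 1 is protected only by the RADIUS shared secret, so the secret configured between the VPN RADIUS client and the RADIUS server should be handled as a credential.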