PingID Administration Guide

Configuring Palo Alto Authentication Portal for PingID

Palo Alto Networks Next-Generation Firewall (NGFW) Authentication Policy enables you to authenticate end users before they can access services and applications.

Overview

When a user requests a service or application, such as by visiting a web page, the firewall evaluates the authentication policy. Based on the matching authentication policy rule, the firewall then prompts the user to authenticate using one or more methods (factors). After the user authenticates for all factors, the firewall evaluates the Security Policy to determine whether to allow access to the service or application. To use multi-factor authentication (MFA) for protecting sensitive services and applications, you must configure an authentication policy to display a web form for the first authentication factor. For more information, see Multi-Factor Authentication.

To facilitate MFA notifications for client-server applications (such as Perforce) on Windows or macOS endpoints, a VPN tunnel established through the GlobalProtect Client is required. When a session matches an authentication policy rule, the firewall sends a UDP notification to the GlobalProtect Client with an embedded URL link to the authentication portal page. The GlobalProtect Client then displays this message as a popup notification to the user.

A flowchart showing a typical MFA authentication using Palo Alto NGFW.

Processing steps

Users generate traffic to a service or application, which triggers the authentication process as shown in the following figure. A user wishes to access a service or application protected by an authentication policy. The authentication portal located on NGFW requires a username and password.

  1. The user’s credentials are validated against LDAP or another authentication server type.

  2. After the user submits credentials, the authentication server sends additional user data with its successful authentication message back to the authentication portal.

  3. The authentication portal initiates MFA through PingID.

    A screen capture of the Palo Alto authentication portal.
    A screen capture of a GlobalProtect alert that notifies the user that additional information is required.

    The same workflow can also be used for client-server applications. For more information, see Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications.

    The following configuration steps only describe authentication for a browser-based application using the authentication portal.

  4. PingID pushes an authentication request to the user’s selected authentication method, such as mobile phone, email, or desktop application.

  5. The user completes the authentication request.

  6. PingID sends the authentication result to the authentication portal.

  7. The authentication portal allows access to the requested service.

In what follows, NGFW stands for Next-Generation Firewall.

The following topics show how to secure an authentication portal sign-on with PingID. The example will add an LDAP and MFA authentication profile.

Preparing for configuration

Steps

  1. In PingOne, download the PingID properties file.

    For more information, see PingFederate.

  2. In the Palo Alto NGFW admin portal, create a certificate profile for PingID.

    1. Go to Device → Certificate Management → Certificate Profile → Add.

    2. Create the certificate profile for PingID.

    For more information, see Configure a Certificate Profile in the Palo Alto documentation.

Adding PingID for MFA

Steps

  1. In the NGFW admin portal, click the Device tab, and then go to Server Profiles → Multi Factor Authentication.

  2. Click +Add.

    Result:

    The Multi Factor Authentication Server Profile window appears.

    A screen capture of the Multi Factor Authentication Server Profile window, showing the Profile Name field.
  3. In the Profile Name field, enter a name for the profile. We will use PingID.

  4. From the Certificate Profile list, select the certificate profile that you previously created.

    If you have not yet created a certificate profile for PingID, see Configure a Certificate Profile in the Palo Alto documentation.

  5. From the MFA Vendor list, select PingID.

    Result:

    Several fields populate automatically.

    A screen capture of the Multi Factor Authentication Server Profile window, showing populated fields in the Server Settings section with MFA Vendor PingID selected. The populated fields are Base URI, Host name, and Timeout (sec).
  6. From the PingID properties file, complete the three fields listed in the following table.

    The relationships between the PingID properties fields and the fields listed in the Multi Factor Authentication Server Profile window are described in the following table.

    Display Name                    Certificate Field   Illustrative value
    Use Base64 Key                  use_base64_key      APixxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7ct4z7LOM=
    Token                           token               c85cxxxxxxxxxxxxxxxxxxxxxxxxx4c1
    PingID Client Organization ID   Org_alias           faxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx779

  7. Ensure that the Use Base64 Key, Token, and PingID Client Organization ID fields are populated, and then click OK.

    A screen capture of the Multi Factor Authentication Server Profile window with all fields populated.
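As an added example (not code from the PingID or Palo Alto documentation), the following Python reads the three properties the table above maps onto the server profile fields, matching keys case-insensitively so that both Org_alias and org_alias are found, and applies shape checks derived from the illustrative values (padded base64, 32 hexadecimal characters, UUID form) so that a value pasted into the wrong field is caught before you click OK. The shape checks are assumptions drawn from the table, not a PingID specification, and the sample properties file is a constructed placeholder.

```python
import base64
import binascii
import re

# Constructed sample in Java .properties syntax; the values are placeholders, not real credentials.
SAMPLE_PROPERTIES = """\
# pingid.properties (constructed sample, three keys only)
use_base64_key=MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY=
token=c85c0123456789abcdef0123456789c1
Org_alias=fa000000-0000-0000-0000-000000000779
"""

# properties key (lowercased) -> field label in the Multi Factor Authentication Server Profile window
FIELD_MAP = {
    "use_base64_key": "Use Base64 Key",
    "token": "Token",
    "org_alias": "PingID Client Organization ID",
}

def parse_properties(text):
    """Minimal .properties reader: 'key=value' or 'key: value'; '#' and '!' start comments; keys lowercased."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if match:
            props[match.group(1).lower()] = match.group(2).strip()
    return props

def looks_valid(key, value):
    """Shape checks inferred from the table's illustrative values (assumption, not a PingID spec)."""
    if key == "use_base64_key":
        try:
            return len(base64.b64decode(value, validate=True)) > 0
        except (binascii.Error, ValueError):
            return False
    if key == "token":
        return re.fullmatch(r"[0-9a-f]{32}", value) is not None
    if key == "org_alias":
        return re.fullmatch(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", value) is not None
    return False

def server_profile_fields(text):
    """Map the properties file onto the three GUI fields; raise if a value is missing or malformed."""
    props = parse_properties(text)
    fields = {}
    for key, label in FIELD_MAP.items():
        value = props.get(key)
        if value is None:
            raise ValueError(f"missing property {key!r} (needed for the {label!r} field)")
        if not looks_valid(key, value):
            raise ValueError(f"property {key!r} does not look like a {label!r} value: {value!r}")
        fields[label] = value
    return fields
```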

Configuring an authentication profile for MFA

Steps

  1. In the Palo Alto NGFW admin portal, go to Device → Authentication Profile, and then click Add.

  2. In the Name field, enter a name for the profile.

  3. From the Type list, select LDAP.

    A screen capture of the Authentication Profile window, on the Authentication tab. In this screen capture, the Name field is populated with the name LDAP with PingID. The Type list shows LDAP as selected.
  4. Go to the Factors tab and check Enable Additional Authentication Factors.

    An image capture of the Authentication Profile window, on the Factors tab. The Enable Additional Authentication Factors check box is selected. Below the check box is the list of available factors, which is used only for Authentication Policy. At the bottom of the list is the Add plus sign button.
  5. Click Add, and then select PingID.

  6. Go to the Advanced tab, and in the Allow List section, click Add and select the relevant groups or users.

    In this example, we chose all.

    An image capture of the Authentication Profile window, on the Advanced tab. The Allow List is shown with the option for all.
  7. Optional: Change the Failed Attempts and Lockout Time fields.

  8. Click OK.

Configuring authentication enforcement

Create an authentication enforcement object to protect services and apps with the authentication portal.

Steps

  1. In the Palo Alto NGFW admin portal, go to Objects → Authentication, and then click Add.

  2. In the Name field, enter a name for the authentication profile.

  3. From the Authentication Method list, select web-form.

    This example configures authentication to a browser-based application using the authentication portal (web-form).

  4. From the Authentication Profile list, select the appropriate certificate profile.

    For more information, see Preparing for configuration.

  5. Optional: In the Message field, enter an instructional message for the user.

    A screen capture of the Authentication Enforcement window. This screen capture shows the name PingID Enforcement, Authentication Method web-form, Authentication Profile LDAP_and_MFA, and the Message field set with reminder text: This is a customizable authentication message shown to the user to allow customers to provide authentication instructions based on the authentication rule in effect.
  6. Click OK.

Next steps

For more information, see Authentication Enforcement in the Palo Alto documentation.

Configuring authentication policy

Create an authentication policy rule to protect chosen services or apps with the authentication portal.

Steps

  1. In the Palo Alto NGFW admin portal, go to Policies → Authentication, and then click Add.

    Result:

    The Authentication Policy Rule window is displayed.

    A screen capture of the Authentication Policy Rule window on the General tab showing the fields for Name, Description, Tags, Group Rules by Tag, and Audit Comment. There is a hyperlink for Audit Comment Archive.
  2. On the General tab, enter a name for the rule in the Name field.

  3. On the Source tab, from the Source Zone list, select an option.

    A screen capture of the Source tab. There are two source lists shown: Source Zone and Source Address. Each list has a check box option for Any. It is selected for the Source Address list. The Source Zone list shows the option corp-vpn. Each list also has an Add plus sign button. The bottom of the tab has a check box for Negate. The bottom of the window has the OK and Cancel buttons.
  4. On the Destination tab, from the Destination Zone list, select an option.

    A screen capture of the Destination tab. There are two destination lists shown: Destination Zone and Destination Address. Each list has a check box option for Any. It is selected for the Destination Address list. The Destination Zone list shows the option trusted. Each list also has an Add plus sign button. The bottom of the tab has a check box for Negate. The bottom of the window has the OK and Cancel buttons.
  5. On the Service tab, select the services or URL categories to protect.

    A screen capture of the Service/URL Category tab. There are two lists shown: Service and URL Category. The Service list has a drop-down selection list above it, and the URL Category list has a check box option for Any, which is selected in this screen capture. The Service list shows the options service-http and service-https. Each list also has an Add plus sign button. The bottom of the window has the OK and Cancel buttons.
  6. On the Actions tab, from the Authentication Enforcement list, select the authentication enforcement that you created in the previous section. Click OK.

A screen capture of the Actions tab with the Authentication Enforcement field showing the selected authentication enforcement previously created.

Next steps

For further information, see Authentication Policies.

Enabling the authentication portal

Steps

  1. In the Palo Alto NGFW admin portal, go to Device → User Identification → Captive Portal Settings.

  2. On the Captive Portal Settings tab, click the Gear icon.

    A screen capture of the Captive Portal Settings tab, highlighting the gear icon directly beneath the position of the Captive Portal Settings tab.

    Result:

    The Captive Portal window is displayed.

  3. In the Captive Portal window, complete the following fields, and then click OK.

    1. Select the Enable Captive Portal check box.

    2. In the Mode section, click Redirect.

    3. In the Redirect Host field, enter the redirect host name.

      The redirect host name can be a URL or interface IP address on your firewall.

    4. From the SSL/TLS Service Profile list, select your SSL certificate.

    5. From the Authentication Profile list, select your authentication profile.

      A screen capture of the Captive Portal window with completed fields.

Checking that response pages are enabled

Before you begin

In the Palo Alto NGFW admin portal, go to Network → Interfaces and check that the interface you used for the Redirect Host has a management profile.

A screen capture of the Interface list. The Interface list also includes categories for Interface Type, Management Profile, Link State, IP Address, Virtual Router, Tag, VLAN/Virtual-Wire, Security Zone, and Features.

If no management profile exists, you must add a management profile for the interface. The following steps show how to edit an existing profile.

Steps

  1. In the Palo Alto NGFW admin portal, go to Network → Network Profiles → Interface Mgmt.

  2. Click the Interface Management Profile for the required interface.

  3. Ensure that the Response Pages check box is selected, and then click OK.

    A screen capture of the Interface Management Profile window, showing the Response Pages check box, highlighted with a red circle and selected.
  4. Commit all changes.

Next steps: Creating security policy

To test the authentication portal, set up a security policy. For more information, see Building Blocks in a Security Policy Rule.