In the following tasks, you will configure Palo Alto Global Protect to work with PingID multi-factor authentication (MFA).
To set up PingFederate or PingFederate Bridge as a RADIUS server, see Prerequisites: PingFederate RADIUS server.
How it works
The following diagram illustrates a general flow. The actual configuration varies depending on your organizational infrastructure considerations and policies.
- When a user opens their Palo Alto Global Protect sign-on window and enters a username and password, the credentials are sent to the RADIUS server on PingFederate through the VPN RADIUS client.
- PingFederate authenticates the user’s credentials with the user repository, such as an LDAP server, as first-factor authentication.
- Upon authentication approval from the user repository, the RADIUS server initiates a second authentication with PingID.
- The RADIUS server returns a response to Palo Alto Global Protect. If authentication is denied or if an error occurs, the user's terminal displays an error message.