Page created: 3 Jun 2020 | Page updated: 15 Mar 2022
In the following tasks, you will configure Palo Alto Global Protect to work with PingID multi-factor authentication (MFA).
Prerequisites
To set up PingFederate or PingFederate Bridge as a RADIUS server, see Prerequisites: PingFederate RADIUS server.
Note: If your end users encounter the JavaScript error "Assignment to read-only properties is not allowed in strict mode" when authenticating via PingID, they should upgrade to version 5.2.11 of the GlobalProtect app.
How it works
The following diagram illustrates a general flow. The actual configuration varies depending on your organizational infrastructure considerations and policies.
Processing Steps
- When a user opens their Palo Alto Global Protect sign-on window and enters a username and password, their details are sent to the RADIUS server on PingFederate through the VPN RADIUS client.
- PingFederate authenticates the user’s credentials with the user repository, such as an LDAP server, as first-factor authentication.
- Upon authentication approval from the user repository, the RADIUS server initiates a second authentication with PingID.
- The RADIUS server returns a response to Palo Alto Global Protect. If authentication is denied or if an error occurs, the user's terminal displays an error message.
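The first and last processing steps at the wire level, as an added example that is not part of the original page or Ping Identity's code. It goes beyond the page by following RFC 2865 to show how the RADIUS client hides the password with the shared secret and why a reply is trusted only if its authenticator verifies. The function names, user name, password, and shared secret are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def build_access_request(ident, user, password, secret, authenticator=None):
    """Step 1: the packet the VPN's RADIUS client sends for the first factor."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password, secret, authenticator)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in ((1, user), (2, hidden)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def check_response(response, request, secret):
    """Step 4: accept only a reply that matches the request and the shared secret."""
    if len(response) < 20:
        return "invalid"
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return "invalid"
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return "invalid"  # forged reply or mismatched shared secret
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")

def make_response(code, request, secret, attrs=b""):
    """Constructed server side, used here only to exercise check_response."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # sample value, not from the page
    req = build_access_request(7, b"alice", b"correct horse battery", secret)
    print(check_response(make_response(ACCESS_ACCEPT, req, secret), req, secret))
    print(check_response(make_response(ACCESS_ACCEPT, req, b"wrong"), req, secret))
```

Because the password is protected only by an MD5 keystream derived from the shared secret, the secret configured on both the VPN gateway and the RADIUS server should be long and random.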