Configuring a SAML Integration with PingFederate in NGFW

Configuring a SAML Integration with PingFederate in NGFW - PingFederate

Use Cases

bundle

solution-guides

ft:publication_title

Use Cases

Product_Version_ce

category

ContentType

howtodoc

ContentType_ce

How-to

Configure the SAML IdP server profile in NGFW.
1. Sign on to Palo Alto Networks NGFW as an administrator, and then go to the Device tab.
2. To import the metadata from PingFederate, go to Server Profiles > SAML Identity Provider, and then click Import.
3. Enter a name in the Profile Name field, and then click Browse and select the metadata.xml file from step 7 of Exporting the SAML Metadata from PingFederate.
4. Optional: If you are using a self-signed certificate in PingFederate, clear the Validate Identity Provider Certificate check box.
5. Click OK.
6. Click on your newly-created profile to open it.
7. Select the Post check box for both SAML HTTP Binding for SSO Requests to IDP and SAML HTTP Binding for SLO Requests to IDP.
8. Optional: Adjust the clock skew in the Maximum Clock Skew (seconds) field.
9. Click OK.
Create the authentication profile in NGFW.
1. In Palo Alto Networks NGFW, go to the Device tab, and then click Authentication Profile.
2. Click Add, and enter a profile name in the Name field.
3. From the Type list, select SAML.
4. From the IdP Server Profile list, select the SAML profile from step 1.
5. From the Certificate for Signing Requests list, select the certificate of your GlobalProtect portal that you have created prior to this configuration. This will be used to sign the SAML message to the IdP.
6. From the Certificate Profile list, select the certificate profile that you have created prior to this configuration.
  
  Note:
  When using a CA-signed certificate in PingFederate, import the root CA in Device > Certificates, and include it in the certificate profile.
  
  Note:
  If you want to add multi-factor authentication (MFA), we recommend adding it from the PingFederate administrative console.
7. Go to the Advanced tab, and then click Add.
8. Select the groups that you want to be included in this Authentication Profile, and then click OK.
Add the authentication profile to the GlobalProtect Portal.
1. In Palo Alto Networks NGFW, go to Network > GlobalProtect > Portals, and then select the portal that you want to configure.
  
  Note:
  For information on creating a portal, see Set Up Access to the GlobalProtect Portal.
2. Under Server Authentication, select the ssl service profile to the portal.
3. Under Client Authentication, click Add.
4. In the Client Authentication window, enter a name in the Name field. From the Authentication Profile list, select the authentication profile from step 2.
5. Optional: From the Allow Authentication with User Credentials OR Client Certificate list, select Yes.
6. Click OK.
7. Go to the Agent tab and set the trusted root CA.
8. Under Agent, click Add.
9. On the Authentication tab, enter a name in the Name field. From the Save User Credentials list, select Save Username Only.
10. Go to the External tab. Under External Gateways, click Add.
11. Enter a name in the Name field, and then enter the FQDN or IP address for the agent.
12. Go to the App tab and review your configuration. Make any changes if required, and then click OK.
  
  Note:
  Make sure the Gateway is configured. For more information, see Configure a GlobalProtect Gateway.
Export the metadata file from NGFW.
1. Click the Metadata link of the authentication profile from step 2.
2. From the Service list, select global-protect.
3. From the Virtual System list, select the virtual system.
4. In the IP or Hostname field, select the URL of your GlobalProtect portal, and then click OK.