Configure the SAML IdP server profile in NGFW.
- Sign on to Palo Alto Networks NGFW as an administrator, and then go to the Device tab.
- To import the metadata from PingFederate, go to , and then click Import.
Enter a name in the Profile Name field, and then click Browse and select the metadata.xml file from step 7 of Exporting the SAML Metadata from PingFederate.
If you are using a self-signed certificate in PingFederate, clear the Validate Identity Provider Certificate check box.
- Click OK.
- Click your newly created profile to open it.
Select the Post check box for both SAML HTTP Binding for SSO Requests to IDP and SAML HTTP Binding for SLO Requests to
- Optional: Adjust the clock skew in the Maximum Clock Skew (seconds) field.
- Click OK.
Create the authentication profile in NGFW.
- In Palo Alto Networks NGFW, go to the Device tab, and then click Authentication Profile.
- Click Add, and enter a profile name in the Name field.
- From the Type list, select SAML.
- From the IdP Server Profile list, select the SAML profile from step 1.
- From the Certificate for Signing Requests list, select the certificate of your GlobalProtect portal that you have created prior to this configuration. This will be used to sign the SAML message to the IdP.
From the Certificate Profile list, select the certificate profile that you have created prior to this
When using a CA-signed certificate in PingFederate, import the root CA in , and include it in the certificate profile.
If you want to add multi-factor authentication (MFA), we recommend adding it from the PingFederate administrative console.
- Go to the Advanced tab, and then click Add.
Select the groups that you want to be included in this Authentication Profile, and then click OK.
Add the authentication profile to the GlobalProtect Portal.
- In Palo Alto Networks NGFW, go to , and then select the portal that you want to configure.
For information on creating a portal, see Set Up Access to the GlobalProtect Portal.
- Under Server Authentication, select the SSL service profile for the portal.
- Under Client Authentication, click Add.
In the Client Authentication window, enter a name in the Name field. From the Authentication Profile list, select the authentication profile from step 2.
- Optional: From the Allow Authentication with User Credentials OR Client Certificate list, select Yes.
- Click OK.
- Go to the Agent tab and set the trusted root CA.
- Under Agent, click Add.
On the Authentication tab, enter a name in the Name field. From the Save User Credentials list, select Save Username
- Go to the External tab. Under External Gateways, click Add.
Enter a name in the Name field, and then enter the FQDN or IP address for the agent.
- Go to the App tab and review your configuration. Make any changes if required, and then click
Make sure the Gateway is configured. For more information, see Configure a GlobalProtect Gateway.
Export the metadata file from NGFW.
- Click the Metadata link of the authentication profile from step 2.
- From the Service list, select global-protect.
- From the Virtual System list, select the virtual system.
- In the IP or Hostname field, select the of your GlobalProtect portal, and then click