1. Create an SP in PingFederate, and import the NGFW metadata file.
    1. In the PingFederate administrative console, go to Applications > Integration > SP Connections, and then click Create Connection.

      A screen capture of the SP Connections window in the PingFederate administrative console.
    2. On the Connection Template tab, select Do Not Use a Template for This Connection, and then click Next.
    3. On the Connection Type tab, select the Browser SSO Profiles check box, and select SAML 2.0 from the Protocol list. Click Next.
    4. On the Connection Options tab, accept the default election and click Next.
    5. On the Import Metadata tab, select the File check box and then click Choose File. Select the NGFW metadata file from step 4 of Configuring a SAML Integration with PingFederate in NGFW, and then click Next.

      A screen capture of the Import Metadata tab in the PingFederate administrative console.
    6. On the Metadata Summary tab, ensure the imported EntityID field is correct, and then click Next.
    7. On the General Info tab, review the imported Base URL field, and then click Next.

      A screen capture of the General Info tab in the PingFederate administrative console.
    8. On the Browser SSO tab, click Configure Browser SSO.

      A screen capture of the Browser SSO tab in the PingFederate administrative console.
    9. On the SAML Profiles tab, select the SP-Initiated SSO check box, and then click Next.

      A screen capture of the SAML Profiles tab in the PingFederate administrative console.
    10. On the Assertion Lifetime tab, accept the default values and click Next.
    11. On the Assertion Creation tab, click Configure Assertion Creation.

      A screen capture of the Assertion Creation tab in the PingFederate administrative console.
    12. Click Next until you reach the Authentication Source Mapping tab, accepting the default values.
    13. On the Authentication Source Mapping tab, an Adapter Instance or Authentication Policy Contract must exist. Click Map New Adapter Instance.

      A screen capture of the Authentication Source Mapping tab in the PingFederate administrative console.
    14. On the Adapter Instance tab, select HTML Form Adapter from the Adapter Instance list, and then click Next.

      A screen capture of the Adapter Instance tab in the PingFederate administrative console.
    15. On the Mapping Method tab, accept the default values and click Next.
    16. On the Attribute Contract Fulfillment tab, select Adapter from the Source list and select username from the Value list. Click Next.