1. Sign on to the PingFederate administrative console and go to System > Protocol Metadata > Metadata Export.
  2. On the Metadata Role tab, select I am the Identity Provider (IdP), and then click Next.

    A screen capture of the Metadata Role tab in the PingFederate administrative console.
  3. On the Metadata Mode tab, select Select Information to Include in Metadata Manually, and then click Next.

    A screen capture of the Metadata Mode tab in the PingFederate administrative console.
  4. On the Protocol tab, click Next until you reach the Signing Key tab, accepting the default values.
  5. On the Signing Key tab, select an available signing key from the Digital Signature Keys/Certs list, and then click Next. If none are available, click Manage Certificates to create a signing key, and then follow the on-screen instructions.
    Important: Although you can use a self-signed certificate, a CA-signed certificate is recommended.

    A screen capture of the Signing Key tab in the PingFederate administrative console.
  6. Click Next until you reach the Export & Summary tab, accepting the default values on the Metadata Signing and XML Encryption Certificate tabs.
  7. On the Export & Summary tab, click Export and save the metadata.xml file. You will upload this file to Palo Alto Networks NGFW in the next step.

    A screen capture of the Export & Summary tab in the PingFederate administrative console.