Use Cases

Configuring SSO for GlobalProtect VPN with PingOne for Enterprise

Next-Generation Firewall (NGFW) supports the ability to enable Single Sign-On (SSO) through the PingOne for Enterprise admin UI.

Before you begin

  • To ensure the integrity of messages processed in a SAML transaction, use digital certificates to cryptographically sign all messages. For guidelines on certificate usage, see Configure SAML Authentication in the Palo Alto Networks documentation.

  • You have an identity provider (IdP) certificate signed by a certificate authority (CA) and trusted by the NGFW device (recommended).

About this task

You can combine GlobalProtect VPN with PingOne for Enterprise for SSO as shown in the following diagram.

A flow chart showing the relationship between the user, GlobalProtect, and PingOne.

Steps

  1. Create a standard security certificate for GlobalProtect to use.

    GlobalProtect requires a certificate from a Certificate Authority (CA) and cannot use a self-signed certificate. Ensure that you have a standard certificate.

  2. Download the GlobalProtect certificate.

    1. Log in to the NGFW admin portal.

    2. Go to Device → Certificate Management → Certificates, and select the certificate that you created in step 1.

    3. Click Export Certificate. From the File Format list, select Base64 Encoded Certificate (PEM).

    4. Clear the Export private key check box, and then click OK.

      You will use the CN of the certificate for the assertion consumer service (ACS) endpoint and EntityID URL in step 3.

  3. In PingOne, set up the GlobalProtect application.

    1. Log in to PingOne.

    2. Go to Applications → Application Catalog, and search for GlobalProtect.

    3. Expand the Palo Alto Networks GlobalProtect entry with the black arrow. Click Setup and then click Continue to Next Step.

    4. In the ACS URL and Entity ID fields, replace ${GlobalProtect Portal} with the GlobalProtect FQDN or IP as shown.

      Example:

      ACS URL: https://<FQDN or IP>:443/SAML20/SP/ACS

      Entity ID: https://<FQDN or IP>:443/SAML20/SP

    5. Click Browse next to Primary Verification Certificate, and then select the GlobalProtect certificate that you downloaded from NGFW.

    Ensure that you:

    • Clear the Encrypt Assertion check box, and select the Sign Assertion check box.

    • Keep the signing algorithm as RSA_SHA256.

    Select Force MFA to use PingID MFA.

    6. Click Continue to Next Step.

    7. In the Attribute Mapping window, set the value of the username * application attribute to SAML_SUBJECT, unless a different value is required. Click Continue to Next Step.

    8. Optional: On the PingOne App Customization page, change the application’s icon, name, description, and category. Click Continue to Next Step.

    9. In the Group Access window, add the required user groups for VPN authentication, and then click Continue to Next Step.

      Exclude any group that should not have access to VPN.

    10. If you choose to verify the user in NGFW under User Identification against your directory, ensure that PingOne for Enterprise is connected to the same directory.

    11. Click Download next to SAML Metadata, and then click Finish.

  4. Import the PingOne for Enterprise SAML metadata into GlobalProtect.

    1. Log in as administrator to the NGFW admin portal.

    2. Go to Device → Server Profile → SAML Identity Provider, and then click Import.

    3. In the Profile Name field, enter a name for the profile.

    4. In the Identity Provider Metadata field, click Browse and import the metadata file that you downloaded from PingOne.

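    5. Optional: If you are using a self-signed certificate, clear the Validate Identity Provider Certificate check box. With this check box cleared, the firewall does not validate the IdP signing certificate against a certificate profile, so the CA-signed IdP certificate recommended under Before you begin is the stronger configuration.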

    6. Optional: Set the Maximum Clock Skew.

    7. Review your configuration and then click OK.

  5. Create an authentication profile in GlobalProtect.

    1. On the Device page, go to Authentication Profile, and click Add.

    2. In the Name field, enter a name for the authentication profile.

    3. From the Type list, select SAML.

    4. In the IDP Server Profile field, choose the SAML profile that you created in step 4.

    5. In the Certificate for Signing Request field, choose the certificate that you created for GlobalProtect. This is the same certificate that you imported into PingOne for Enterprise.

    6. In the Certificate Profile field, choose the certificate profile that you created for GlobalProtect. For more information, see Configure a Certificate Profile in the Palo Alto Networks documentation.

      When using a CA-signed certificate in PingOne for Enterprise, import the root CA in Device → Certificates and include it in the certificate profile.

    7. Leave the Username Attribute field as username.

    8. Leave the Factors tab empty.

      If you need to use MFA, you can force PingID MFA from PingFederate.

      Your configuration should be similar to the following example.

      A screen capture of the Authentication Profile window in the NGFW admin portal.

    9. Go to the Advanced tab and choose the group to which this authentication profile applies.

    10. Confirm your configuration and then click OK.

  6. Add the authentication profile to the GlobalProtect portal.

    For information on configuring a GP portal, see Set up access to the GlobalProtect Portal in the Palo Alto Networks documentation.

    1. Go to Network → GlobalProtect → Portals, and choose the portal that you want to modify.

    2. Select Authentication, and choose the SSL service profile.

    3. On the Client Authentication tab, click Add.

    4. Enter a name for the client authentication profile, and select the authentication profile that you created in step 5.

    5. Confirm your configuration and then click OK.

      Your configuration should look similar to the following example.

      A screen capture of the Client Authentication window in the NGFW admin portal.

  7. Go to the Agent tab, and set the trusted root CA.

    1. On the Agent tab, click Add.

    2. On the Authentication tab, enter a name for the agent in the Name field.

    3. From the Save User Credentials menu, select Save username only.

      Your configuration should look similar to the following example.

      A screen capture of the Authentication tab in NGFW.

  8. Add an external gateway to your GlobalProtect configuration.

    1. Go to the External tab, and under External Gateways click Add.

    2. Give the gateway a name, and set the FQDN or IP for the agent.

      Your configuration should look similar to the following example.

      A screen capture of the External Gateway window in NGFW.

      Make sure that the Gateway is configured. For instructions on configuring a gateway, see Configure a GlobalProtect Gateway in the Palo Alto Networks documentation.

  9. Go to the App tab. Review the configuration and make any required changes, then click OK.

  10. Click Commit.