---
title: Configuring SSO for GlobalProtect VPN with PingOne for Enterprise
description: Next-Generation Firewall (NGFW) supports the ability to enable Single Sign-On (SSO) through the PingOne for Enterprise admin UI.
component: solution-guides
page_id: solution-guides:single_sign-on_use_cases:htg_config_sso_globalprotect_vpn_p14e
canonical_url: https://docs.pingidentity.com/solution-guides/single_sign-on_use_cases/htg_config_sso_globalprotect_vpn_p14e.html
revdate: February 16, 2022
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  example: Example:
---

# Configuring SSO for GlobalProtect VPN with PingOne for Enterprise

Next-Generation Firewall (NGFW) supports the ability to enable Single Sign-On (SSO) through the PingOne for Enterprise admin UI.

## Before you begin

* To ensure the integrity of messages processed in a SAML transaction, use digital certificates to cryptographically sign all messages. For guidelines on certificate usage, see [Configure SAML Authentication](https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-saml-authentication.html) in the Palo Alto Networks documentation.

* You have an identity provider (IdP) certificate signed by a certificate authority (CA) and trusted by the NGFW device (recommended).

## About this task

You can combine GlobalProtect VPN with PingOne for Enterprise for SSO as shown in the following diagram.

![A flow chart showing the relationship between the user, GlobalProtect, and PingOne.](_images/kod1574273989501.png)

## Steps

1. Create a standard security certificate for GlobalProtect to use.

   **Note:** GlobalProtect requires a certificate from a Certificate Authority (CA) and cannot use a self-signed certificate. Ensure that you have a standard certificate.

2. Download the GlobalProtect certificate.

   1. Log in to the NGFW admin portal.

   2. Go to **Device → Certificate Management → Certificates**, and select the certificate that you created in step 1.

   3. Click **Export Certificate**. From the **File Format** list, select `Base64 Encoded Certificate (PEM)`.

   4. Clear the **Export private key** checkbox, and then click **OK**.

      **Note:** You will use the CN of the certificate for the assertion consumer service (ACS) endpoint and EntityID URL in step 3.

3. In PingOne, set up the GlobalProtect application.

   1. Log in to PingOne.

   2. Go to **Applications → Application Catalog**, and search for GlobalProtect.

   3. Expand the Palo Alto Networks GlobalProtect entry with the black arrow. Click **Setup** and then click **Continue to Next Step**.

   4. In the **ACS URL** and **Entity ID** fields, replace *${GlobalProtect Portal}* with the GlobalProtect FQDN or IP as shown.

      ### Example:

      ACS URL: `https://<FQDN or IP>:443/SAML20/SP/ACS`

      Entity ID: `https://<FQDN or IP>:443/SAML20/SP`

   5. Click **Browse** next to Primary Verification Certificate, and then select the GlobalProtect certificate that you downloaded from NGFW.

      Ensure that you:

      * Clear the **Encrypt Assertion** checkbox, and select the **Sign Assertion** checkbox.

      * Keep the signing algorithm as `RSA_SHA256`.

      **Note:** Select **Force MFA** to use PingID MFA.

   6. Click **Continue to Next Step**.

   7. In the **Attribute Mapping** window, set the value of the `username *` application attribute to `SAML_SUBJECT`, unless a different value is required. Click **Continue to Next Step**.

   8. **Optional:** On the **PingOne App Customization** page, change the application's icon, name, description, and category. Click **Continue to Next Step**.

   9. In the **Group Access** window, add the required user groups for VPN authentication, and then click **Continue to Next Step**.

      **Note:** Exclude any group that should not have access to VPN.

   10. If you choose to verify the user in NGFW under User Identification against your directory, ensure that PingOne for Enterprise is connected to the same directory.

   11. Click **Download** next to SAML Metadata, and then click **Finish**.

4. Import the PingOne for Enterprise SAML metadata into GlobalProtect.

   1. Log in as administrator to the NGFW admin portal.

   2. Go to **Device → Server Profile → SAML Identity Provider**, and then click **Import**.

   3. In the **Profile Name** field, enter a name for the profile.

   4. In the **Identity Provider Metadata** field, click **Browse** and import the metadata file that you downloaded from PingOne.

   5. **Optional:** If you are using a self-signed certificate, clear the **Validate Identity Provider Certificate** checkbox.

   6. **Optional:** Set the **Maximum Clock Skew**.

   7. Review your configuration and then click **OK**.

5. Create an authentication profile in GlobalProtect.

   1. On the **Device** page, go to **Authentication Profile**, and click **Add**.

   2. In the **Name** field, enter a name for the authentication profile.

   3. From the **Type** list, select `SAML`.

   4. In the **IDP Server Profile** field, choose the SAML profile that you created in step 4.

   5. In the **Certificate for Signing Request** field, choose the certificate that you created for GlobalProtect. This is the same certificate that you imported into PingOne for Enterprise.

   6. In the **Certificate Profile** field, choose the certificate profile that you created for GlobalProtect. For more information, see [Configure a Certificate Profile](https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/certificate-management/configure-a-certificate-profile.html) in the Palo Alto Networks documentation.

      **Note:** When using a CA-signed certificate in PingOne for Enterprise, import the root CA in **Device → Certificates** and include it in the certificate profile.

   7. Leave the **Username Attribute** field as `username`.

   8. Leave the **Factors** tab empty.

      **Note:** If you need to use MFA, you can force PingID MFA from PingFederate.

      Your configuration should be similar to the following example.

      ![A screen capture of the Authentication Profile window in the NGFW admin portal.](_images/fql1571868589204.png)

   9. Go to the **Advanced** tab and choose the group to which this authentication profile applies.

   10. Confirm your configuration and then click **OK**.

6. Add the authentication profile to the GlobalProtect portal.

   For information on configuring a GlobalProtect portal, see [Set up access to the GlobalProtect Portal](https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/globalprotect-portals/set-up-access-to-the-globalprotect-portal) in the Palo Alto Networks documentation.

   1. Go to **Network → GlobalProtect → Portals**, and choose the portal that you want to modify.

   2. Select **Authentication**, and choose the SSL service profile.

   3. On the **Client Authentication** tab, click **Add**.

   4. Enter a name for the client authentication profile, and select the authentication profile that you created in step 5.

   5. Confirm your configuration and then click **OK**.

      Your configuration should look similar to the following example.

      ![A screen capture of the Client Authentication window in the NGFW admin portal.](_images/xxt1571868962758.png)

7. Go to the **Agent** tab, and set the trusted root CA.

   1. On the **Agent** tab, click **Add**.

   2. On the **Authentication** tab, enter a name for the agent in the **Name** field.

   3. From the **Save User Credentials** menu, select **Save username only**.

      Your configuration should look similar to the following example.

      ![A screen capture of the Authentication tab in NGFW.](_images/tel1571927574689.png)

8. Add an external gateway to your GlobalProtect configuration.

   1. Go to the **External** tab, and under External Gateways click **Add**.

   2. Give the gateway a name, and set the FQDN or IP for the agent.

      Your configuration should look similar to the following example.

      ![A screen capture of the External Gateway window in NGFW.](_images/zpm1571928373673.png)

      **Note:** Make sure that the Gateway is configured. For instructions on configuring a gateway, see [Configure a GlobalProtect Gateway](https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/globalprotect-gateways/configure-a-globalprotect-gateway.html) in the Palo Alto Networks documentation.

9. Go to the **App** tab. Review the configuration and make any required changes, then click **OK**.

10. Click **Commit**.
