Use Cases

Configuring SSO for GlobalProtect VPN with PingFederate

Palo Alto Networks Next-Generation Firewall (NGFW) supports enabling single sign-on (SSO) through its admin UI.

Before you begin

  • PingFederate is installed and configured.

  • NGFW is installed and configured.

  • You have a GlobalProtect portal certificate.

  • You have a Certificate Profile.

  • You have an identity provider (IdP) certificate signed by a certificate authority (CA), and trusted by the NGFW device (recommended).

About this task

You can combine GlobalProtect VPN with PingFederate for SSO as illustrated in the following diagram.

Flow diagram linking three tasks: Export the SAML Metadata from PingFederate, Configure a SAML integration with PingFederate in NGFW, and Import the NGFW metadata into PingFederate.

Exporting the SAML Metadata from PingFederate

Steps

  1. Sign on to the PingFederate administrative console and go to System → Protocol Metadata → Metadata Export.

  2. On the Metadata Role tab, select I am the Identity Provider (IdP), and then click Next.

    A screen capture of the Metadata Role tab in the administrative console.
  3. On the Metadata Mode tab, select Select Information to Include in Metadata Manually, and then click Next.

    A screen capture of the Metadata Mode tab in the administrative console.
  4. On the Protocol tab, click Next until you reach the Signing Key tab, accepting the default values.

  5. On the Signing Key tab, select an available signing key from the Digital Signature Keys/Certs list, and then click Next. If none are available, click Manage Certificates to create a signing key, and then follow the on-screen instructions.

    Although you can use a self-signed certificate, a CA-signed certificate is recommended.

    A screen capture of Signing Key tab in the administrative console.
  6. Click Next until you reach the Export & Summary tab, accepting the default values on the Metadata Signing and XML Encryption Certificate tabs.

  7. On the Export & Summary tab, click Export and save the metadata.xml file. You will upload this file to Palo Alto Networks NGFW in the next step.

    A screen capture of the Export & Summary tab in the administrative console.

Configuring a SAML Integration with PingFederate in NGFW

Steps

  1. Configure the SAML IdP server profile in NGFW.

    1. Sign on to Palo Alto Networks NGFW as an administrator, and then go to the Device tab.

    2. To import the metadata from PingFederate, go to Server Profiles → SAML Identity Provider, and then click Import.

    3. Enter a name in the Profile Name field, and then click Browse and select the metadata.xml file from step 7 of Exporting the SAML Metadata from PingFederate.

      A screen capture of the SAML Identity Provider Server Profile Import window in Palo Alto NGFW.
    4. Optional: If you are using a self-signed certificate in PingFederate, clear the Validate Identity Provider Certificate check box.

      A screen capture of the SAML Identity Provider Server Profile Import window in Palo Alto NGFW.
    5. Click OK.

    6. Click your newly created profile to open it.

    7. Select the Post check box for both SAML HTTP Binding for SSO Requests to IDP and SAML HTTP Binding for SLO Requests to IDP.

      A screen capture of the SAML Identity Provider Server Profile window in Palo Alto NGFW.
    8. Optional: Adjust the clock skew in the Maximum Clock Skew (seconds) field.

    9. Click OK.

  2. Create the authentication profile in NGFW.

    1. In Palo Alto Networks NGFW, go to the Device tab, and then click Authentication Profile.

    2. Click Add, and enter a profile name in the Name field.

    3. From the Type list, select SAML.

    4. From the IdP Server Profile list, select the SAML IdP server profile that you created in step 1.

    5. From the Certificate for Signing Requests list, select the certificate of your GlobalProtect portal that you have created prior to this configuration. This will be used to sign the SAML message to the IdP.

    6. From the Certificate Profile list, select the certificate profile that you have created prior to this configuration.

      When using a CA-signed certificate in PingFederate, import the root CA in Device → Certificates, and include it in the certificate profile.

      A screen capture of the Authentication Profile window in Palo Alto NGFW.

      If you want to add multi-factor authentication (MFA), we recommend adding it from the PingFederate administrative console.

    7. Go to the Advanced tab, and then click Add.

    8. Select the groups that you want to be included in this Authentication Profile, and then click OK.

      A screen capture of the Authentication window in Palo Alto NGFW.
  3. Add the authentication profile to the GlobalProtect Portal.

    1. In Palo Alto Networks NGFW, go to Network → GlobalProtect → Portals, and then select the portal that you want to configure.

      For information on creating a portal, see Set Up Access to the GlobalProtect Portal.

    2. Under Server Authentication, select the SSL/TLS service profile for the portal.

    3. Under Client Authentication, click Add.

    4. In the Client Authentication window, enter a name in the Name field. From the Authentication Profile list, select the authentication profile that you created in step 2.

      A screen capture of the Client Authentication window in Palo Alto NGFW.
    5. Optional: From the Allow Authentication with User Credentials OR Client Certificate list, select Yes.

    6. Click OK.

    7. Go to the Agent tab and set the trusted root CA.

    8. Under Agent, click Add.

    9. On the Authentication tab, enter a name in the Name field. From the Save User Credentials list, select Save Username Only.

      A screen capture of the Configs window in Palo Alto NGFW.
    10. Go to the External tab. Under External Gateways, click Add.

    11. Enter a name in the Name field, and then enter the FQDN or IP address for the agent.

      A screen capture of the External Gateway window in Palo Alto NGFW.
    12. Go to the App tab and review your configuration. Make any changes if required, and then click OK.

      Make sure the Gateway is configured. For more information, see Configure a GlobalProtect Gateway.

  4. Export the metadata file from NGFW.

    1. Click the Metadata link of the authentication profile that you created in step 2.

      A screen capture showing the Metadata link alongside the authentication profile.
    2. From the Service list, select global-protect.

    3. From the Virtual System list, select the virtual system.

    4. In the IP or Hostname field, select the URL of your GlobalProtect portal, and then click OK.

      A screen capture of the SAML Metadata Export window in Palo Alto NGFW.
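Both procedures above end with a metadata.xml that the other side imports: the IdP metadata exported from PingFederate (whose SSO and SLO endpoints the NGFW profile uses with the POST binding, and whose signing certificate the NGFW validates) and the SP metadata exported from the NGFW (whose EntityID and Assertion Consumer Service URL the PingFederate wizard asks you to confirm). The following added example, which is not code from Ping Identity or Palo Alto Networks, inspects either kind of file before import and flags what the wizards would trip over. The two sample documents, hostnames and URL paths are constructed for the example; PLACEHOLDER-BASE64-CERT stands in for a real certificate.

```python
"""Inspect SAML 2.0 metadata before importing it on the other side.

Added example (not Ping Identity or Palo Alto Networks code). Reports the
entityID, the role (IdP or SP), endpoint bindings and whether a signing
certificate is present, then lists problems relevant to the procedure above.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata in the shape the PingFederate Metadata Export produces.
# SLO is deliberately published with HTTP-Redirect only, so the check below flags it.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/idp/SLO.saml2"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata; the entityID and ACS paths are placeholders, not the NGFW's real layout.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://vpn.example.com/SAML20/SP">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:AssertionConsumerService Binding="{POST}" index="1"
        Location="https://vpn.example.com/SAML20/SP/ACS"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _endpoints(descriptor, tag):
    """Map binding URN -> Location for every <md:tag> in a role descriptor."""
    return {e.get("Binding"): e.get("Location") for e in descriptor.findall(f"md:{tag}", NS)}


def inspect_metadata(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    descriptor = idp if idp is not None else sp
    if descriptor is None:
        raise ValueError("no IdP or SP role descriptor (was the export done in the right role?)")
    info = {"entity_id": root.get("entityID"), "role": "IdP" if idp is not None else "SP",
            "signing_certs": 0}
    # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        has_cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
        if kd.get("use") in (None, "signing") and has_cert:
            info["signing_certs"] += 1
    if info["role"] == "IdP":
        info["sso"] = _endpoints(descriptor, "SingleSignOnService")
        info["slo"] = _endpoints(descriptor, "SingleLogoutService")
    else:
        info["acs"] = _endpoints(descriptor, "AssertionConsumerService")
        info["wants_signed_assertions"] = descriptor.get("WantAssertionsSigned") == "true"
    return info


def problems_for_import(info):
    """Gaps that the import steps in the procedure above would run into."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if info["role"] == "IdP":
        if POST not in info["sso"]:
            problems.append("IdP has no HTTP-POST SingleSignOnService")
        if POST not in info["slo"]:
            problems.append("IdP has no HTTP-POST SingleLogoutService")
        if info["signing_certs"] == 0:
            problems.append("IdP metadata has no signing certificate")
    else:
        if POST not in info["acs"]:
            problems.append("SP has no HTTP-POST AssertionConsumerService")
        for url in info["acs"].values():
            if not url.startswith("https://"):
                problems.append(f"ACS URL is not HTTPS: {url}")
    return problems


if __name__ == "__main__":
    for doc in (SAMPLE_IDP_METADATA, SAMPLE_SP_METADATA):
        info = inspect_metadata(doc)
        print(info["role"], info["entity_id"], problems_for_import(info) or "OK")
```

Run it against a real export by replacing the sample strings with the file contents. With the constructed IdP sample it reports that SLO is only offered over HTTP-Redirect, which is exactly the mismatch you would hit after selecting Post for SLO requests in the NGFW server profile.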

Importing the NGFW Metadata into PingFederate

To complete the integration, import the metadata file from NGFW and finish the service provider (SP) configuration in PingFederate.

Steps

  1. Create an SP in PingFederate, and import the NGFW metadata file.

    1. In the PingFederate administrative console, go to Applications → Integration → SP Connections, and then click Create Connection.

      A screen capture of the SP Connections window in the administrative console.
    2. On the Connection Template tab, select Do Not Use a Template for This Connection, and then click Next.

    3. On the Connection Type tab, select the Browser SSO Profiles check box, and select SAML 2.0 from the Protocol list. Click Next.

    4. On the Connection Options tab, accept the default selection and click Next.

    5. On the Import Metadata tab, select the File check box and then click Choose File. Select the NGFW metadata file from step 4 of Configuring a SAML Integration with PingFederate in NGFW, and then click Next.

      A screen capture of the Import Metadata tab in the administrative console.
    6. On the Metadata Summary tab, ensure the imported EntityID field is correct, and then click Next.

    7. On the General Info tab, review the imported Base URL field, and then click Next.

      A screen capture of the General Info tab in the administrative console.
    8. On the Browser SSO tab, click Configure Browser SSO.

      A screen capture of the Browser SSO tab in the administrative console.
    9. On the SAML Profiles tab, select the SP-Initiated SSO check box, and then click Next.

      A screen capture of the SAML Profiles tab in the administrative console.
    10. On the Assertion Lifetime tab, accept the default values and click Next.

    11. On the Assertion Creation tab, click Configure Assertion Creation.

      A screen capture of the Assertion Creation tab in the administrative console.
    12. Click Next until you reach the Authentication Source Mapping tab, accepting the default values.

    13. On the Authentication Source Mapping tab, an Adapter Instance or Authentication Policy Contract must exist. Click Map New Adapter Instance.

      A screen capture of the Authentication Source Mapping tab in the administrative console.
    14. On the Adapter Instance tab, select HTML Form Adapter from the Adapter Instance list, and then click Next.

      A screen capture of the Adapter Instance tab in the administrative console.
    15. On the Mapping Method tab, accept the default values and click Next.

    16. On the Attribute Contract Fulfillment tab, select Adapter from the Source list and select username from the Value list. Click Next.

      A screen capture of the Attribute Contract Fulfillment tab in the administrative console.
    17. Click Next and Done until you return to the Protocol Settings tab, accepting the default values. Click Configure Protocol Settings.

    18. On the Assertion Consumer Service URL tab, ensure that the Endpoint URL is correct, and then click Next.

      A screen capture of the Assertion Consumer Service URL tab in the administrative console.
    19. On the Allowable SAML Bindings tab, select POST and then click Next.

      A screen capture of the Allowable SAML Bindings tab in the administrative console.
    20. Click Next and Done until you return to the Credentials tab. Click Configure Credentials.

      A screen capture of the Credentials tab in the administrative console.
    21. On the Digital Signature Settings tab, select a signing certificate from the Signing Certificate list. Click Done.

      A screen capture of the Digital Signature Settings tab in the administrative console.
    22. On the Credentials tab, click Next.

    23. On the Activation & Summary tab, ensure your connection is enabled with the green toggle switch, and then click Save.

      A screen capture of the Activation & Summary tab in the administrative console.

Troubleshooting

  • For basic troubleshooting, see Troubleshooting.

  • For documentation and Knowledge Base articles, see the Ping Identity Support portal.

  • More information and troubleshooting can be found in the Ping Identity product documentation.

  • For user sign-on issues, identify whether the problem is on PingFederate or GlobalProtect.

    • Sign-on issues with PingFederate might be related to incorrect credentials. For more information, see your PingFederate logs.

    • If authentication completes successfully on the PingFederate server and the SAML assertion is sent back to GlobalProtect:

      1. Check the Palo Alto Networks support logs.

      2. Check that the certificate is valid and trusted by the NGFW instance.

      3. Check the clocks on both the NGFW and the PingFederate server, and the Maximum Clock Skew setting on the SAML Identity Provider Server Profile.
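The third check above is about the assertion's validity window: the NGFW compares the NotBefore and NotOnOrAfter attributes of the assertion's Conditions element with its own clock, widened by the Maximum Clock Skew from the SAML Identity Provider Server Profile. The following added example, not code from Ping Identity or Palo Alto Networks, reproduces that comparison so a rejected assertion can be narrowed to clock drift and reports the smallest skew that would have accepted it. The Conditions element and the timestamps are constructed; the rule assumed is the SAML 2.0 one (NotBefore <= now < NotOnOrAfter), relaxed by the skew on both ends.

```python
"""Evaluate a SAML assertion's validity window against the verifier's clock.

Added example (not Ping Identity or Palo Alto Networks code). The skew
handling mirrors a Maximum Clock Skew setting: the window is widened by
that many seconds on both sides before the check is made.
"""
import math
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed <Conditions> element with a five-minute validity window.
SAMPLE_CONDITIONS = (
    f'<saml:Conditions xmlns:saml="{SAML_NS}" '
    'NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>'
)


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC; fractional seconds are optional."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_conditions(conditions_xml, now, max_skew_seconds):
    """Return (accepted, reason) for the window in <Conditions> at time `now`."""
    el = ET.fromstring(conditions_xml)
    skew = timedelta(seconds=max_skew_seconds)
    not_before = el.get("NotBefore")
    not_on_or_after = el.get("NotOnOrAfter")
    # Widen the window by the skew: accept if now + skew >= NotBefore ...
    if not_before and now + skew < parse_saml_time(not_before):
        return False, f"not yet valid: NotBefore={not_before}"
    # ... and now - skew < NotOnOrAfter (the upper bound is exclusive).
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, f"expired: NotOnOrAfter={not_on_or_after}"
    return True, "within validity window"


def skew_needed(conditions_xml, now):
    """Smallest whole-second Maximum Clock Skew that would accept the assertion at `now`."""
    el = ET.fromstring(conditions_xml)
    needed = 0
    not_before = el.get("NotBefore")
    not_on_or_after = el.get("NotOnOrAfter")
    if not_before:
        early = (parse_saml_time(not_before) - now).total_seconds()
        needed = max(needed, math.ceil(early))
    if not_on_or_after:
        late = (now - parse_saml_time(not_on_or_after)).total_seconds()
        needed = max(needed, math.floor(late) + 1)  # strictly greater, bound is exclusive
    return max(0, needed)


if __name__ == "__main__":
    # Verifier clock 30 s behind the IdP's NotBefore: rejected at skew 0, accepted at 60.
    behind = parse_saml_time("2024-05-01T09:59:30Z")
    for skew in (0, 60):
        print(skew, check_conditions(SAMPLE_CONDITIONS, behind, skew))
    print("skew needed:", skew_needed(SAMPLE_CONDITIONS, behind))
```

If `check_conditions` rejects an assertion that PingFederate logged as issued a moment ago, the difference `skew_needed` reports is the drift between the two clocks; fixing time synchronization is the right remedy, and raising Maximum Clock Skew only papers over it while lengthening the replay window.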