---
title: Configuring SSO for GlobalProtect VPN with PingFederate
description: Palo Alto Networks Next-Generation Firewall (NGFW) lets you enable single sign-on (SSO) for GlobalProtect VPN through the admin UI, with PingFederate as the SAML identity provider.
component: solution-guides
page_id: solution-guides:single_sign-on_use_cases:htg_config_sso_globalprotect_vpn_pf
canonical_url: https://docs.pingidentity.com/solution-guides/single_sign-on_use_cases/htg_config_sso_globalprotect_vpn_pf.html
revdate: November 10, 2022
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  exporting-the-saml-metadata-from-pingfederate: Exporting the SAML Metadata from PingFederate
  steps: Steps
  configuring-a-saml-integration-with-pingfederate-in-ngfw: Configuring a SAML Integration with PingFederate in NGFW
  steps-2: Steps
  importing-the-ngfw-metadata-into-pingfederate: Importing the NGFW Metadata into PingFederate
  steps-3: Steps
  troubleshooting: Troubleshooting
---

# Configuring SSO for GlobalProtect VPN with PingFederate

Palo Alto Networks Next-Generation Firewall (NGFW) lets you enable single sign-on (SSO) for GlobalProtect VPN through its admin UI. In this guide the NGFW acts as the SAML 2.0 service provider (SP) and PingFederate as the identity provider (IdP); the two sides are connected by exchanging SAML metadata.

## Before you begin

* PingFederate is installed and configured.

* NGFW is installed and configured.

* You have a GlobalProtect portal certificate.

* You have a Certificate Profile.

* You have an identity provider (IdP) certificate signed by a certificate authority (CA), and trusted by the NGFW device (recommended).

## About this task

You can combine GlobalProtect VPN with PingFederate for SSO as illustrated in the following diagram.

![A flow diagram of the three tasks: export the SAML metadata from PingFederate, configure a SAML integration with PingFederate in NGFW, and import the NGFW metadata into PingFederate.](_images/gnx1571327130738.png)Flow diagram that links to three tasks: Export the SAML Metadata from PingFederate, Configure a SAML integration with PingFederate in NGFW, and Import the NGFW metadata into PingFederate

## Exporting the SAML Metadata from PingFederate

### Steps

1. Sign on to the PingFederate administrative console and go to **System → Protocol Metadata → Metadata Export**.

2. On the **Metadata Role** tab, select **I am the Identity Provider (IdP)**, and then click **Next**.

   ![A screen capture of the Metadata Role tab in the administrative console.](../_images/zbi1593474042547.png)

3. On the **Metadata Mode** tab, select **Select Information to Include in Metadata Manually**, and then click **Next**.

   ![A screen capture of the Metadata Mode tab in the administrative console.](../_images/pvo1593474233350.png)

4. On the **Protocol** tab, click **Next** until you reach the **Signing Key** tab, accepting the default values.

5. On the **Signing Key** tab, select an available signing key from the **Digital Signature Keys/Certs** list, and then click **Next**. If none are available, click **Manage Certificates** to create a signing key, and then follow the on-screen instructions.

   |   |                                                                                         |
   | - | --------------------------------------------------------------------------------------- |
   |   | Although you can use a self-signed certificate, a CA-signed certificate is recommended. |

   ![A screen capture of Signing Key tab in the administrative console.](../_images/sga1593474593063.png)

6. Click **Next** until you reach the **Export & Summary** tab, accepting the default values on the **Metadata Signing** and **XML Encryption Certificate** tabs.

7. On the **Export & Summary** tab, click **Export** and save the `metadata.xml` file. You will upload this file to Palo Alto Networks NGFW in the next step.

   ![A screen capture of the Export & Summary tab in the administrative console.](../_images/lfe1593474764679.png)

## Configuring a SAML Integration with PingFederate in NGFW

### Steps

1. Configure the SAML IdP server profile in NGFW.

   1. Sign on to Palo Alto Networks NGFW as an administrator, and then go to the **Device** tab.

   2. To import the metadata from PingFederate, go to **Server Profiles → SAML Identity Provider**, and then click **Import**.

   3. Enter a name in the **Profile Name** field, and then click **Browse** and select the `metadata.xml` file from step 7 of [Exporting the SAML Metadata from PingFederate](htg_config_sso_globalprotect_vpn_pf_export_saml_metadata.html).

      ![A screen capture of the SAML Identity Provider Server Profile Import window in Palo Alto NGFW.](_images/jhe1593476209245.png)

   4. **Optional:** If you are using a self-signed certificate in PingFederate, clear the **Validate Identity Provider Certificate** checkbox. Do this only in a lab: with the checkbox cleared, the firewall no longer checks that the IdP signing certificate chains to a CA in the certificate profile. For production, keep it selected and use a CA-signed IdP certificate with the root CA imported into the certificate profile. Palo Alto Networks' advisory for CVE-2020-2021 describes a SAML authentication bypass whose precondition was this option being disabled.

      ![A screen capture of the SAML Identity Provider Server Profile Import window in Palo Alto NGFW.](_images/uen1597963918494.png)

   5. Click **OK**.

   6. Click on your newly-created profile to open it.

   7. Select the **Post** checkbox for both **SAML HTTP Binding for SSO Requests to IDP** and **SAML HTTP Binding for SLO Requests to IDP**.

      ![A screen capture of the SAML Identity Provider Server Profile window in Palo Alto NGFW.](_images/xoo1597964619772.png)

   8. **Optional:** Adjust the **Maximum Clock Skew (seconds)** field. This is the tolerance the firewall applies to the assertion's NotBefore and NotOnOrAfter timestamps. Keep it small (the default is 60 seconds) and fix clock drift with NTP on both systems rather than widening it.

   9. Click **OK**.

2. Create the authentication profile in NGFW.

   1. In Palo Alto Networks NGFW, go to the **Device** tab, and then click **Authentication Profile**.

   2. Click **Add**, and enter a profile name in the **Name** field.

   3. From the **Type** list, select **SAML**.

   4. From the **IdP Server Profile** list, select the SAML profile.

   5. From the **Certificate for Signing Requests** list, select the GlobalProtect portal certificate you created before starting this configuration. The NGFW uses its private key to sign the SAML requests it sends to the IdP.

   6. From the **Certificate Profile** list, select the certificate profile that you have created prior to this configuration.

      |   |                                                                                                                                                 |
      | - | ----------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | When using a CA-signed certificate in PingFederate, import the root CA in **Device → Certificates**, and include it in the certificate profile. |

      ![A screen capture of the Authentication Profile window in Palo Alto NGFW.](_images/hdr1593539204670.png)

      |   |                                                                                                                            |
      | - | -------------------------------------------------------------------------------------------------------------------------- |
      |   | If you want to add multi-factor authentication (MFA), we recommend adding it from the PingFederate administrative console. |

   7. Go to the **Advanced** tab, and then click **Add**.

   8. Select the groups that you want to be included in this Authentication Profile, and then click **OK**.

      ![A screen capture of the Authentication window in Palo Alto NGFW.](_images/zwo1593539719142.png)

3. Add the authentication profile to the GlobalProtect Portal.

   1. In Palo Alto Networks NGFW, go to **Network → GlobalProtect → Portals**, and then select the portal that you want to configure.

      |   |                                                                                                                                                                                                                                  |
      | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | For information on creating a portal, see [Set Up Access to the GlobalProtect Portal](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-portals/set-up-access-to-the-globalprotect-portal). |

   2. Under **Server Authentication**, select the SSL/TLS service profile for the portal.

   3. Under Client Authentication, click **Add**.

   4. In the **Client Authentication** window, enter a name in the **Name** field. From the **Authentication Profile** list, select the authentication profile.

      ![A screen capture of the Client Authentication window in Palo Alto NGFW.](_images/xej1593540104445.png)

   5. **Optional:** From the **Allow Authentication with User Credentials OR Client Certificate** list, select **Yes**. With **Yes**, a user who presents either valid SAML credentials or a valid client certificate is admitted; leave it at **No** if both must be presented.

   6. Click **OK**.

   7. Go to the **Agent** tab and set the trusted root CA.

   8. Under Agent, click **Add**.

   9. On the **Authentication** tab, enter a name in the **Name** field. From the **Save User Credentials** list, select **Save Username Only**.

      ![A screen capture of the Configs window in Palo Alto NGFW.](_images/fts1593540204970.png)

   10. Go to the **External** tab. Under External Gateways, click **Add**.

   11. Enter a name in the **Name** field, and then enter the FQDN or IP address of the external gateway.

       ![A screen capture of the External Gateway window in Palo Alto NGFW.](_images/tjs1593540477645.png)

   12. Go to the **App** tab and review your configuration. Make any changes if required, and then click **OK**.

       |   |                                                                                                                                                                                                                                        |
       | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
       |   | Make sure the Gateway is configured. For more information, see [Configure a GlobalProtect Gateway](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/configure-a-globalprotect-gateway). |

4. Export the metadata file from NGFW.

   1. Click the **Metadata** link of the authentication profile.

      ![A screen capture showing the Metadata link alongside the authentication profile.](_images/ars1593541453709.png)

   2. From the **Service** list, select **global-protect**.

   3. From the **Virtual System** list, select the virtual system.

   4. In the **IP or Hostname** field, enter the FQDN of your GlobalProtect portal as users reach it, and then click **OK**. This value becomes part of the SP entity ID and the Assertion Consumer Service (ACS) URL in the exported metadata, so it must match the portal hostname in the certificate.

      ![A screen capture of the SAML Metadata Export window in Palo Alto NGFW.](_images/qpb1593541555986.png)
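Before the metadata files from the two export procedures above (the PingFederate IdP metadata and the NGFW SP metadata) are imported on the opposite side, it is worth checking that they agree with the bindings and hostnames you configured. The following script is an added example, not code from the Ping Identity guide or from either product. It parses both documents with the standard library and reports the mismatches that most often break this integration: no HTTP-POST SSO or SLO endpoint on the IdP (the profile above sends both with the Post binding), no signing certificate, an ACS or entity ID whose host does not match the portal FQDN, or an SP that claims to sign requests without publishing a signing certificate. Both metadata documents are constructed samples; the hostnames, entity IDs and certificate bytes are placeholders.

```python
"""Pre-import checks on the two SAML metadata files this guide exchanges.

Added example, not part of the Ping Identity guide or of either product.
Both metadata documents below are constructed samples; hostnames,
entityIDs and the certificate bytes are placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
FAKE_CERT = "MIIBsamplePlaceholderCertificateDERbytes"  # placeholder, not a real certificate

# Constructed sample of what PingFederate's IdP metadata export contains.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://pingfed.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{POST}" Location="https://pingfed.example.com/idp/SLO.saml2"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://pingfed.example.com/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://pingfed.example.com/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of the SP metadata the NGFW exports for the global-protect service.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://vpn.example.com:443/SAML20/SP">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="{POST}" index="1" isDefault="true"
        Location="https://vpn.example.com:443/SAML20/SP/ACS"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _signing_fingerprints(descriptor):
    """SHA-256 fingerprints of every certificate usable for signing."""
    fps = []
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fps.append(hashlib.sha256(der).hexdigest())
    return fps


def _endpoints(descriptor, tag):
    """Map binding URN -> Location for every <md:tag> child of a role descriptor."""
    return {e.get("Binding"): e.get("Location") for e in descriptor.findall(f"md:{tag}", NS)}


def parse_idp(xml_text):
    root = ET.fromstring(xml_text)
    d = root.find("md:IDPSSODescriptor", NS)
    return {"entity_id": root.get("entityID"),
            "sso": _endpoints(d, "SingleSignOnService"),
            "slo": _endpoints(d, "SingleLogoutService"),
            "signing_certs": _signing_fingerprints(d)}


def parse_sp(xml_text):
    root = ET.fromstring(xml_text)
    d = root.find("md:SPSSODescriptor", NS)
    return {"entity_id": root.get("entityID"),
            "acs": _endpoints(d, "AssertionConsumerService"),
            "authn_requests_signed": d.get("AuthnRequestsSigned", "false") == "true",
            "signing_certs": _signing_fingerprints(d)}


def check_pair(idp, sp, portal_fqdn):
    """Return a list of problems; an empty list means the pair looks consistent."""
    problems = []
    if not idp["signing_certs"]:
        problems.append("IdP metadata carries no signing certificate; the NGFW cannot verify assertions")
    if POST not in idp["sso"]:
        problems.append("IdP has no HTTP-POST SingleSignOnService, but the NGFW profile sends SSO requests with Post")
    if POST not in idp["slo"]:
        problems.append("IdP has no HTTP-POST SingleLogoutService, but the NGFW profile sends SLO requests with Post")
    if POST not in sp["acs"]:
        problems.append("SP has no HTTP-POST AssertionConsumerService, but PingFederate allows only POST")
    for loc in sp["acs"].values():
        if urlsplit(loc).hostname != portal_fqdn:
            problems.append(f"ACS host {urlsplit(loc).hostname!r} does not match portal FQDN {portal_fqdn!r}")
    if urlsplit(sp["entity_id"]).hostname != portal_fqdn:
        problems.append(f"SP entityID host does not match portal FQDN {portal_fqdn!r}")
    if sp["authn_requests_signed"] and not sp["signing_certs"]:
        problems.append("SP sets AuthnRequestsSigned but publishes no signing certificate")
    return problems


if __name__ == "__main__":
    report = check_pair(parse_idp(IDP_METADATA), parse_sp(SP_METADATA), "vpn.example.com")
    print("\n".join(report) or "metadata pair looks consistent")
```

Run it against the real `metadata.xml` from PingFederate and the file downloaded from the NGFW **Metadata** link by replacing the two constructed strings with the file contents; the fingerprints in `signing_certs` can be compared with the certificates shown in each product's certificate management screen.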

## Importing the NGFW Metadata into PingFederate

To complete the integration, import the metadata file from NGFW and finish the service provider (SP) configuration in PingFederate.

### Steps

1. Create an SP in PingFederate, and import the NGFW metadata file.

   1. In the PingFederate administrative console, go to **Applications → Integration → SP Connections**, and then click **Create Connection**.

      ![A screen capture of the SP Connections window in the administrative console.](_images/amu1593553427790.png)

   2. On the **Connection Template** tab, select **Do Not Use a Template for This Connection**, and then click **Next**.

   3. On the **Connection Type** tab, select the **Browser SSO Profiles** checkbox, and select **SAML 2.0** from the **Protocol** list. Click **Next**.

   4. On the **Connection Options** tab, accept the default selection and click **Next**.

   5. On the **Import Metadata** tab, select the **File** checkbox and then click **Choose File**. Select the NGFW metadata file and then click **Next**.

      ![A screen capture of the Import Metadata tab in the administrative console.](_images/wsg1593553769958.png)

   6. On the **Metadata Summary** tab, ensure the imported **EntityID** field is correct, and then click **Next**.

   7. On the **General Info** tab, review the imported **Base URL** field, and then click **Next**.

      ![A screen capture of the General Info tab in the administrative console.](_images/gur1593556103752.png)

   8. On the **Browser SSO** tab, click **Configure Browser SSO**.

      ![A screen capture of the Browser SSO tab in the administrative console.](_images/tcx1593556313243.png)

   9. On the **SAML Profiles** tab, select the **SP-Initiated SSO** checkbox, and then click **Next**.

      ![A screen capture of the SAML Profiles tab in the administrative console.](_images/kfm1593556401432.png)

   10. On the **Assertion Lifetime** tab, accept the default values and click **Next**.

   11. On the **Assertion Creation** tab, click **Configure Assertion Creation**.

       ![A screen capture of the Assertion Creation tab in the administrative console.](_images/mdn1593556618758.png)

   12. Click **Next** until you reach the **Authentication Source Mapping** tab, accepting the default values.

   13. On the **Authentication Source Mapping** tab, an Adapter Instance or Authentication Policy Contract must exist. Click **Map New Adapter Instance**.

       ![A screen capture of the Authentication Source Mapping tab in the administrative console.](_images/ghg1593556757925.png)

   14. On the **Adapter Instance** tab, select **HTML Form Adapter** from the **Adapter Instance** list, and then click **Next**.

       ![A screen capture of the Adapter Instance tab in the administrative console.](_images/ngd1593556824004.png)

   15. On the **Mapping Method** tab, accept the default values and click **Next**.

   16. On the **Attribute Contract Fulfillment** tab, select **Adapter** from the **Source** list and select **username** from the **Value** list. Click **Next**.

       ![A screen capture of the Attribute Contract Fulfillment tab in the administrative console.](_images/zrm1593556923492.png)

   17. Click **Next** and **Done** until you return to the **Protocol Settings** tab, accepting the default values. Click **Configure Protocol Settings**.

   18. On the **Assertion Consumer Service URL** tab, ensure that the Endpoint URL matches the ACS URL from the NGFW metadata, and then click **Next**.

       ![A screen capture of the Assertion Consumer Service URL tab in the administrative console.](_images/yfn1593557000819.png)

   19. On the **Allowable SAML Bindings** tab, select **POST** and then click **Next**.

       ![A screen capture of the Allowable SAML Bindings tab in the administrative console.](_images/fku1593557072875.png)

   20. Click **Next** and **Done** until you return to the **Credentials** tab. Click **Configure Credentials**.

       ![A screen capture of the Credentials tab in the administrative console.](_images/npa1593557141604.png)

   21. On the **Digital Signature Settings** tab, select a signing certificate from the **Signing Certificate** list. Click **Done**.

       ![A screen capture of the Digital Signature Settings tab in the administrative console.](_images/rlr1593557207609.png)

   22. On the **Credentials** tab, click **Next**.

   23. On the **Activation & Summary** tab, ensure your connection is enabled with the green toggle switch, and then click **Save**.

       ![A screen capture of the Activation & Summary tab in the administrative console.](_images/gud1593557327097.png)

### Troubleshooting

* For basic troubleshooting, see PingFederate [Troubleshooting](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_troubleshooting.html).

  Additional resources include:

  * [PingFederate discussion forum](https://support.pingidentity.com/s/topic/0TO1W000000Q9o7WAC/pingfederate)

  * [PingFederate docs](https://docs.pingidentity.com/pingfederate)

  * [Community discussion forums](https://support.pingidentity.com/s/community-home/)

  * Ping Identity [Support portal](https://support.pingidentity.com/s/)

* For user sign-on issues, identify whether the problem is on PingFederate or GlobalProtect.

  * Sign-on issues with PingFederate might be related to incorrect credentials. For more information, see your PingFederate logs.

  * If authentication completes successfully on PingFederate server and the SAML assertion is sent back to GlobalProtect:

    1. Check the NGFW authentication and system logs for the reason the assertion was rejected.

    2. Check that the IdP signing certificate is valid (not expired) and chains to a CA that is in the certificate profile on the NGFW.

    3. Check the clocks on both the NGFW and the PingFederate server, and the **Maximum Clock Skew** on the SAML Identity Provider Server Profile. A rejected assertion whose NotOnOrAfter has just passed usually means the NGFW clock is ahead of the PingFederate clock.
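The timestamp and audience checks in the last troubleshooting step can be reproduced offline, which is useful for deciding whether a rejection is a clock problem, a lifetime problem, or a wrong entity ID. The following function is an added example, not code from the guide or from either vendor; it approximates the checks the NGFW applies to an assertion's `Conditions` element using the **Maximum Clock Skew** value from the server profile. The assertion fragment is constructed (the issuer, audience and five-minute validity window are placeholders), and the reported clock offset assumes the assertion was evaluated immediately after issuance, so it includes network latency.

```python
"""Replay an assertion's timestamp and audience checks against the SP's clock.

Added example, not part of the Ping Identity guide or of either product.
The assertion below is a constructed sample.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: issued at 12:00:00Z with a window of five minutes either side.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" Version="2.0" IssueInstant="2024-05-01T12:00:00.000Z">
  <saml:Issuer>https://pingfed.example.com</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T11:55:00.000Z" NotOnOrAfter="2024-05-01T12:05:00.000Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://vpn.example.com:443/SAML20/SP</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(text):
    """SAML xs:dateTime values are UTC, with optional fractional seconds and a trailing Z."""
    text = text.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in text else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def evaluate(assertion_xml, now, max_skew_seconds=60, expected_audience=None):
    """Apply NotBefore/NotOnOrAfter with the given skew tolerance and an optional audience check.

    Returns a dict with 'accepted', the list of 'problems', and the apparent offset
    (SP clock minus IdP clock at issuance, in seconds; includes transit time).
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML)
    issued = parse_saml_time(root.get("IssueInstant"))
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    skew = timedelta(seconds=max_skew_seconds)
    problems = []

    # The SP's clock may be behind the IdP's by at most max_skew before NotBefore fails.
    if now + skew < not_before:
        ahead = (not_before - now).total_seconds()
        problems.append(f"NotBefore is {ahead:.0f}s in the SP's future (max skew {max_skew_seconds}s)")
    # The SP's clock may be ahead of the IdP's by at most max_skew before NotOnOrAfter fails.
    if now - skew >= not_on_or_after:
        late = (now - not_on_or_after).total_seconds()
        problems.append(f"NotOnOrAfter passed {late:.0f}s ago (max skew {max_skew_seconds}s)")
    if expected_audience is not None:
        audiences = [a.text for a in cond.findall(".//saml:Audience", SAML)]
        if expected_audience not in audiences:
            problems.append(f"Audience {audiences} does not include the SP entity ID {expected_audience!r}")

    return {"accepted": not problems,
            "problems": problems,
            "clock_offset_seconds": (now - issued).total_seconds()}


if __name__ == "__main__":
    sp_entity_id = "https://vpn.example.com:443/SAML20/SP"
    for clock in ("2024-05-01T12:00:30Z", "2024-05-01T12:07:00Z", "2024-05-01T11:52:00Z"):
        result = evaluate(ASSERTION, parse_saml_time(clock), 60, sp_entity_id)
        print(clock, "accepted" if result["accepted"] else result["problems"],
              f"offset={result['clock_offset_seconds']:+.0f}s")
```

A rejection that disappears when `max_skew_seconds` is raised from 60 to 300 is a clock problem; the fix is NTP on the NGFW and the PingFederate server, not a wider skew. A rejection that persists at any skew is a lifetime or audience problem and points at the assertion lifetime or the entity ID configured in the SP connection.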
