Importing the NGFW Metadata into PingFederate
To complete the integration, import the metadata file from NGFW and finish the service provider (SP) configuration in PingFederate.
Steps
- Create an SP in PingFederate, and import the NGFW metadata file.
  - In the PingFederate administrative console, go to Applications → Integration → SP Connections, and then click Create Connection.
  - On the Connection Template tab, select Do Not Use a Template for This Connection, and then click Next.
  - On the Connection Type tab, select the Browser SSO Profiles check box, and select SAML 2.0 from the Protocol list. Click Next.
  - On the Connection Options tab, accept the default selection and click Next.
  - On the Import Metadata tab, select the File check box and then click Choose File. Select the NGFW metadata file from step 4 of Configuring a SAML Integration with PingFederate in NGFW, and then click Next.
  - On the Metadata Summary tab, ensure the imported EntityID field is correct, and then click Next.
  - On the General Info tab, review the imported Base URL field, and then click Next.
  - On the Browser SSO tab, click Configure Browser SSO.
  - On the SAML Profiles tab, select the SP-Initiated SSO check box, and then click Next.
  - On the Assertion Lifetime tab, accept the default values and click Next.
  - On the Assertion Creation tab, click Configure Assertion Creation.
  - Click Next until you reach the Authentication Source Mapping tab, accepting the default values.
  - On the Authentication Source Mapping tab, an Adapter Instance or Authentication Policy Contract must exist. Click Map New Adapter Instance.
  - On the Adapter Instance tab, select HTML Form Adapter from the Adapter Instance list, and then click Next.
  - On the Mapping Method tab, accept the default values and click Next.
  - On the Attribute Contract Fulfillment tab, select Adapter from the Source list and select username from the Value list. Click Next.
  - Click Next and Done until you return to the Protocol Settings tab, accepting the default values. Click Configure Protocol Settings.
  - On the Assertion Consumer Service URL tab, ensure that the Endpoint URL is correct, and then click Next.
  - On the Allowable SAML Bindings tab, select POST and then click Next.
  - Click Next and Done until you return to the Credentials tab. Click Configure Credentials.
  - On the Digital Signature Settings tab, select a signing certificate from the Signing Certificate list. Click Done.
  - On the Credentials tab, click Next.
  - On the Activation & Summary tab, ensure your connection is enabled with the green toggle switch, and then click Save.
-
Troubleshooting
- For basic troubleshooting, see Troubleshooting.
- For documentation and Knowledge Base articles, see the Ping Identity Support portal.
- More information and troubleshooting can be found in the Ping Identity product documentation.
- For user sign-on issues, identify whether the problem is on PingFederate or GlobalProtect.
  - Sign-on issues with PingFederate might be related to incorrect credentials. For more information, see your PingFederate logs.
  - If authentication completes successfully on the PingFederate server and the SAML assertion is sent back to GlobalProtect:
    - Check the Palo Alto Networks support logs.
    - Check that the certificate is valid and trusted by the NGFW instance.
    - Check the clock on both the NGFW and the PingFederate server, and the clock skew on the SAML Identity Provider Server Profile.
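Two of the checks above (the EntityID and HTTP-POST ACS URL that PingFederate imports from the NGFW metadata, and the clock-skew tolerance applied to an assertion's validity window) can be reproduced offline. The following is an added example, not code from Palo Alto Networks or Ping Identity; the metadata document is constructed for illustration and the hostnames are placeholders.

```python
"""Offline sanity checks for an NGFW SP metadata file and SAML assertion timing."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of an SP metadata export (placeholder hostnames).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://gp.example.com:443/SAML20/SP">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://gp.example.com:443/SAML20/SP/ACS" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://gp.example.com:443/SAML20/SP/Artifact" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_summary(metadata_xml: str) -> dict:
    """Return the entityID and the HTTP-POST ACS URLs, i.e. what the Metadata Summary
    and Assertion Consumer Service URL tabs should show after the import."""
    root = ET.fromstring(metadata_xml)
    services = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    post_urls = [s.get("Location") for s in services if s.get("Binding") == POST_BINDING]
    return {"entity_id": root.get("entityID"), "post_acs_urls": post_urls}


def assertion_time_ok(not_before: str, not_on_or_after: str,
                      sp_now: str, skew_seconds: int) -> bool:
    """Apply the SP's clock-skew tolerance to the assertion's Conditions window.
    Timestamps are ISO 8601 strings with an explicit UTC offset (e.g. +00:00)."""
    skew = timedelta(seconds=skew_seconds)
    nb = datetime.fromisoformat(not_before)
    noa = datetime.fromisoformat(not_on_or_after)
    now = datetime.fromisoformat(sp_now)
    # NotBefore is inclusive, NotOnOrAfter is exclusive; skew widens both edges.
    return (nb - skew) <= now < (noa + skew)


if __name__ == "__main__":
    print(sp_summary(SAMPLE_METADATA))
    # An SP clock 90 s behind the IdP fails with a 60 s tolerance and passes with 120 s.
    for skew in (60, 120):
        print(skew, assertion_time_ok("2024-01-01T12:00:00+00:00", "2024-01-01T12:05:00+00:00",
                                      "2024-01-01T11:58:30+00:00", skew))
```

If the entityID or POST ACS URL printed here differs from what the PingFederate tabs show, the wrong metadata file was imported; if the timing check fails only at the configured tolerance, the clocks or the skew setting on the SAML Identity Provider Server Profile are the first thing to look at.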