Use Cases

Importing the NGFW Metadata into PingFederate

To complete the integration, import the metadata file from NGFW and finish the service provider (SP) configuration in PingFederate.

Steps

  1. Create an SP in PingFederate, and import the NGFW metadata file.

    1. In the PingFederate administrative console, go to Applications → Integration → SP Connections, and then click Create Connection.

      A screen capture of the SP Connections window in the administrative console.
    2. On the Connection Template tab, select Do Not Use a Template for This Connection, and then click Next.

    3. On the Connection Type tab, select the Browser SSO Profiles check box, and select SAML 2.0 from the Protocol list. Click Next.

    4. On the Connection Options tab, accept the default selection and click Next.

    5. On the Import Metadata tab, select the File check box and then click Choose File. Select the NGFW metadata file from step 4 of Configuring a SAML Integration with PingFederate in NGFW, and then click Next.

      A screen capture of the Import Metadata tab in the administrative console.
    6. On the Metadata Summary tab, ensure the imported EntityID field is correct, and then click Next.

    7. On the General Info tab, review the imported Base URL field, and then click Next.

      A screen capture of the General Info tab in the administrative console.
    8. On the Browser SSO tab, click Configure Browser SSO.

      A screen capture of the Browser SSO tab in the administrative console.
    9. On the SAML Profiles tab, select the SP-Initiated SSO check box, and then click Next.

      A screen capture of the SAML Profiles tab in the administrative console.
    10. On the Assertion Lifetime tab, accept the default values and click Next.

    11. On the Assertion Creation tab, click Configure Assertion Creation.

      A screen capture of the Assertion Creation tab in the administrative console.
    12. Click Next until you reach the Authentication Source Mapping tab, accepting the default values.

    13. On the Authentication Source Mapping tab, an Adapter Instance or Authentication Policy Contract must exist. Click Map New Adapter Instance.

      A screen capture of the Authentication Source Mapping tab in the administrative console.
    14. On the Adapter Instance tab, select HTML Form Adapter from the Adapter Instance list, and then click Next.

      A screen capture of the Adapter Instance tab in the administrative console.
    15. On the Mapping Method tab, accept the default values and click Next.

    16. On the Attribute Contract Fulfillment tab, select Adapter from the Source list and select username from the Value list. Click Next.

      A screen capture of the Attribute Contract Fulfillment tab in the administrative console.
    17. Click Next and Done until you return to the Protocol Settings tab, accepting the default values. Click Configure Protocol Settings.

    18. On the Assertion Consumer Service URL tab, ensure that the Endpoint URL is correct, and then click Next.

      A screen capture of the Assertion Consumer Service URL tab in the administrative console.
    19. On the Allowable SAML Bindings tab, select POST and then click Next.

      A screen capture of the Allowable SAML Bindings tab in the administrative console.
    20. Click Next and Done until you return to the Credentials tab. Click Configure Credentials.

      A screen capture of the Credentials tab in the administrative console.
    21. On the Digital Signature Settings tab, select a signing certificate from the Signing Certificate list. Click Done.

      A screen capture of the Digital Signature Settings tab in the administrative console.
    22. On the Credentials tab, click Next.

    23. On the Activation & Summary tab, ensure your connection is enabled with the green toggle switch, and then click Save.

      A screen capture of the Activation & Summary tab in the administrative console.

Troubleshooting

  • For basic troubleshooting, see Troubleshooting.

  • For documentation and Knowledge Base articles, see the Ping Identity Support portal.

  • More information and troubleshooting can be found in the Ping Identity product documentation.

  • For user sign-on issues, identify whether the problem is on PingFederate or GlobalProtect.

    • Sign-on issues with PingFederate might be related to incorrect credentials. For more information, see your PingFederate logs.

    • If authentication completes successfully on the PingFederate server and the SAML assertion is sent back to GlobalProtect:

      1. Check the Palo Alto Networks support logs.

      2. Check if the certificate is valid and trusted by the NGFW instance.

      3. Check the clock on both the NGFW and the PingFederate server, and the clock skew on the SAML Identity Provider Server Profile.
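The values the wizard asks you to verify by eye (the imported EntityID on the Metadata Summary tab, the Endpoint URL on the Assertion Consumer Service URL tab, the POST binding) and the clock-skew check in the last troubleshooting step can be confirmed with a small script. The following Python example is added here and is not Ping Identity or Palo Alto Networks code; the SP metadata, the SAML Response and the hostnames (`vpn.example.com`, `idp.example.com`) are constructed stand-ins for the file exported from the NGFW and for a response captured from the browser. It reads the entityID and HTTP-POST ACS URL out of the metadata, then checks that a response's Destination and Audience match them and that the assertion's NotBefore/NotOnOrAfter window holds under a configurable skew. Signature verification is deliberately out of scope; in a real check, verify the signature against the PingFederate signing certificate first and parse untrusted XML with a hardened parser such as defusedxml.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata standing in for the NGFW export (hostnames are hypothetical).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vpn.example.com:443/SAML20/SP">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example.com:443/SAML20/SP/ACS" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, unsigned SAML Response; a real one must be signature-checked before use.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://vpn.example.com:443/SAML20/SP/ACS" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://vpn.example.com:443/SAML20/SP</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_sp_metadata(xml_text):
    """Return (entityID, ACS URL) for the HTTP-POST binding: the two values the
    Metadata Summary and Assertion Consumer Service URL tabs ask you to confirm."""
    root = ET.fromstring(xml_text)
    entity_id = root.attrib["entityID"]
    for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        if acs.attrib.get("Binding") == POST_BINDING:
            return entity_id, acs.attrib["Location"]
    raise ValueError("no HTTP-POST AssertionConsumerService in metadata")


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, entity_id, acs_url, now, skew_seconds=60):
    """Return a list of problems; an empty list means the response passes these checks.
    skew_seconds mirrors the clock-skew tolerance on the SAML IdP Server Profile."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.attrib.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL from metadata")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["no Conditions element"]
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != entity_id:
        problems.append("Audience does not match the SP entityID")
    if "NotBefore" not in cond.attrib or "NotOnOrAfter" not in cond.attrib:
        return problems + ["validity window not set"]
    # NotBefore is inclusive, NotOnOrAfter exclusive; widen both by the allowed skew.
    skew = timedelta(seconds=skew_seconds)
    if now + skew < parse_saml_time(cond.attrib["NotBefore"]):
        problems.append("assertion not yet valid (check clocks / allowed skew)")
    if now - skew >= parse_saml_time(cond.attrib["NotOnOrAfter"]):
        problems.append("assertion expired (check clocks / assertion lifetime)")
    return problems


if __name__ == "__main__":
    eid, acs = parse_sp_metadata(SP_METADATA)
    print("entityID:", eid)
    print("ACS URL :", acs)
    now = parse_saml_time("2024-01-01T12:06:30Z")
    print("skew 60s :", check_response(SAML_RESPONSE, eid, acs, now, 60))
    print("skew 120s:", check_response(SAML_RESPONSE, eid, acs, now, 120))
```

Run it with the real metadata file and a response saved from the browser's SAML trace to see which of the three common failure causes (wrong EntityID or ACS URL, or clocks drifted beyond the configured skew) applies; the last two print lines show the same response being rejected at 60 seconds of skew and accepted at 120.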