Use Cases

Configuring a SAML Integration with PingFederate in NGFW

Steps

  1. Configure the SAML IdP server profile in NGFW.

    1. Sign on to Palo Alto Networks NGFW as an administrator, and then go to the Device tab.

    2. To import the metadata from PingFederate, go to Server Profiles → SAML Identity Provider, and then click Import.

    3. Enter a name in the Profile Name field, and then click Browse and select the metadata.xml file from step 7 of Exporting the SAML Metadata from PingFederate.

      A screen capture of the SAML Identity Provider Server Profile Import window in Palo Alto NGFW.
    4. Optional: If you are using a self-signed certificate in PingFederate, clear the Validate Identity Provider Certificate check box.

      A screen capture of the SAML Identity Provider Server Profile Import window in Palo Alto NGFW.
    5. Click OK.

    6. Click on your newly-created profile to open it.

    7. Select the Post check box for both SAML HTTP Binding for SSO Requests to IDP and SAML HTTP Binding for SLO Requests to IDP.

      A screen capture of the SAML Identity Provider Server Profile window in Palo Alto NGFW.
    8. Optional: Adjust the clock skew in the Maximum Clock Skew (seconds) field.

    9. Click OK.

  2. Create the authentication profile in NGFW.

    1. In Palo Alto Networks NGFW, go to the Device tab, and then click Authentication Profile.

    2. Click Add, and enter a profile name in the Name field.

    3. From the Type list, select SAML.

    4. From the IdP Server Profile list, select the SAML profile from step #/server_profile.

    5. From the Certificate for Signing Requests list, select the certificate of your GlobalProtect portal that you have created prior to this configuration. This will be used to sign the SAML message to the IdP.

    6. From the Certificate Profile list, select the certificate profile that you have created prior to this configuration.

      When using a CA-signed certificate in PingFederate, import the root CA in Device → Certificates, and include it in the certificate profile.

      A screen capture of the Authentication Profile window in Palo Alto NGFW.

      If you want to add multi-factor authentication (MFA), we recommend adding it from the PingFederate administrative console.

    7. Go to the Advanced tab, and then click Add.

    8. Select the groups that you want to be included in this Authentication Profile, and then click OK.

      A screen capture of the Authentication window in Palo Alto NGFW.
  3. Add the authentication profile to the GlobalProtect Portal.

    1. In Palo Alto Networks NGFW, go to Network → GlobalProtect → Portals, and then select the portal that you want to configure.

      For information on creating a portal, see Set Up Access to the GlobalProtect Portal.

    2. Under Server Authentication, select the ssl service profile to the portal.

    3. Under Client Authentication, click Add.

    4. In the Client Authentication window, enter a name in the Name field. From the Authentication Profile list, select the authentication profile from step #/auth-profile.

      A screen capture of the Client Authentication window in Palo Alto NGFW.
    5. Optional: From the Allow Authentication with User Credentials OR Client Certificate list, select Yes.

    6. Click OK.

    7. Go to the Agent tab and set the trusted root CA.

    8. Under Agent, click Add.

    9. On the Authentication tab, enter a name in the Name field. From the Save User Credentials list, select Save Username Only.

      A screen capture of the Configs window in Palo Alto NGFW.
    10. Go to the External tab. Under External Gateways, click Add.

    11. Enter a name in the Name field, and then enter the FQDN or IP address for the agent.

      A screen capture of the External Gateway window in Palo Alto NGFW.
    12. Go to the App tab and review your configuration. Make any changes if required, and then click OK.

      Make sure the Gateway is configured. For more information, see Configure a GlobalProtect Gateway.

  4. Export the metadata file from NGFW.

    1. Click the Metadata link of the authentication profile from step #/auth-profile.

      A screen capture showing the Metadata link alongside the authentication profile.
    2. From the Service list, select global-protect.

    3. From the Virtual System list, select the virtual system.

    4. In the IP or Hostname field, select the URL of your GlobalProtect portal, and then click OK.

      A screen capture of the SAML Metadata Export window in Palo Alto NGFW.