---
title: Configuring a SAML Integration with PingFederate in NGFW
description: Configure the SAML IdP server profile in NGFW.
component: solution-guides
page_id: solution-guides:single_sign-on_use_cases:htg_config_sso_globalprotect_vpn_pf_saml_ngfw
canonical_url: https://docs.pingidentity.com/solution-guides/single_sign-on_use_cases/htg_config_sso_globalprotect_vpn_pf_saml_ngfw.html
revdate: May 1, 2024
section_ids:
  steps: Steps
---

# Configuring a SAML Integration with PingFederate in NGFW

## Steps

1. Configure the SAML IdP server profile in NGFW.

   1. Sign on to Palo Alto Networks NGFW as an administrator, and then go to the **Device** tab.

   2. To import the metadata from PingFederate, go to **Server Profiles → SAML Identity Provider**, and then click **Import**.

   3. Enter a name in the **Profile Name** field, and then click **Browse** and select the `metadata.xml` file from step 7 of [Exporting the SAML Metadata from PingFederate](htg_config_sso_globalprotect_vpn_pf_export_saml_metadata.html).

      ![A screen capture of the SAML Identity Provider Server Profile Import window in Palo Alto NGFW.](_images/jhe1593476209245.png)

   4. **Optional:** If you are using a self-signed certificate in PingFederate, clear the **Validate Identity Provider Certificate** checkbox.

      ![A screen capture of the SAML Identity Provider Server Profile Import window in Palo Alto NGFW.](_images/uen1597963918494.png)

   5. Click **OK**.

   6. Click your newly created profile to open it.

   7. Select the **Post** checkbox for both **SAML HTTP Binding for SSO Requests to IDP** and **SAML HTTP Binding for SLO Requests to IDP**.

      ![A screen capture of the SAML Identity Provider Server Profile window in Palo Alto NGFW.](_images/xoo1597964619772.png)

   8. **Optional:** Adjust the clock skew in the **Maximum Clock Skew (seconds)** field.

   9. Click **OK**.

2. Create the authentication profile in NGFW.

   1. In Palo Alto Networks NGFW, go to the **Device** tab, and then click **Authentication Profile**.

   2. Click **Add**, and enter a profile name in the **Name** field.

   3. From the **Type** list, select **SAML**.

   4. From the **IdP Server Profile** list, select the SAML profile.

   5. From the **Certificate for Signing Requests** list, select the GlobalProtect portal certificate that you created before starting this configuration. NGFW uses this certificate to sign the SAML messages that it sends to the IdP.

   6. From the **Certificate Profile** list, select the certificate profile that you created before starting this configuration.

      When using a CA-signed certificate in PingFederate, import the root CA in **Device → Certificates**, and include it in the certificate profile.

      ![A screen capture of the Authentication Profile window in Palo Alto NGFW.](_images/hdr1593539204670.png)

      If you want to add multi-factor authentication (MFA), we recommend adding it from the PingFederate administrative console.

   7. Go to the **Advanced** tab, and then click **Add**.

   8. Select the groups that you want to be included in this Authentication Profile, and then click **OK**.

      ![A screen capture of the Authentication window in Palo Alto NGFW.](_images/zwo1593539719142.png)

3. Add the authentication profile to the GlobalProtect Portal.

   1. In Palo Alto Networks NGFW, go to **Network → GlobalProtect → Portals**, and then select the portal that you want to configure.

      For information on creating a portal, see [Set Up Access to the GlobalProtect Portal](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-portals/set-up-access-to-the-globalprotect-portal).

   2. Under **Server Authentication**, select the SSL/TLS service profile for the portal.

   3. Under **Client Authentication**, click **Add**.

   4. In the **Client Authentication** window, enter a name in the **Name** field. From the **Authentication Profile** list, select the authentication profile.

      ![A screen capture of the Client Authentication window in Palo Alto NGFW.](_images/xej1593540104445.png)

   5. **Optional:** From the **Allow Authentication with User Credentials OR Client Certificate** list, select **Yes**.

   6. Click **OK**.

   7. Go to the **Agent** tab and set the trusted root CA.

   8. Under **Agent**, click **Add**.

   9. On the **Authentication** tab, enter a name in the **Name** field. From the **Save User Credentials** list, select **Save Username Only**.

      ![A screen capture of the Configs window in Palo Alto NGFW.](_images/fts1593540204970.png)

   10. Go to the **External** tab. Under **External Gateways**, click **Add**.

   11. Enter a name in the **Name** field, and then enter the FQDN or IP address for the agent.

       ![A screen capture of the External Gateway window in Palo Alto NGFW.](_images/tjs1593540477645.png)

   12. Go to the **App** tab and review your configuration. Make any changes if required, and then click **OK**.

       Make sure the Gateway is configured. For more information, see [Configure a GlobalProtect Gateway](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/configure-a-globalprotect-gateway).

4. Export the metadata file from NGFW.

   1. Click the **Metadata** link of the authentication profile.

      ![A screen capture showing the Metadata link alongside the authentication profile.](_images/ars1593541453709.png)

   2. From the **Service** list, select **global-protect**.

   3. From the **Virtual System** list, select the virtual system.

   4. In the **IP or Hostname** field, select the URL of your GlobalProtect portal, and then click **OK**.

      ![A screen capture of the SAML Metadata Export window in Palo Alto NGFW.](_images/qpb1593541555986.png)
