Use Cases

Integrating Pulse Connect Secure with PingFederate

Learn how to integrate Pulse Connect Secure with PingFederate for single sign-on (SSO).

Component

PingFederate 10.3

Before you begin

  • Configure a PingFederate data store. For more information, see Datastores.

  • Configure a PingFederate Password Credential Validator.

  • Configure a PingFederate HTML Form Adapter.

  • Configure a Pulse Connect Secure authentication realm for your users.

  • Configure a Pulse Connect Secure sign-on policy for your users.

Exporting SAML metadata from PingFederate

Steps

  1. Sign on to the PingFederate administrative console and go to System → Protocol Metadata → Metadata Export.

  2. On the Metadata Role tab, select I am the Identity Provider (IdP), and then click Next.

    A screen capture of the Metadata Role tab in the administrative console.
  3. On the Metadata Mode tab, select Select Information to Include in Metadata Manually, and then click Next.

    A screen capture of the Metadata Mode tab in the administrative console.
  4. On the Protocol tab, click Next until you reach the Signing Key tab, accepting the default values.

  5. On the Signing Key tab, select an available signing key from the Digital Signature Keys/Certs list, and then click Next. If none are available, click Manage Certificates to create a signing key, and then follow the on-screen instructions.

    Although you can use a self-signed certificate, a CA-signed certificate is recommended.

    A screen capture of Signing Key tab in the administrative console.
  6. Click Next until you reach the Export & Summary tab, accepting the default values on the Metadata Signing and XML Encryption Certificate tabs.

  7. On the Export & Summary tab, click Export and save the metadata.xml file. You will upload this file to Pulse Connect Secure in a later step.

    A screen capture of the Export & Summary tab in the administrative console.

Exporting the signing certificate from PingFederate

Steps

  1. Sign on to the PingFederate administrative console.

  2. Go to Security → Signing & Decryption Keys & Certificates.

  3. In the row of the certificate that you want to use to sign SAML assertions to Pulse Connect Secure, in the Select Action list, select Export.

  4. On the Export Certificate tab, click Certificate Only. Click Next.

  5. On the Export & Summary tab, click Export and save the file.

  6. Click Done.
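Before uploading the two exported files to Pulse Connect Secure, it is worth confirming that they belong together: the metadata.xml must describe an IdP role, advertise an HTTP-POST single sign-on endpoint, and carry the same signing certificate that was exported from Signing & Decryption Keys & Certificates. The following added example (not Ping Identity's code, and not part of this page) parses a constructed IdP metadata document and a constructed "Certificate Only" PEM export and compares SHA-256 fingerprints of the certificate bytes. The entity ID, hostnames and certificate bytes are placeholders; a real export contains a DER-encoded X.509 certificate, but the comparison logic is the same.

```python
"""Sanity-check an exported PingFederate IdP metadata.xml against the
separately exported signing certificate (added example, constructed data)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for DER certificate bytes; NOT a real X.509 certificate.
FAKE_CERT_DER = b"constructed-cert-bytes-for-demo-only"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# Constructed sample shaped like a PingFederate Metadata Export with the IdP
# role selected; entity ID and hostnames are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}" Location="https://idp.example.com/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="{POST_BINDING}" Location="https://idp.example.com/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed stand-in for the "Certificate Only" PEM export of the same key.
SAMPLE_EXPORTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n" + FAKE_CERT_B64 + "\n-----END CERTIFICATE-----\n"
)


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 over the DER bytes, the usual way to compare certificates."""
    return hashlib.sha256(der).hexdigest()


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body)


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull the entity ID, signing-cert fingerprints and SSO endpoints out of
    an IdP metadata document; fail loudly if the IdP role is missing."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: was the IdP role selected on export?")
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both uses.
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            signing_certs.append(base64.b64decode("".join(cert.text.split())))
    sso_urls = {
        s.get("Binding"): s.get("Location")
        for s in idp.findall("md:SingleSignOnService", NS)
    }
    return {
        "entity_id": root.get("entityID"),
        "signing_fingerprints": [sha256_fingerprint(c) for c in signing_certs],
        "sso_urls": sso_urls,
    }


def check_export(xml_text: str, exported_pem: str) -> dict:
    """Report whether the exported certificate is one of the metadata's
    signing certificates, plus the values you will see again in Pulse."""
    info = parse_idp_metadata(xml_text)
    exported_fp = sha256_fingerprint(pem_to_der(exported_pem))
    return {
        "entity_id": info["entity_id"],
        "post_sso_url": info["sso_urls"].get(POST_BINDING),
        "cert_matches_metadata": exported_fp in info["signing_fingerprints"],
        "exported_fingerprint": exported_fp,
    }


if __name__ == "__main__":
    for key, value in check_export(SAMPLE_METADATA, SAMPLE_EXPORTED_PEM).items():
        print(f"{key}: {value}")
```

To run it against real exports, read the two files into `xml_text` and `exported_pem` instead of the constructed samples. A `cert_matches_metadata` of False means the certificate you picked in Select Action → Export is not the one chosen on the Signing Key tab, and Pulse Connect Secure would reject assertions signed with the metadata's key; `post_sso_url` is the value you will select later in the Identity Provider Single Sign On Service URL list.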

Configuring SAML integration with PingFederate in Pulse Connect Secure

Steps

  1. In the Pulse Connect Secure administrative interface, go to System → Configuration → SAML.

    Screen capture of the Pulse Secure administrative console with the System tab selected.
  2. Click New Metadata Provider.

  3. Configure the new metadata provider:

    1. In the Name field, enter a name.

    2. In the Location field, select Local.

    3. In the Upload Metadata File field, click Browse and import the metadata file you saved in Exporting SAML metadata from PingFederate.

    4. In the Signing Certificate field, click Browse and select the certificate file you saved in Exporting the signing certificate from PingFederate.

    5. In the Roles field, select the Identity Provider check box.

    6. Click Save Changes.

      Screen capture of the Pulse Secure administrative console with the New Metadata Provider configuration fields displaying.
  4. In the Pulse Connect Secure administrative interface, go to Authentication → Auth Servers.

    Screen capture of the Pulse Secure administrative console with the Authentication > Auth Servers screen displaying.
  5. In the list, select SAML Server and then click New Server.

    Screen capture of the Server Type list with the SAML Server highlighted in blue.
  6. Configure the new server:

    1. Enter a Server Name.

    2. For SAML Version, click 2.0.

    3. For Configuration Mode, click Metadata.

    4. In the Identity Provider Entity ID list, select the identity provider (IdP) that you created in the previous steps.

    5. In the Identity Provider Single Sign On Service URL list, select the appropriate SSO URL.

      Screen capture of the Pulse Secure administrative console with the New Server configuration page showing the Settings section.
    6. In the SSO Method section, click POST.

    7. In the Select Certificate list, select the signing certificate you created previously.

    8. In the Metadata Validity field, enter any non-zero value.

      You must populate the Metadata Validity field even though it won’t be used.

    9. Select the Do Not Publish Connect Secure Metadata check box.

    10. Click Save Changes.

      Screen capture of the Pulse Secure administrative console with the New Server configuration page showing the SSO Method, Service Provider Metadata Settings, and User Record Synchronization sections.
  7. Click Download Metadata and save the file.

  8. In the Pulse Connect Secure administrative interface, go to Users → User Realms.

    Screen capture of the Pulse Secure interface with the User Realms page displaying.
    1. Select the authentication realm for your user population.

      Screen capture of the User Authentication Realms page of Pulse Secure.
    2. In the Authentication list, select the IdP that you configured.

      Screen capture of the General tab of the User Realms section of the Pulse Secure console.
    3. Click Save Changes.

Configuring SAML integration with Pulse Connect Secure in PingFederate

Steps

  1. In the PingFederate administrative console, go to Applications → Integration → SP Connections.

  2. Click Create Connection.

    Screen capture of the administrative console on the SP Connection page displaying the Create Connection and Import Connection buttons.
  3. On the Connection Template tab, click Do not use a template for this connection. Click Next.

  4. On the Connection Type tab, select the Browser SSO Profiles check box.

  5. In the Protocol list, select SAML 2.0 and click Next.

  6. On the Connection Options tab, click Next.

  7. On the Import Metadata tab, click File and then choose the metadata file that you downloaded previously. Click Next.

    Screen capture of the administrative console on the Import Metadata tab for creating an SP connection.
  8. On the Metadata Summary tab, review the EntityID field and click Next.

  9. On the General Info tab, review the imported Base URL field, then click Next.

    Screen capture of the administrative console on the General Info tab for creating an SP connection.
  10. On the Browser SSO tab, click Configure Browser SSO.

    Screen capture of the administrative console on the Browser SSO tab for configuring a browser SSO.

    Result:

    The tabs for the Browser SSO section display.

  11. Configure the browser SSO:

    1. On the SAML Profiles tab, select the SP-Initiated SSO check box. Click Next.

      Screen capture of the administrative console on the SAML Profiles tab for configuring a browser SSO.
    2. On the Assertion Lifetime tab, accept the default values and click Next.

    3. On the Assertion Creation tab, click Configure Assertion Creation.

      Screen capture of the administrative console on the Assertion Creation tab for configuring a browser SSO with the Configure Assertion Creation button available.

      Result:

      The tabs for the Assertion Creation section display.

  12. Configure the assertion creation:

    1. On the Identity Mapping tab, click Next.

    2. On the Attribute Contract tab, click Next.

    3. On the Authentication Source Mapping tab, click Map New Adapter Instance.

      Screen capture of the administrative console on the Authentication Source Mapping tab for configuring an assertion creation.

      Result:

      The tabs for the IdP Adapter Mapping section display.

  13. Configure the IdP adapter mapping:

    1. On the Adapter Instance tab, select the HTML form adapter that you created. Click Next.

      Screen capture of the PingFederate administrative console on the Adapter Instance tab.
    2. On the Mapping Method tab, click Next.

    3. On the Attribute Contract Fulfillment tab, in the Source list, select Adapter, and in the Value list, select username. Click Next.

      Screen capture of the administrative console on the Attribute Contract Fulfillment tab.
    4. On the Issuance Criteria tab, click Next.

    5. On the Summary tab, click Done.

      Result:

      You return to the Assertion Creation section.

  14. On the Authentication Source Mapping tab, click Next.

  15. On the Summary tab, click Done.

    Result:

    You return to the Browser SSO section.

  16. On the Assertion Creation tab, click Next.

  17. On the Protocol Settings tab, click Configure Protocol Settings.

    Result:

    The tabs for the Protocol Settings section display.

  18. Configure the protocol settings:

    1. On the Assertion Consumer Service URL tab, review the Endpoint URL value. Click Next.

      Screen capture of the administrative console on the Assertion Consumer Service URL tab showing the Endpoint URL for a POST binding.
    2. On the Allowable SAML Bindings tab, ensure that POST and REDIRECT are the only values checked. Click Next.

    3. On the Signature Policy tab, click Next.

    4. On the Encryption Policy tab, click Next.

    5. On the Summary tab, click Done.

      Result:

      You return to the Browser SSO section.

  19. On the Protocol Settings tab, click Next.

  20. On the Summary tab, click Done.

    Result:

    You return to the SP Connection section.

  21. On the Browser SSO tab, click Next.

  22. On the Credentials tab, click Configure Credentials.

    Screen capture of the administrative console on the Credentials tab showing the Configure Credentials button.

    Result:

    The tabs for the Credentials section display.

  23. Configure the credentials:

    1. On the Digital Signature Settings tab, select the Signing Certificate that you chose in Exporting the signing certificate from PingFederate. Click Next.

      Screen capture of the administrative console on the Digital Signature Settings tab with the Manage Certificates button available.
    2. On the Summary tab, click Done.

      Result:

      You return to the SP Connection section.

  24. On the Credentials tab, click Next.

  25. On the Activation & Summary tab, click Save.

    Screen capture of the administrative console on the Activation & Summary tab of the SP Connection section.