--- title: Integrating Pulse Connect Secure with PingFederate description: Learn how to integrate Pulse Connect Secure with PingFederate for single sign-on (SSO). component: solution-guides page_id: solution-guides:workforce_use_cases:htg_integrate_pulse_connect_secure_with_pf canonical_url: https://docs.pingidentity.com/solution-guides/workforce_use_cases/htg_integrate_pulse_connect_secure_with_pf.html revdate: April 13, 2025 page_aliases: ["workforce_use_cases:htg_integrate_pulse_connect_secure_with_pf_metadata.adoc", "workforce_use_cases:htg_integrate_pulse_connect_secure_with_pf_signing_cert.adoc", "workforce_use_cases:htg_integrate_pulse_connect_secure_with_pf_saml_pf.adoc", "workforce_use_cases:htg_integrate_pulse_connect_secure_with_pf_saml_pcs.adoc"] section_ids: component: Component before-you-begin: Before you begin exporting-saml-metadata-from-pingfederate: Exporting SAML metadata from PingFederate steps: Steps exporting-signing-cert-from-pingfed: Exporting the signing certificate from PingFederate steps-2: Steps configuring-saml-integration-with-pingfederate-in-pulse-connect-secure: Configuring SAML integration with PingFederate in Pulse Connect Secure steps-3: Steps configuring-saml-integration-with-pulse-connect-secure-in-pingfederate: Configuring SAML integration with Pulse Connect Secure in PingFederate steps-4: Steps result: Result: result-2: Result: result-3: Result: result-4: Result: result-5: Result: result-6: Result: result-7: Result: result-8: Result: result-9: Result: result-10: Result: --- # Integrating Pulse Connect Secure with PingFederate Learn how to integrate Pulse Connect Secure with PingFederate for single sign-on (SSO). ## Component PingFederate 10.3 ## Before you begin * Configure a PingFederate data store. Learn more in [Datastores](https://docs.pingidentity.com/pingfederate/latest/introduction_to_pingfederate/pf_datastores.html). * Configure a PingFederate [Password Credential Validator](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_passwordcredentialvalidatortasklet_passwordcredentialvalidatormgmtstate.html). * Configure a PingFederate [HTML Form Adapter](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_html_form_adapt.html). * Configure a Pulse Connect Secure authentication realm for your users. * Configure a Pulse Connect Secure sign-on policy for your users. ## Exporting SAML metadata from PingFederate ### Steps 1. Sign on to the PingFederate administrative console and go to **System → Protocol Metadata → Metadata Export**. 2. On the **Metadata Role** tab, select **I am the Identity Provider (IdP)**, and then click **Next**. ![A screen capture of the Metadata Role tab in the administrative console.](../_images/zbi1593474042547.png) 3. On the **Metadata Mode** tab, select **Select Information to Include in Metadata Manually**, and then click **Next**. ![A screen capture of the Metadata Mode tab in the administrative console.](../_images/pvo1593474233350.png) 4. On the **Protocol** tab, click **Next** until you reach the **Signing Key** tab, accepting the default values. 5. On the **Signing Key** tab, select an available signing key from the **Digital Signature Keys/Certs** list, and then click **Next**. If none are available, click **Manage Certificates** to create a signing key, and then follow the on-screen instructions. | | | | - | --------------------------------------------------------------------------------------- | | | Although you can use a self-signed certificate, a CA-signed certificate is recommended. | ![A screen capture of Signing Key tab in the administrative console.](../_images/sga1593474593063.png) 6. Click **Next** until you reach the **Export & Summary** tab, accepting the default values on the **Metadata Signing** and **XML Encryption Certificate** tabs. 7. On the **Export & Summary** tab, click **Export** and save the `metadata.xml` file. You will upload this file to Palo Alto Networks NGFW in the next step. ![A screen capture of the Export & Summary tab in the administrative console.](../_images/lfe1593474764679.png) ## Exporting the signing certificate from PingFederate ### Steps 1. Sign on to the PingFederate administrative console. 2. Go to **Security > Signing & Decryption Keys & Certificates**. 3. In the row of the certificate that you want to use to sign SAML assertions to Pulse Connect Secure, in the **Select Action** list, select **Export**. 4. On the **Export Certificate** tab, click **Certificate Only**. Click **Next**. 5. On the **Export & Summary** tab, click **Export** and save the file. 6. Click **Done**. ## Configuring SAML integration with PingFederate in Pulse Connect Secure ### Steps 1. In the Pulse Connect Secure administrative interface, go to **System > Configuration > SAML**. ![Screen capture of the Pulse Secure administrative console with the System tab selected.](_images/urf1624994919729.png) 2. Click **New Metadata Provider**. 3. Configure the new metadata provider: 1. In the **Name** field, enter a name. 2. In the **Location** field, select **Local**. 3. In the **Upload Metadata File** field, click **Browse** and import the metadata file you saved in [Configuring SSO for GlobalProtect VPN with PingFederate](../single_sign-on_use_cases/htg_config_sso_globalprotect_vpn_pf.html) 4. In the **Signing Certificate** field, click **Browse** and select the certificate file you saved in the previous topic [Exporting the signing certificate from PingFederate](#exporting-signing-cert-from-pingfed). 5. In the **Roles** field, select the **Identity Provider** checkbox. 6. Click **Save Changes**. ![Screen capture of the Pulse Secure administrative console with the New Metadata Provider configuration fields displaying.](_images/dif1624995640138.png) 4. In the Pulse Connect Secure administrative interface, go to **Authentication > Auth Servers**. ![Screen capture of the Pulse Secure administrative console with the Authentication > Auth Servers screen displaying.](_images/wjw1624995770764.png) 5. In the list, select **SAML Server** and then click **New Server**. ![Screen capture of the Server Type list with the SAML Server highlighted in blue.](_images/irt1624995943394.png) 6. Configure the new server: 1. Enter a **Server Name**. 2. For **SAML Version**, click **2.0**. 3. For **Configuration Mode**, click **Metadata**. 4. In the **Identity Provider Entity ID** list, select the identity provider (IdP) that you created in the previous steps. 5. In the **Identity Provider Single Sign On Service URL** list, select the appropriate SSO URL. ![Screen capture of the Pulse Secure administrative console with the New Server configuration page showing the Settings section.](_images/uyg1624998296188.png) 6. In the **SSO Method** section, click **POST**. 7. In the **Select Certificate** list, select the signing certificate you created previously. 8. In the **Metadata Validity** field, enter any non-zero value. | | | | - | ------------------------------------------------------------------------------- | | | You must populate the **Metadata Validity** field even though it won't be used. | 9. Select the **Do Not Publish Connect Secure Metadata** checkbox. 10. Click **Save Changes**. ![Screen capture of the Pulse Secure administrative console with the New Server configuration page showing the SSO Method, Service Provider Metadata Settings, and User Record Synchronization sections.](_images/pnw1624998406067.png) 11. Click **Download Metadata** and save the file. 12. In the Pulse Connect Secure administrative interface, go to **Users > User Realms**. ![Screen capture of the Pulse Secure interface with the User Realms page displaying.](_images/ljq1624998579805.png) 13. Select the authentication realm for your user population. ![Screen capture of the User Authentication Realms page of Pulse Secure.](_images/tri1625595774165.png) 14. In the **Authentication** list, select the IdP that you configured. ![Screen capture of the General tab of the User Realms section of the Pulse Secure console.](_images/hqx1625595929818.png) 15. Click **Save Changes**. ## Configuring SAML integration with Pulse Connect Secure in PingFederate ### Steps 1. In the PingFederate administrative console, go to **Applications > Integration > SP Connections**. 2. Click **Create Connection**. ![Screen capture of the administrative console on the SP Connection page displaying the Create Connection and Import Connection buttons.](_images/nxq1625679939156.png) 3. On the **Connection Template** tab, click **Do not use a template for this connection**. Click **Next**. 4. On the **Connection Type** tab, select the **Browser SSO Profiles** checkbox. 5. In the **Protocol** list, select **SAML 2.0** and click **Next**. 6. On the **Connection Options** tab, click **Next**. 7. On the **Import Metadata** tab, click **File** and then choose the metadata file that you downloaded previously. Click **Next**. ![Screen capture of the administrative console on the Import Metadata tab for creating an SP connection.](_images/pfn1625680046607.png) 8. On the **Metadata Summary** tab, review the **EntityID** field and click **Next**. 9. On the **General Info** tab, review the imported **Base URL** field, then click **Next**. ![Screen capture of the administrative console on the General Info tab for creating an SP connection.](_images/olp1625680129605.png) 10. On the**Browser SSO** tab, click **Configure Browser SSO**. ![Screen capture of the administrative console on the Browser SSO tab for configuring a browser SSO.](_images/nnx1625680222533.png) #### Result: The tabs for the **Browser SSO** section display. 11. Configure the browser SSO: 1. On the **SAML Profiles** tab, select the **SP-Initiated SSO** checkbox. Click **Next**. ![Screen capture of the administrative console on the SAML Profiles tab for configuring a browser SSO.](_images/vlv1625680312534.png) 2. On the **Assertion Lifetime** tab, accept the default values and click **Next**. 3. On the **Assertion Creation** tab, click **Configure Assertion Creation**. ![Screen capture of the administrative console on the Assertion Creation tab for configuring a browser SSO with the Configure Assertion Creation button available.](_images/elq1625680405984.png) #### Result: The tabs for the **Assertion Creation** section display. 12. Configure the assertion creation: 1. On the **Identity Mapping** tab, click **Next**. 2. On the **Attribute Contract** tab, click **Next**. 3. On the **Authentication Source Mapping** tab, click **Map New Adapter Instance**. ![Screen capture of the administrative console on the Authentication Source Mapping tab for configuring an assertion creation.](_images/tym1625680498617.png) #### Result: The tabs for the **IdP Adapter Mapping** section display. 13. Configure the IdP adapter mapping: 1. On the **Adapter Instance** tab, select the HTML form adapter that you created. Click **Next**. ![Screen capture of the PingFederate administrative console on the Adapter Instance tab.](_images/fzr1625680599721.png) 2. On the **Mapping Method** tab, click **Next**. 3. On the **Attribute Contract Fulfillment** tab, in the **Source** list select **Adapter** and in the **Value** list select **username**. Click **Next**. ![Screen capture of the administrative console on the Attribute Contract Fulfillment tab.](_images/wvl1625680681986.png) 4. On the **Issuance Criteria** tab, click **Next**. 5. On the **Summary** tab, click **Done**. #### Result: You return to the **Assertion Creation** section. 14. On the **Authentication Source Mapping** tab, click **Next**. 15. On the **Summary** tab, click **Done**. #### Result: You return to the **Browser SSO** section. 16. On the **Assertion Creation** tab, click **Next**. 17. On the **Protocol Settings** tab, click **Configure Protocol Settings**. #### Result: The tabs for the **Protocol Settings** section display. 18. Configure the protocol settings: 1. On the **Assertion Consumer Service URL** tab, review the **Endpoint URL** value. Click **Next**. ![Screen capture of the administrative console on the Assertion Consumer Service URL tab showing the Endpoint URL for a POST binding.](_images/efp1625680766332.png) 2. On the **Allowable SAML Bindings** tab, ensure that **POST** and **REDIRECT** are the only values checked. Click **Next**. 3. On the **Signature Policy** tab, click **Next**. 4. On the **Encryption Policy** tab, click **Next**. 5. On the **Summary** tab, click **Done**. #### Result: You return to the **Browser SSO** section. 19. On the **Protocol Settings** tab, click **Next**. 20. On the **Summary** tab, click **Done**. #### Result: You return to the **SP Connection** section. 21. On the **Browser SSO** tab, click **Next**. 22. On the **Credentials** tab, click **Configure Credentials**. ![Screen capture of the administrative console on the Credentials tab showing the Configure Credentials button.](_images/fpr1625680880187.png) #### Result: The tabs for the **Credentials** section display. 23. Configure the credentials: 1. On the **Digital Signature Settings** tab, select the **Signing Certificate** that you chose in [Exporting the signing certificate from PingFederate](#exporting-signing-cert-from-pingfed). Click **Next**. ![Screen capture of the administrative console on the Digital Signature Settings tab with the Manage Certificates button available.](_images/oeq1625680981801.png) 2. On the **Summary** tab, click **Done**. #### Result: You return to the **SP Connection** section. 24. On the **Credentials** tab, click **Next**. 25. On the **Activation & Summary** tab, click **Save**. ![Screen capture of the administrative console on the Activation & Summary tab of the SP Connection section.](_images/amf1625599569132.png)