Configure PingFederate as an IdP in the Cloud Identity Engine

  1. Prepare the metadata for the Cloud Identity Engine app in PingFederate.
    1. If you have not already done so, activate the Cloud Identity Engine app.
    2. In the Cloud Identity Engine app, select Authentication > SP Metadata > Download SP Metadata and Save the metadata in a secure location.
    3. Log in to PingFederate and select System > SP Affiliations > Protocol Metadata > Metadata Export.
    4. Select I am the Identity Provider (IdP) then click Next.
    5. Select information to include in metadata manually then click Next.
    6. Select the Signing key you want to use then click Next.
    7. Ensure that SAML 2.0 is the protocol then click Next.
    8. Click Next as you don't need to define an attribute contract.
    9. Select the Signing Certificate and choose to Include this certificate’s public key certificate in the <key info> element.
    10. Select the Signing Algorithm you want to use then click Next.
    11. Select the same certificate as the Encryption certificate then click Next.
    12. Review the metadata to verify the settings are correct then Export the metadata.
  2. Add PingFederate as an authentication type in the Cloud Identity Engine app.
    1. Select Authentication Types and click Add New Authentication Type.
    2. Set Up a SAML 2.0 authentication type.
    3. Enter a Profile Name.
    4. Select PingFederate as your Identity Provider Vendor.
  3. Select the method you want to use to Add Metadata and Submit the IdP profile.
    • If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
      1. In PingFederate, select System > OAuth Settings > Protocol Settings to copy the Base URL and SAML 2.0 Entity ID.
      2. Copy the necessary information from PingFederate and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:
        Copy or Download from PingFederate | Enter in Cloud Identity Engine IdP Profile
        Copy the SAML 2.0 Entity ID.       | Enter it as the Identity Provider ID.
        Copy the Base URL.                 | Enter the URL as the Identity Provider SSO URL.
      3. In PingFederate, select Security > Signing & Decryption Keys & Certificates to Export the certificate you want to use.
      4. In the Cloud Identity Engine app, click Browse files to select the PingFederate certificate.
      5. Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages:
        • HTTP Redirect—Transmit SAML messages through URL parameters.
        • HTTP Post—Transmit SAML messages using base64-encoded HTML.
    • If you want to upload a metadata file, download the metadata file from your IdP management system.
      1. Locate the metadata file from the first step.
      2. In the Cloud Identity Engine app, click Browse files to select the metadata file, then Open the metadata file.
    • If you don't want to enter the configuration information now, you can Do it later. This option allows you to submit the profile without including configuration information. However, you must edit the profile to include the configuration information to use the authentication type in an authentication profile.
    The Cloud Identity Engine does not currently support the Get URL method for PingFederate.
  4. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
  5. To require users to log in using their credentials to reconnect to GlobalProtect, enable Force Authentication.
  6. Test SAML setup to verify the profile configuration.
    This step is necessary to confirm that your firewall and IdP can communicate.
  7. Select the SAML attributes you want the firewall to use for authentication and Submit the IdP profile.
    1. In the Cloud Identity Engine, select the Username Attribute.
    2. (Optional) Select the Usergroup Attribute, Access Domain, User Domain, and Admin Role.
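The three values the manual path in step 3 has you copy from PingFederate (the Entity ID, the SSO URL for the chosen HTTP binding, and the signing certificate) are all carried in the IdP metadata exported in step 1, and the Maximum Clock Skew rule in step 4 is a plain time comparison. The Python below is an added example, not Palo Alto Networks or Ping Identity code: it extracts those values from a constructed sample metadata file (placeholder entity ID, URL and certificate bytes) and applies the skew rule to SAML timestamps.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = {"HTTP Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "HTTP Post": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}
# Constructed sample shaped like a PingFederate IdP metadata export; entity ID, URL and
# certificate bytes are placeholders, not values from any real deployment.
SAMPLE_CERT_B64 = base64.b64encode(b"placeholder-der-certificate-bytes").decode()
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.test/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % SAMPLE_CERT_B64

def idp_profile_values(metadata_xml, binding="HTTP Redirect"):
    """Return (Identity Provider ID, SSO URL, signing certificate DER) for the chosen
    HTTP binding: the three values the manual IdP profile path has you copy by hand."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # A KeyDescriptor without use= serves both signing and encryption.
    keys = [k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use", "signing") == "signing"]
    cert = keys[0].find(".//ds:X509Certificate", NS) if keys else None
    if cert is None or not (cert.text or "").strip():
        raise ValueError("signing key carries no X509Certificate: re-export the metadata "
                         "with the certificate included in the <key info> element")
    sso = idp.find("md:SingleSignOnService[@Binding='%s']" % BINDINGS[binding], NS)
    if sso is None:
        raise ValueError("metadata does not advertise the %s binding" % binding)
    return root.get("entityID"), sso.get("Location"), base64.b64decode(cert.text.strip())

def clock_skew_ok(message_instant, firewall_instant, max_skew_seconds=60):
    """Maximum Clock Skew rule: the IdP message time and the firewall's time may differ
    by at most max_skew_seconds (default 60, range 1-900), otherwise authentication fails.
    SAML timestamps are ISO 8601 UTC strings such as 2024-05-01T12:00:00Z."""
    if not 1 <= max_skew_seconds <= 900:
        raise ValueError("Maximum Clock Skew must be between 1 and 900 seconds")
    to_dt = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    delta = to_dt(firewall_instant) - to_dt(message_instant)
    return abs(delta.total_seconds()) <= max_skew_seconds
```

Running the extractor against the real metadata you exported in step 1 is a quick way to confirm the export actually contains the certificate before you build the profile by hand.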