If you have not already done so, activate the Cloud Identity
Engine app.
In the Cloud Identity Engine app, select AuthenticationSP MetadataDownload SP Metadata and Save the
metadata in a secure location.
Log in to PingOne and select ApplicationsMy ApplicationsAdd ApplicationNew SAML Application.
Enter an Application Name,
an Application Description, and select the Category then Continue
to Next Step.
Select I have the SAML configuration and
ensure the Protocol Version is SAML
v 2.0.
Click Select File to Upload
Metadata
Copy the metadata information from the Cloud Identity Engine
and enter it in PingOne as described in the following table:
Copy from Cloud Identity Engine
Enter in PingOne
Copy the Entity ID from
the SP Metadata page.
Enter it as the Entity ID.
Copy the Assertion Consumer Service
URL.
Enter the URL as the Assertion Consumer
Service (ACS).
Select either RSA_SHA384 or RSA_SHA256 as
the Signing Algorithm.
If you want to require users to log in with their credentials to
reconnect to GlobalProtect, select Force
Re-authentication.
(Required for MFA) If you want to require multi-factor authentication
for your users, select Force MFA.
Click Continue to Next Step to specify
the attributes for the users you want to authenticate using PingOne.
Specify the Application Attribute and
the associated Identity Bridge Attribute or Literal Value for
your user then select Required.
Be sure to assign the account you're using so you can test the configuration when it's
complete. You may need to refresh the page after adding accounts to
successfully complete the test.
Click Add new attribute as
needed to include additional attributes then Continue
to next step to specify the group attributes.
Add the groups you want to
authenticate using PingOne or Search for
the groups you want to add then Continue to next step to
review your configuration.
Add PingOne as an authentication type in the Cloud Identity Engine
app.
Select Authentication Types and
click Add New Authentication Type.
Set Up a SAML 2.0 authentication
type.
Enter a Profile Name.
Select PingOne as your Identity
Provider Vendor.
Select the method you want to use to Add Metadata and Submit the
IdP profile.
If you want to enter the information manually, copy
the identity provider ID and SSO URL, download the certificate,
then enter the information in the Cloud Identity Engine IdP profile.
In PingOne, select ApplicationsMy Applications then select
the Cloud Identity Engine app.
Copy the necessary information from PingOne and enter it in the IdP profile on the Cloud
Identity Engine app as indicated in the following table:
Copy or Download from Okta
Admin Console
Enter in Cloud Identity Engine
IdP Profile
Copy the
Issuer ID.
Enter it as the
Identity Provider
ID.
Download
the Signing
Certificate.
Click to
Upload the certificate from the Okta
Admin Console.
Copy the Initiate
Single Sign-On (SSO)
URL.
Enter the URL as the
Identity Provider SSO
URL.
If you want to upload a metadata file, download the metadata file from your IdP management
system.
In PingOne, select ApplicationsMy Applications then select the Cloud Identity Engine app.
Download the SAML
Metadata.
In the Cloud Identity Engine app, click Browse
files to select the metadata file, then
Open the metadata file.
To use the Get URL method, copy the URL from your
IdP and enter it in Cloud Identity Engine.
Log in to Ping One using your administrator credentials.
Select Applications then select the
application you created in step 1.c.
Copy the SAML Metadata
URL and save it in a secure location.
In the Cloud Identity Engine, select Get
URL and the Add Metadata
method and paste the URL you copied in the previous step as the
Identity Provider Metadata URL.
Click Get URL to confirm the URL and
populate the Identity Provider ID and
Identity Provider SSO URL.
If you don't want to
enter the configuration information now, you can Do it
later. This option allows you to submit the profile
without including configuration information. However, you must edit the
profile to include the configuration information to use the
authentication type in an authentication profile.
Select the HTTP Binding for SSO Request to IdP method
you want to use for the SAML binding that allows the firewall and IdP to
exchange request and response messages:
HTTP Redirect—Transmit SAML messages through URL
parameters.
HTTP Post—Transmit SAML messages using
base64-encoded HTML.
Specify the Maximum Clock Skew (seconds), which is the
allowed difference in seconds between the system times of the IdP and the
firewall at the moment when the firewall validates IdP messages (default is 60;
range is 1–900). If the difference exceeds this value, authentication
fails.
If your IdP requires users to log in using multi-factor authentication (MFA),
select Multi-factor Authentication is Enabled on the Identity
Provider.
If you enabled the Force Re-authentication option in
step 1.9, enable the
Force Authentication option to require users to log
in with their credentials to reconnect to GlobalProtect.
Test SAML setup to verify the profile configuration.
This step is necessary to confirm that your firewall and IdP can
communicate.
Select the SAML attributes you want the firewall to use
for authentication and Submit the IdP profile.
In the Okta Admin Console, Edit the User
Attributes & Claims.
In the Cloud Identity Engine, select the Username Attribute and
optionally, the Usergroup Attribute,
Access Domain, User
Domain, and Admin Role, then
Submit your changes.
You must select
the username attribute in the Okta Admin Console for the attribute
to display in the Cloud Identity Engine.