Configure PingOne as an IdP in the Cloud Identity Engine

Learn how to configure PingOne as an identity provider in the Cloud Identity Engine for user authentication.
To use PingOne as an identity provider (IdP) in the Cloud Identity Engine, configure an IdP profile as described below. After you configure the IdP profile, Configure Cloud Identity Engine Authentication on the Firewall or Panorama.
  1. Enable the Cloud Identity Engine app in PingOne.
    1. If you have not already done so, activate the Cloud Identity Engine app.
    2. In the Cloud Identity Engine app, select Authentication > SP Metadata > Download SP Metadata and Save the metadata in a secure location.
    3. Log in to PingOne and select Applications > My Applications > Add Application > New SAML Application.
    4. Enter an Application Name and an Application Description, select the Category, then Continue to Next Step.
    5. Select I have the SAML configuration and ensure the Protocol Version is SAML v 2.0.
    6. Click Select File to Upload Metadata.
    7. Copy the metadata information from the Cloud Identity Engine and enter it in PingOne as described in the following table:
      Copy from Cloud Identity Engine                  | Enter in PingOne
      Copy the Entity ID from the SP Metadata page.    | Enter it as the Entity ID.
      Copy the Assertion Consumer Service URL.         | Enter the URL as the Assertion Consumer Service (ACS).
    8. Select either RSA_SHA384 or RSA_SHA256 as the Signing Algorithm.
    9. If you want to require users to log in with their credentials to reconnect to GlobalProtect, select Force Re-authentication.
    10. (Required for MFA) If you want to require multi-factor authentication for your users, select Force MFA.
    11. Click Continue to Next Step to specify the attributes for the users you want to authenticate using PingOne.
    12. Specify the Application Attribute and the associated Identity Bridge Attribute or Literal Value for your users, then select Required.
      Be sure to assign the account you're using so you can test the configuration when it's complete. You may need to refresh the page after adding accounts to successfully complete the test.
    13. Click Add new attribute as needed to include additional attributes, then Continue to next step to specify the group attributes.
    14. Add the groups you want to authenticate using PingOne, or Search for the groups you want to add, then Continue to next step to review your configuration.
  2. Add PingOne as an authentication type in the Cloud Identity Engine app.
    1. Select Authentication Types and click Add New Authentication Type.
    2. Set Up a SAML 2.0 authentication type.
    3. Enter a Profile Name.
    4. Select PingOne as your Identity Provider Vendor.
  3. Select the method you want to use to Add Metadata and Submit the IdP profile.
    • If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
      1. In PingOne, select Applications > My Applications, then select the Cloud Identity Engine app.
      2. Copy the necessary information from PingOne and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:
        Copy or Download from PingOne                   | Enter in Cloud Identity Engine IdP Profile
        Copy the Issuer ID.                             | Enter it as the Identity Provider ID.
        Download the Signing Certificate.               | Click to Upload the certificate you downloaded from PingOne.
        Copy the Initiate Single Sign-On (SSO) URL.     | Enter the URL as the Identity Provider SSO URL.
    • If you want to upload a metadata file, download the metadata file from your IdP management system.
      1. In PingOne, select Applications > My Applications, then select the Cloud Identity Engine app.
      2. Download the SAML Metadata.
      3. In the Cloud Identity Engine app, click Browse files to select the metadata file, then Open the metadata file.
    • To use the Get URL method, copy the URL from your IdP and enter it in Cloud Identity Engine.
      1. Log in to PingOne using your administrator credentials.
      2. Select Applications, then select the application you created in step 1.3.
      3. Copy the SAML Metadata URL and save it in a secure location.
      4. In the Cloud Identity Engine, select Get URL as the Add Metadata method and paste the URL you copied in the previous step as the Identity Provider Metadata URL.
      5. Click Get URL to confirm the URL and populate the Identity Provider ID and Identity Provider SSO URL.
    • If you don't want to enter the configuration information now, you can Do it later. This option allows you to submit the profile without including configuration information. However, you must edit the profile to include the configuration information to use the authentication type in an authentication profile.
  4. Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages:
    • HTTP Redirect—Transmit SAML messages through URL parameters.
    • HTTP Post—Transmit SAML messages using base64-encoded HTML.
  5. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
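The clock-skew setting matters because a SAML assertion carries a validity window (NotBefore / NotOnOrAfter), and the firewall compares that window against its own clock when it validates the IdP's messages. The following added example, not code from this page or from the Cloud Identity Engine, models that check with the profile's default of 60 seconds and permitted range of 1 to 900, so you can see why a too-small skew produces "not yet valid" or "expired" failures when the IdP and firewall clocks drift. The timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Values taken from the IdP profile setting: default 60 seconds, allowed range 1-900.
SKEW_DEFAULT = 60
SKEW_MIN, SKEW_MAX = 1, 900

# Constructed "current time" on the firewall, used for the worked scenarios below.
CONSTRUCTED_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)


def check_skew_setting(seconds: int) -> int:
    """Reject a Maximum Clock Skew value outside the range the profile accepts."""
    if isinstance(seconds, bool) or not isinstance(seconds, int):
        raise ValueError("clock skew must be an integer number of seconds")
    if not SKEW_MIN <= seconds <= SKEW_MAX:
        raise ValueError("clock skew %ds is outside %d-%d" % (seconds, SKEW_MIN, SKEW_MAX))
    return seconds


def parse_saml_instant(value: str) -> datetime:
    """Parse an xs:dateTime as used in SAML (e.g. 2024-05-01T12:00:00Z) into an aware UTC datetime."""
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"  # accept the trailing Z on every Python 3 version
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        raise ValueError("SAML timestamp without timezone: %r" % value)
    return parsed.astimezone(timezone.utc)


def validate_conditions(not_before: str, not_on_or_after: str, now: datetime,
                        skew_seconds: int = SKEW_DEFAULT):
    """Apply the SAML validity window NotBefore <= now < NotOnOrAfter, widened by the
    configured skew on both sides. Returns (accepted, reason)."""
    skew = timedelta(seconds=check_skew_setting(skew_seconds))
    nb = parse_saml_instant(not_before)
    noa = parse_saml_instant(not_on_or_after)
    if noa <= nb:
        return False, "malformed window: NotOnOrAfter is not after NotBefore"
    if now + skew < nb:
        ahead = int((nb - now).total_seconds())
        return False, "not yet valid: NotBefore is %ds ahead of the firewall clock, skew %ds" % (ahead, skew_seconds)
    if now - skew >= noa:
        ago = int((now - noa).total_seconds())
        return False, "expired: NotOnOrAfter passed %ds ago on the firewall clock, skew %ds" % (ago, skew_seconds)
    return True, "accepted"


if __name__ == "__main__":
    # IdP clock 30 s ahead of the firewall: accepted at the default skew, rejected at skew 1.
    window = ("2024-05-01T12:00:30Z", "2024-05-01T12:05:30Z")
    print(validate_conditions(*window, CONSTRUCTED_NOW))
    print(validate_conditions(*window, CONSTRUCTED_NOW, skew_seconds=1))
    # Assertion that expired 30 s ago on the firewall clock: only a skew of at least 31 s accepts it.
    stale = ("2024-05-01T11:50:00Z", "2024-05-01T11:59:30Z")
    print(validate_conditions(*stale, CONSTRUCTED_NOW, skew_seconds=20))
```

The practical lesson is that raising the skew hides a clock problem rather than fixing it: every extra second of tolerance is a second longer that a replayed assertion remains acceptable, so keep the firewall and IdP synchronized to NTP and leave the value near the default.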
  6. If your IdP requires users to log in using multi-factor authentication (MFA), select Multi-factor Authentication is Enabled on the Identity Provider.
  7. If you enabled the Force Re-authentication option in step 1.9, enable the Force Authentication option to require users to log in with their credentials to reconnect to GlobalProtect.
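The binding choice in step 4 decides how the firewall's AuthnRequest (and the IdP's response) travels through the browser, and the Force Authentication option in step 7 is carried inside that request as the SAML ForceAuthn attribute. The following added example, which is not code from this page, from the Cloud Identity Engine or from PingOne, builds an unsigned AuthnRequest and shows both encodings side by side: HTTP Redirect (raw DEFLATE, base64, URL parameters) and HTTP Post (base64 in a form field), together with the decoders an analyst would use to read either form out of a captured request. The entity ID, ACS URL, SSO URL and request ID are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode
from xml.sax.saxutils import escape, quoteattr

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed values standing in for the SP (firewall) and the PingOne SSO endpoint.
SP_ENTITY_ID = "https://cie.example.invalid/sp"
ACS_URL = "https://cie.example.invalid/sp/acs"
IDP_SSO_URL = "https://pingone.example.invalid/idp/SSO.saml2"


def build_authn_request(request_id: str, issue_instant: str, force_authn: bool = False,
                        sp_entity_id: str = SP_ENTITY_ID, acs_url: str = ACS_URL,
                        idp_sso_url: str = IDP_SSO_URL) -> str:
    """Build an unsigned AuthnRequest. ForceAuthn="true" is what the Force Authentication option
    switches on: the IdP must make the user enter credentials again instead of reusing its session."""
    force = ' ForceAuthn="true"' if force_authn else ""
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s"' % (NS_SAMLP, NS_SAML)
        + " ID=%s Version=\"2.0\" IssueInstant=%s" % (quoteattr(request_id), quoteattr(issue_instant))
        + " Destination=%s" % quoteattr(idp_sso_url)
        + " AssertionConsumerServiceURL=%s" % quoteattr(acs_url)
        + ' ProtocolBinding="%s"%s>' % (BINDING_POST, force)
        + "<saml:Issuer>%s</saml:Issuer>" % escape(sp_entity_id)
        + "</samlp:AuthnRequest>"
    )


def encode_redirect(xml_text: str, relay_state: str = None) -> str:
    """HTTP Redirect binding: raw DEFLATE, then base64, then URL-encoded query parameters.
    A signed redirect adds SigAlg and Signature parameters over this query string (not shown)."""
    compressor = zlib.compressobj(level=9, method=zlib.DEFLATED, wbits=-15)  # -15 = raw DEFLATE
    raw = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect(query: str):
    """Inverse of encode_redirect; also reads a SAMLResponse the IdP returns over this binding.
    Returns (parameter name, XML text)."""
    params = parse_qs(query, strict_parsing=True)
    key = "SAMLRequest" if "SAMLRequest" in params else "SAMLResponse"
    raw = base64.b64decode(params[key][0])
    return key, zlib.decompress(raw, wbits=-15).decode("utf-8")


def encode_post(xml_text: str) -> str:
    """HTTP Post binding: plain base64 of the XML, placed in a hidden field of an auto-submitting form."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_post(field_value: str) -> str:
    return base64.b64decode(field_value).decode("utf-8")


def force_authn_requested(xml_text: str) -> bool:
    """Read the ForceAuthn flag back from a request, to confirm the profile setting reached the wire."""
    root = ET.fromstring(xml_text)
    return root.get("ForceAuthn", "false").strip().lower() == "true"


if __name__ == "__main__":
    req = build_authn_request("_constructed-request-id", "2024-05-01T12:00:00Z", force_authn=True)
    print("Redirect query :", encode_redirect(req, relay_state="gp-portal"))
    print("POST field     :", encode_post(req))
    print("ForceAuthn set :", force_authn_requested(decode_redirect(encode_redirect(req))[1]))
```

Note that neither binding protects the message by itself: the HTTP Redirect query string is visible in browser history, proxy logs and Referer headers, and both encodings are trivially reversible, so the integrity of the exchange rests on the XML signature the IdP applies with the RSA_SHA256 or RSA_SHA384 algorithm chosen in step 1, verified against the certificate in the IdP profile.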
  8. Test SAML setup to verify the profile configuration.
    This step is necessary to confirm that your firewall and IdP can communicate.
  9. Select the SAML attributes you want the firewall to use for authentication and Submit the IdP profile.
    1. In the Okta Admin Console, Edit the User Attributes & Claims.
    2. In the Cloud Identity Engine, select the Username Attribute and optionally, the Usergroup Attribute, Access Domain, User Domain, and Admin Role, then Submit your changes.
      You must select the username attribute in the Okta Admin Console for the attribute to display in the Cloud Identity Engine.