Configure PingFederate as an IdP in the Cloud Identity Engine
Prepare the metadata for the Cloud Identity
Engine app in PingFederate.
If you have not already done so, activate the Cloud Identity
Engine app.
In the Cloud Identity Engine app, select
Authentication
SP Metadata
Download SP Metadata
and
Save
the
metadata in a secure location.
Log in to PingFederate and select
System
SP Affiliations
Protocol Metadata
Metadata Export
.
Select
I am the Identity Provider (IdP)
then
click
Next
.
Select information to include in metadata manually
then
click
Next
.
Select the
Signing key
you
want to use then click
Next
.
Ensure that
SAML 2.0
is the
protocol then click
Next
.
Click
Next
as you don't need to define an
attribute contract.
Select the
Signing Certificate
and that
you want to
Include this certificate’s public key certificate
in the <key info> element
.
Select the
Signing Algorithm
you want
to use then click
Next
.
Select the same certificate as the
Encryption certificate
then
click
Next
.
Review the metadata to verify the settings are correct
then
Export
the metadata.
Add PingFederate as an authentication type in the Cloud
Identity Engine app.
Select
Authentication Types
and
click
Add New Authentication Type
.
Set Up
a
SAML 2.0
authentication
type.
Enter a
Profile Name
.
Select
PingFederate
as your
Identity
Provider Vendor
.
Select the method you want to use to
Add Metadata
and
Submit
the
IdP profile.
If you want to enter the information manually, copy
the identity provider ID and SSO URL, download the certificate,
then enter the information in the Cloud Identity Engine IdP profile.
In PingFederate, select
System
OAuth Settings
Protocol Settings
to
copy the
Base URL
and
SAML 2.0
Entity
.
Copy the necessary information from PingFederate and enter it in the IdP profile on the Cloud
Identity Engine app as indicated in the following table:
Copy or Download from
PingFederate
Enter in Cloud Identity Engine
IdP Profile
Copy the
SAML 2.0
Entity
ID.
Enter it as the
Identity Provider
ID
.
Copy the
Base
URL
.
Enter the URL as the
Identity Provider SSO
URL
.
In PingFederate, select
Security
Signing & Decryption Keys & Certificates
to
Export
the certificate
you want to use.
In the Cloud Identity Engine app, click
Browse files
to select the
PingFederate certificate.
Select the
HTTP Binding for SSO Request to IdP
method you want to use for
the SAML binding that allows the firewall and IdP to exchange
request and response messages:
HTTP Redirect
—Transmit SAML
messages through URL parameters.
HTTP Post
—Transmit SAML messages
using base64-encoded HTML.
If you want to upload a metadata file, download the metadata file from your IdP management
system.
Locate the metadata file from the first step.
In the Cloud Identity Engine app, click
Browse
files
to select the metadata file, then
Open
the metadata file.
If you don't want to
enter the configuration information now, you can
Do it
later
. This option allows you to submit the profile
without including configuration information. However, you must edit the
profile to include the configuration information to use the
authentication type in an authentication profile.
The
Cloud Identity Engine does not currently support the
Get
URL
method for PingFederate.
Specify the
Maximum Clock Skew (seconds)
, which is the
allowed difference in seconds between the system times of the IdP and the
firewall at the moment when the firewall validates IdP messages (default is 60;
range is 1–900). If the difference exceeds this value, authentication
fails.
To require users to log in using their credentials to reconnect to
GlobalProtect, enable
Force Authentication
.
Test SAML setup
to verify the
profile configuration.
This step is necessary to confirm that your firewall and IdP can
communicate.
Select the SAML attributes you want the firewall to use
for authentication and