If you have not already done so, activate the Cloud Identity Engine app.
In the Cloud Identity Engine app, select Authentication > SP Metadata > Download SP Metadata and Save the metadata in a secure location.
Log in to PingOne and select Applications > My Applications > Add Application > New SAML Application.
Enter an Application Name and an Application Description, select the Category, then Continue to Next Step.
Select I have the SAML configuration and ensure the Protocol Version is SAML v 2.0.
Click Select File to Upload Metadata.
Copy the metadata information from the Cloud Identity Engine and enter it in PingOne as described in the following table:

Copy from Cloud Identity Engine        | Enter in PingOne
Entity ID (from the SP Metadata page)  | Entity ID
Assertion Consumer Service URL         | Assertion Consumer Service (ACS)

Select either RSA_SHA384 or RSA_SHA256 as the Signing Algorithm.
If you want to require users to log in with their credentials to reconnect to GlobalProtect, select Force Re-authentication.
(Required for MFA) If you want to require multi-factor authentication for your users, select Force MFA.
Click Continue to Next Step to specify the attributes for the users you want to authenticate using PingOne.
Specify the Application Attribute and the associated Identity Bridge Attribute or Literal Value for your user, then select Required.
Be sure to assign the account you're using so you can test the configuration when it's complete. You may need to refresh the page after adding accounts to successfully complete the test.
Click Add new attribute as needed to include additional attributes, then Continue to next step to specify the group attributes.
Add the groups you want to authenticate using PingOne, or Search for the groups you want to add, then Continue to next step to review your configuration.
Add PingOne as an authentication type in the Cloud Identity Engine app.
Select Authentication Types and click Add New Authentication Type.
Set Up a SAML 2.0 authentication type.
Enter a Profile Name.
Select PingOne as your Identity Provider Vendor.
Select the method you want to use to Add Metadata and Submit the IdP profile.
If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
In PingOne, select Applications > My Applications, then select the Cloud Identity Engine app.
Copy the necessary information from PingOne and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:

Copy or Download from PingOne          | Enter in Cloud Identity Engine IdP Profile
Issuer ID                              | Identity Provider ID
Signing Certificate (download it)      | Click to Upload the certificate you downloaded from PingOne
Initiate Single Sign-On (SSO) URL      | Identity Provider SSO URL
If you want to upload a metadata file, download the metadata file from your IdP management system.
In PingOne, select Applications > My Applications, then select the Cloud Identity Engine app.
Download the SAML Metadata.
In the Cloud Identity Engine app, click Browse files to select the metadata file, then Open the metadata file.
To use the Get URL method, copy the URL from your IdP and enter it in Cloud Identity Engine.
Log in to PingOne using your administrator credentials.
Select Applications, then select the application you created in step 1.c.
Copy the SAML Metadata URL and save it in a secure location.
In the Cloud Identity Engine, select Get URL as the Add Metadata method and paste the URL you copied in the previous step as the Identity Provider Metadata URL.
Click Get URL to confirm the URL and populate the Identity Provider ID and Identity Provider SSO URL.
If you don't want to enter the configuration information now, you can Do it later. This option allows you to submit the profile without including configuration information. However, you must edit the profile to include the configuration information before you can use the authentication type in an authentication profile.
Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages:
HTTP Redirect—Transmit SAML messages (DEFLATE-compressed and base64-encoded) as URL query parameters.
HTTP Post—Transmit SAML messages as base64-encoded form fields in an HTML form that the browser submits to the IdP.
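The two bindings carry the same AuthnRequest in different wrappers, and the difference is what decides whether the message travels in a GET query string or a browser-submitted form. The script below is an added example, not Palo Alto Networks or Ping code, that encodes one constructed, unsigned AuthnRequest under each binding and decodes it again; the hosts, request ID and RelayState are made up, and the encoding rules are those of the SAML 2.0 HTTP-Redirect and HTTP-POST bindings.

```python
"""Encode one AuthnRequest under the HTTP-Redirect and HTTP-POST bindings.

Added example (not Palo Alto Networks or Ping code). The AuthnRequest, hosts and
RelayState are constructed; the request is left unsigned to stay self-contained.
"""
import base64
import html
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed AuthnRequest as the SP side (here the firewall / Cloud Identity Engine) would send it.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_9f3c0e1a7b" Version="2.0" '
    'IssueInstant="2024-05-01T12:00:00Z" Destination="https://idp.example.com/sso" '
    'AssertionConsumerServiceURL="https://cie.example.com/saml/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://cie.example.com/sp</saml:Issuer></samlp:AuthnRequest>'
)


def redirect_binding_url(sso_url, xml, relay_state=None):
    """HTTP-Redirect: raw DEFLATE -> base64 -> URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header, as the binding requires
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    # A signed redirect adds SigAlg and Signature query parameters computed over the encoded
    # query string itself (not over the XML); this example keeps the request unsigned.
    sep = "&" if "?" in sso_url else "?"
    return f"{sso_url}{sep}{urlencode(params)}"


def decode_redirect_binding(url):
    """Reverse of redirect_binding_url. Returns (xml, relay_state)."""
    qs = parse_qs(urlsplit(url).query, strict_parsing=True)
    raw = base64.b64decode(qs["SAMLRequest"][0], validate=True)
    xml = zlib.decompress(raw, -15).decode("utf-8")
    return xml, qs.get("RelayState", [None])[0]


def post_binding_form(sso_url, xml, relay_state=None):
    """HTTP-POST: base64 the XML as-is (no DEFLATE) into hidden fields of a self-posting form."""
    fields = {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return {"action": sso_url, "method": "POST", "fields": fields}


def decode_post_binding(form):
    """Reverse of post_binding_form. Returns (xml, relay_state)."""
    fields = form["fields"]
    xml = base64.b64decode(fields["SAMLRequest"], validate=True).decode("utf-8")
    return xml, fields.get("RelayState")


def render_post_form(form):
    """The HTML the browser receives under the POST binding: hidden fields plus auto-submit."""
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}"/>'
        for k, v in form["fields"].items()
    )
    return (
        f'<form method="POST" action="{html.escape(form["action"])}">{inputs}'
        '<noscript><input type="submit"/></noscript></form>'
        '<script>document.forms[0].submit();</script>'
    )


if __name__ == "__main__":
    url = redirect_binding_url("https://idp.example.com/sso", AUTHN_REQUEST, relay_state="gp-portal")
    print("Redirect URL:", url[:100] + "...")
    print("Redirect round-trips:", decode_redirect_binding(url)[0] == AUTHN_REQUEST)
    form = post_binding_form("https://idp.example.com/sso", AUTHN_REQUEST, relay_state="gp-portal")
    print("POST form:", render_post_form(form)[:100] + "...")
    print("POST round-trips:", decode_post_binding(form)[0] == AUTHN_REQUEST)
```

The practical consequence of the encoding difference: under HTTP Redirect the whole request sits in a GET URL, so it is bounded by URL length limits and shows up wherever URLs are logged; under HTTP Post it is a form body and is not compressed.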
Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
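What the skew setting actually tolerates is the assertion's validity window being checked against a clock that may run ahead of or behind the IdP's. The script below is an added example, not Palo Alto Networks or Ping code, that applies a configurable skew (default 60, range 1–900, matching the setting above) to the NotBefore/NotOnOrAfter conditions of a constructed IdP response; the response XML, hosts and the sample "now" instants are made up, and the inclusive/exclusive rule for the two bounds is the SAML 2.0 one.

```python
"""Check an assertion's validity window with a Maximum Clock Skew tolerance.

Added example (not Palo Alto Networks or Ping code). RESPONSE and the instants
passed to check_time_window are constructed; NotBefore is inclusive and
NotOnOrAfter exclusive, and both are widened by the configured skew.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed IdP response: assertion valid from 12:00:00Z up to, but excluding, 12:05:00Z.
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" Destination="https://cie.example.com/saml/acs">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/idp-issuer</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
            Recipient="https://cie.example.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_instant(value):
    """SAML times are xs:dateTime in UTC with a trailing 'Z'; return an aware UTC datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {value}")
    return dt.astimezone(timezone.utc)


def check_time_window(xml_text, now, max_clock_skew=60):
    """Return (ok, reason). max_clock_skew mirrors the setting: default 60, range 1-900 seconds."""
    if not 1 <= max_clock_skew <= 900:
        raise ValueError("Maximum Clock Skew must be between 1 and 900 seconds")
    skew = timedelta(seconds=max_clock_skew)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion in response"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False, "Conditions must carry both NotBefore and NotOnOrAfter"
    not_before = parse_saml_instant(cond.get("NotBefore"))
    not_on_or_after = parse_saml_instant(cond.get("NotOnOrAfter"))
    # Widen the window by the skew in both directions: our clock may be ahead of or behind the IdP's.
    if now + skew < not_before:
        return False, f"assertion not yet valid: NotBefore={cond.get('NotBefore')} exceeds skew"
    if now - skew >= not_on_or_after:
        return False, f"assertion expired: NotOnOrAfter={cond.get('NotOnOrAfter')} exceeds skew"
    # Bearer SubjectConfirmationData carries its own deadline; apply the same exclusive-bound rule.
    for scd in assertion.findall(".//saml:SubjectConfirmationData", NS):
        deadline = scd.get("NotOnOrAfter")
        if deadline and now - skew >= parse_saml_instant(deadline):
            return False, "SubjectConfirmationData expired"
    return True, "within validity window"


def at(hhmmss):
    """Demo helper: a UTC instant on the constructed response's day."""
    return datetime.fromisoformat(f"2024-05-01T{hhmmss}+00:00")


if __name__ == "__main__":
    cases = [("12:02:00", 60), ("11:59:30", 60), ("11:58:00", 60),
             ("11:58:00", 180), ("12:05:59", 60), ("12:06:00", 60)]
    for when, skew in cases:
        print(f"now={when}Z skew={skew:>3}s ->", check_time_window(RESPONSE, at(when), skew))
```

The 11:58:00 case is the one the setting is about: a firewall two minutes behind the IdP fails with the 60-second default and passes at 180, which is the trade-off the range 1–900 lets you make. Raising the skew widens the window in which a captured assertion can be replayed, so fix the clocks rather than the setting where you can.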
If your IdP requires users to log in using multi-factor authentication (MFA), select Multi-factor Authentication is Enabled on the Identity Provider.