1. If you have not already done so, activate the Cloud Identity Engine app.
2. In the Cloud Identity Engine app, select Authentication > SP Metadata > Download SP Metadata and Save the metadata in a secure location.
3. Log in to PingOne and select Applications > My Applications > Add Application > New SAML Application.
4. Enter an Application Name and an Application Description, select the Category, then Continue to Next Step.
5. Select I have the SAML configuration and ensure the Protocol Version is SAML v 2.0.
6. Click Select File to Upload Metadata.
7. Copy the metadata information from the Cloud Identity Engine and enter it in PingOne as described in the following table:

   Copy From Cloud Identity Engine | Enter in PingOne
   Copy the Entity ID from the SP Metadata page. | Enter it as the Entity ID.
   Copy the Assertion Consumer Service URL. | Enter the URL as the Assertion Consumer Service (ACS).

8. Select either RSA_SHA384 or RSA_SHA256 as the Signing Algorithm.
9. (Required for MFA) If you want to require multi-factor authentication for your users, select Force MFA.
10. Click Continue to Next Step to specify the attributes for the users you want to authenticate using PingOne.
11. Specify the Application Attribute and the associated Identity Bridge Attribute or Literal Value for your user, then select Required.
    Be sure to assign the account you are using so you can test the configuration when it is complete. You may need to refresh the page after adding accounts to successfully complete the test.
12. Click Add new attribute as needed to include additional attributes, then Continue to next step to specify the group attributes.
13. Add the groups you want to authenticate using PingOne, or Search for the groups you want to add, then Continue to next step to review your configuration.
14. Add PingOne as an authentication type in the Cloud Identity Engine app.
    a. Select Authentication Types and click Add New Authentication Type.
    b. Set Up a SAML 2.0 authentication type.
    c. Enter a Profile Name.
    d. Select PingOne as your Identity Provider Vendor.
15. Select the method you want to use to Add Metadata and Submit the IdP profile.
    If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
    a. In PingOne, select Applications > My Applications, then select the Cloud Identity Engine app.
    b. Copy the necessary information from PingOne and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:

       Copy or Download From Okta Admin Console | Enter in Cloud Identity Engine IdP Profile
       Copy the Issuer ID. | Enter it as the Identity Provider ID.
       Download the Signing Certificate. | Click to Upload the certificate from the Okta Admin Console.
       Copy the Initiate Single Sign-On (SSO) URL. | Enter the URL as the Identity Provider SSO URL.

    c. Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages: HTTP Redirect, which transmits SAML messages through URL parameters, or HTTP Post, which transmits SAML messages using base64-encoded HTML.
    d. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
    If you want to upload a metadata file, download the metadata file from your IdP management system.
    a. In PingOne, select Applications > My Applications, then select the Cloud Identity Engine app.
    b. Download the SAML Metadata.
    c. In the Cloud Identity Engine app, Click to Upload the metadata file, then Open the metadata file.
    The Cloud Identity Engine does not currently support the Get URL method for PingOne.
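The checks the Maximum Clock Skew setting governs, as an added Python example that is not code from the Cloud Identity Engine or PingOne: it validates a constructed assertion's Issuer (the Identity Provider ID), Audience (the SP Entity ID) and Conditions window while tolerating a configurable skew in the 1–900 second range. The assertion XML and its URLs are placeholders, and XML signature verification is assumed to have happened before this function runs.

```python
"""Validate a SAML 2.0 assertion's issuer, audience and validity window with clock-skew tolerance."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real PingOne response); the URLs are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.invalid/issuer-id</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.invalid/entity-id</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime values in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(assertion_xml, expected_issuer, expected_audience, now, max_clock_skew=60):
    """Return (ok, reason). Assumes the XML signature was already verified.
    max_clock_skew mirrors the Maximum Clock Skew setting: default 60 s, range 1-900."""
    if not 1 <= max_clock_skew <= 900:
        raise ValueError("max_clock_skew must be between 1 and 900 seconds")
    root = ET.fromstring(assertion_xml)
    # Issuer must equal the Identity Provider ID configured in the IdP profile.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        return False, "issuer mismatch"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    skew = timedelta(seconds=max_clock_skew)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    # The IdP clock may lead or lag ours by at most max_clock_skew seconds.
    if not_before and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired"
    # Audience must be the SP Entity ID taken from the SP Metadata page.
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    return True, "ok"
```

A skew of 60 seconds lets an assertion arrive up to a minute before its NotBefore or after its NotOnOrAfter, so the second and fifth cases below pass while a two-minute drift is rejected.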
16. Test SAML setup to verify the profile configuration. This step is required to confirm that your firewall and IdP can communicate.
17. If your IdP is configured to require users to log in using multi-factor authentication (MFA), select Multi-factor Authentication is Enabled on the Identity Provider.
18. Select the SAML attributes you want the firewall to use for authentication and Submit the IdP profile.
    a. In the Okta Admin Console, Edit the User Attributes & Claims.
    b. In the Cloud Identity Engine, select the Username Attribute and, optionally, the Usergroup Attribute, Access Domain, User Domain, and Admin Role.
    You must select the username attribute in the Okta Admin Console for the attribute to display in the Cloud Identity Engine.