Configure PingOne as an IdP in the Cloud Identity Engine
Learn how to configure PingOne as an identity provider in the Cloud Identity Engine for user authentication.
Configure an IdP profile to set up PingOne as an identity provider (IdP) in the Cloud Identity Engine. After you configure the IdP profile, Configure Cloud Identity Engine Authentication on the Firewall or Panorama.
  1. Enable the Cloud Identity Engine app in PingOne.
    1. If you have not already done so, activate the Cloud Identity Engine app.
    2. In the Cloud Identity Engine app, select Authentication > SP Metadata > Download SP Metadata and Save the metadata in a secure location.
    3. Log in to PingOne and select Applications > My Applications > Add Application > New SAML Application.
    4. Enter an Application Name and an Application Description, select the Category, then Continue to Next Step.
    5. Select I have the SAML configuration and ensure the Protocol Version is SAML v 2.0.
    6. Click Select File to Upload Metadata.
    7. Copy the metadata information from the Cloud Identity Engine and enter it in PingOne as described in the following table:
       Copy From Cloud Identity Engine                 Enter in PingOne
       Entity ID (from the SP Metadata page)           Entity ID
       Assertion Consumer Service URL                  Assertion Consumer Service (ACS)
    8. Select either RSA_SHA384 or RSA_SHA256 as the Signing Algorithm.
    9. If you want to require users to log in with their credentials to reconnect to GlobalProtect, select Force Re-authentication.
    10. (Required for MFA) If you want to require multi-factor authentication for your users, select Force MFA.
    11. Click Continue to Next Step to specify the attributes for the users you want to authenticate using PingOne.
    12. Specify the Application Attribute and the associated Identity Bridge Attribute or Literal Value for your user, then select Required.
       Be sure to assign the account you are using so you can test the configuration when it is complete. You may need to refresh the page after adding accounts to successfully complete the test.
    13. Click Add new attribute as needed to include additional attributes, then Continue to next step to specify the group attributes.
    14. Add the groups you want to authenticate using PingOne or Search for the groups you want to add, then Continue to next step to review your configuration.
  2. Add PingOne as an authentication type in the Cloud Identity Engine app.
    1. Select Authentication Types and click Add New Authentication Type.
    2. Set Up a SAML 2.0 authentication type.
    3. Enter a Profile Name.
    4. Select PingOne as your Identity Provider Vendor.
  3. Select the method you want to use to Add Metadata and Submit the IdP profile.
    • If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
      1. In PingOne, select Applications > My Applications, then select the Cloud Identity Engine app.
      2. Copy the necessary information from PingOne and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:
         Copy or Download From Okta Admin Console      Enter in Cloud Identity Engine IdP Profile
         Copy the Issuer ID.                           Enter it as the Identity Provider ID.
         Download the Signing Certificate.             Click to Upload the certificate from the Okta Admin Console.
         Copy the Initiate Single Sign-On (SSO) URL.   Enter the URL as the Identity Provider SSO URL.
      3. Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML binding that the firewall and IdP use to exchange request and response messages: HTTP Redirect, which transmits SAML messages through URL parameters, or HTTP Post, which transmits base64-encoded SAML messages in an HTML form.
      4. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
    • If you want to upload a metadata file, download the metadata file from your IdP management system.
      1. In PingOne, select Applications > My Applications, then select the Cloud Identity Engine app.
      2. Download the SAML Metadata.
      3. In the Cloud Identity Engine app, Click to Upload the metadata file, then Open the metadata file.
    The Cloud Identity Engine does not currently support the Get URL method for PingOne.
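Step 3.4's Maximum Clock Skew decides whether an assertion whose NotBefore/NotOnOrAfter window does not line up with the firewall's clock is accepted. The following added example (not code from the Palo Alto Networks documentation, which does not publish its validation logic) applies that tolerance to a constructed saml:Conditions element with a five-minute window; the firewall-side timestamps are also constructed, and the 1–900 second range and 60 second default come from the step above.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the Conditions element of a SAML assertion with a
# five-minute validity window, expressed in UTC as SAML requires.
SAMPLE_CONDITIONS = ('<saml:Conditions xmlns:saml="%s" NotBefore="2024-05-01T12:00:00Z" '
                     'NotOnOrAfter="2024-05-01T12:05:00Z"/>' % SAML_ASSERTION_NS)


def parse_saml_time(value):
    """Parse an xs:dateTime in UTC (trailing Z, optional fractional seconds)."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def validate_window(not_before, not_on_or_after, now, max_clock_skew=60):
    """Apply Maximum Clock Skew (seconds) to an assertion's validity window.

    now is the validating system's (firewall's) clock, as a datetime or a
    SAML-style timestamp string. Returns (ok, reason). Range and default
    follow the IdP profile: 1-900 seconds, default 60.
    """
    if not 1 <= max_clock_skew <= 900:
        raise ValueError("Maximum Clock Skew must be between 1 and 900 seconds")
    if isinstance(now, str):
        now = parse_saml_time(now)
    skew = timedelta(seconds=max_clock_skew)
    if not_before is not None and now + skew < parse_saml_time(not_before):
        return False, "NotBefore is more than the allowed skew ahead of the firewall clock"
    # NotOnOrAfter is exclusive: the assertion is already invalid at that instant.
    if not_on_or_after is not None and now - skew >= parse_saml_time(not_on_or_after):
        return False, "NotOnOrAfter is more than the allowed skew behind the firewall clock"
    return True, "validity window satisfied within the allowed clock skew"


def check_conditions(conditions_xml, now, max_clock_skew=60):
    """Read NotBefore/NotOnOrAfter from a Conditions element and validate them."""
    el = ET.fromstring(conditions_xml)
    if el.tag != "{%s}Conditions" % SAML_ASSERTION_NS:
        raise ValueError("expected a saml:Conditions element")
    return validate_window(el.get("NotBefore"), el.get("NotOnOrAfter"), now, max_clock_skew)


if __name__ == "__main__":
    # Firewall clock two minutes behind the IdP: fails at the default, passes at 300.
    for skew in (60, 300):
        print(skew, check_conditions(SAMPLE_CONDITIONS, "2024-05-01T11:58:00Z", skew))
```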
  4. Test SAML setup to verify the profile configuration.
    This step is required to confirm that your firewall and IdP can communicate.
  5. If your IdP is configured to require users to log in using multi-factor authentication (MFA), select Multi-factor Authentication is Enabled on the Identity Provider.
  6. If you enabled the Force Re-authentication option in Step 1.9, enable the Force Authentication option to require users to log in with their credentials to reconnect to GlobalProtect.
  7. Select the SAML attributes you want the firewall to use for authentication and Submit the IdP profile.
    1. In the Okta Admin Console, Edit the User Attributes & Claims.
    2. In the Cloud Identity Engine, select the Username Attribute and optionally the Usergroup Attribute, Access Domain, User Domain, and Admin Role, then Submit your changes.
      You must select the username attribute in the Okta Admin Console for the attribute to display in the Cloud Identity Engine.