Configure PingOne as an IdP in the Cloud Identity Engine
Learn how to configure PingOne as an identity provider in the Cloud Identity Engine for user authentication.
Configure an identity provider (IdP) profile to use PingOne as an IdP in the Cloud Identity Engine. After you configure the IdP profile, Configure Cloud Identity Engine Authentication on the Firewall or Panorama.
1. Enable the Cloud Identity Engine app in PingOne.
   1. If you have not already done so, activate the Cloud Identity Engine app.
   2. In the Cloud Identity Engine app, select Authentication > SP Metadata > Download SP Metadata and Save the metadata in a secure location.
   3. Log in to PingOne and select Applications > My Applications > Add Application > New SAML Application.
   4. Enter an Application Name and an Application Description, select the Category, then click Continue to Next Step.
   5. Select I have the SAML configuration and ensure the Protocol Version is SAML v 2.0.
   6. Click Select File to Upload Metadata.
   7. Copy the metadata information from the Cloud Identity Engine and enter it in PingOne as follows:
      - Copy the Entity ID from the SP Metadata page and enter it as the Entity ID.
      - Copy the Assertion Consumer Service URL and enter it as the Assertion Consumer Service (ACS).
   8. Select either RSA_SHA384 or RSA_SHA256 as the Signing Algorithm.
   9. If you want to require users to log in with their credentials to reconnect to GlobalProtect, select Force Re-authentication.
   10. (Required for MFA) If you want to require multi-factor authentication for your users, select Force MFA.
   11. Click Continue to Next Step to specify the attributes for the users you want to authenticate using PingOne.
   12. Specify the Application Attribute and the associated Identity Bridge Attribute or Literal Value for your user, then select Required. Be sure to assign the account you are using so you can test the configuration when it is complete. You may need to refresh the page after adding accounts to successfully complete the test.
   13. Click Add new attribute as needed to include additional attributes, then Continue to next step to specify the group attributes.
   14. Add the groups you want to authenticate using PingOne or Search for the groups you want to add, then Continue to next step to review your configuration.
2. Add PingOne as an authentication type in the Cloud Identity Engine app.
   1. Select Authentication Types and click Add New Authentication Type.
   2. Set Up a SAML 2.0 authentication type.
   3. Enter a Profile Name.
   4. Select PingOne as your Identity Provider Vendor.
   5. Select the method you want to use to Add Metadata and Submit the IdP profile.
      - If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
        1. In PingOne, select Applications > My Applications, then select the Cloud Identity Engine app.
        2. Copy the necessary information from PingOne and enter it in the IdP profile on the Cloud Identity Engine app as follows:
           - Copy the Issuer ID and enter it as the Identity Provider ID.
           - Download the Signing Certificate, then Click to Upload the certificate from the Okta Admin Console.
           - Copy the Initiate Single Sign-On (SSO) URL and enter it as the Identity Provider SSO URL.
        3. Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages (HTTP Redirect, which transmits SAML messages through URL parameters, or HTTP Post, which transmits SAML messages using base64-encoded HTML).
        4. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
      - If you want to upload a metadata file, download the metadata file from your IdP management system.
        1. In PingOne, select Applications > My Applications, then select the Cloud Identity Engine app.
        2. Download the SAML Metadata.
        3. In the Cloud Identity Engine app, Click to Upload the metadata file, then Open the metadata file.
      The Cloud Identity Engine does not currently support the Get URL method for PingOne.
   6. Test SAML setup to verify the profile configuration. This step is required to confirm that your firewall and IdP can communicate.
   7. If your IdP is configured to require users to log in using multi-factor authentication (MFA), select Multi-factor Authentication is Enabled on the Identity Provider.
   8. If you enabled the Force Re-authentication option in Step 1.9, enable the Force Authentication option to require users to log in with their credentials to reconnect to GlobalProtect.
   9. Select the SAML attributes you want the firewall to use for authentication and Submit the IdP profile.
      1. In the Okta Admin Console, Edit the User Attributes & Claims.
      2. In the Cloud Identity Engine, select the Username Attribute and optionally the Usergroup Attribute, Access Domain, User Domain, and Admin Role, then Submit your changes. You must select the username attribute in the Okta Admin Console for the attribute to display in the Cloud Identity Engine.
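The Maximum Clock Skew setting in Step 2.5 is the tolerance the relying party applies when it checks an assertion's validity window. The following Python function is an added example (not the firewall's or the Cloud Identity Engine's code) of that check against a constructed assertion: it widens the NotBefore/NotOnOrAfter window by the configured skew on both edges and rejects anything outside it, so a clock difference larger than the setting fails authentication exactly as the step describes.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment with a five-minute validity window (not a
# real PingOne response; signature and subject omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/EXAMPLE-IDP-ID</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z"
                   NotOnOrAfter="2024-05-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC; accept the trailing 'Z' form."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError("SAML timestamp must carry a timezone")
    return ts


def conditions_valid(assertion_xml, now, max_clock_skew=60):
    """Return (ok, reason) for the assertion's Conditions at time `now`.

    `now` is a timezone-aware datetime on the relying party's clock; the skew
    (1-900 s, default 60 as in the IdP profile) is allowed on both edges.
    """
    if not 1 <= max_clock_skew <= 900:
        raise ValueError("max_clock_skew must be between 1 and 900 seconds")
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML)
    if cond is None:
        return False, "assertion carries no Conditions element"
    skew = timedelta(seconds=max_clock_skew)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid (NotBefore)"
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired (NotOnOrAfter)"
    return True, "within validity window"
```

With the default 60-second skew, a firewall clock 30 seconds behind the IdP still accepts the sample assertion, while one 2 minutes behind rejects it as not yet valid; this check is only one part of validation and assumes the signature has already been verified against the IdP certificate.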