Configure Azure as an IdP in the Cloud Identity Engine

1. Download the Cloud Identity Engine integration in the Azure Portal.
1. If you have not already done so,  activate  the Cloud Identity Engine app.
2. Log in to the  Azure Portal  and select  Azure Active Directory .

Make sure you complete all the necessary  steps  in the Azure portal.

If you have more than one directory,  Switch directory  to select the directory you want to use with the Cloud Identity Engine.

3. Select  Enterprise applications  and click  New application .

4. Add from the gallery  then enter  Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service  and  download  the Azure AD single-sign on integration.
5. After the application loads, select  Users and groups , then  Add user/group  to  Assign  them to this application.

Select the users and groups you want to use the Azure IdP in the Cloud Identity Engine for authentication.

Be sure to assign the account you're using so you can test the configuration when it's complete. You may need to refresh the page after adding accounts to successfully complete the test.

6. Select  Single sign-on  then select  SAML .
7. Upload Metadata File  by browsing to the metadata file that you downloaded from the Cloud Identity Engine app and click  Add .
8. After the metadata uploads,  Save  your configuration.
9. (Optional)  Edit  your  User Attributes & Claims  to  Add a new claim  or  Edit  an existing claim.

If you attempt to test the configuration on the Azure Admin Console, a 404 error displays because the test is triggered by the IdP and the Cloud Identity Engine supports authentication requests initiated by the service provider.

2. Configure Azure AD for the Cloud Identity Engine.
1. Select  Single sign-on  then select  SAML .
2. Edit  the  Basic SAML Configuration  settings.
3. Upload metadata file  and select the metadata file you downloaded from the Cloud Identity Engine in the first step.
4. Enter your regional endpoint as the  Sign-on URL  using the following format:  https://<RegionUrl>.paloaltonetworks.com/sp/acs  (where <RegionUrl> is your regional endpoint). For more information on regional endpoints, see  Configure Cloud Identity Engine Authentication on the Firewall or Panorama .
5. Copy  the  App Federation Metadata Url  and save it to a secure location.

At this point in the process, you may see the option to  Test sign-in . If you try to test the single sign-on configuration now, the test won't be successful. You can test your configuration to verify it's correct in step 

9

.

3. Add and assign users who you want to require to use Azure AD for authentication.
1. Select  Azure Active Directory  then select  UsersAll users .
2. Create a  New user  and enter a  Name ,  User name .
3. Select  Show password , copy the password to a secure location, and  Create  the user.
4. In the  Palo Alto Networks Cloud Identity Engine - Cloud Authentication Service  integration in the Azure Portal, select  Users and groups .
5. Add user  then select  Users and groups .
4. Add Azure as an authentication type in the Cloud Identity Engine app.
1. In the Cloud Identity Engine app, select  AuthenticationAuthentication Types  then click  Add New Authentication Type .

2. Set Up  a  SAML 2.0  authentication type.

3. Select the  Metadata Type  you want to use.
• To use the client credential flow, the auth code flow, or SCIM, select  Single service provider metadata .
• To  Configure Dynamic Privilege Access in the Cloud Identity Engine , select  Dynamic service provider metadata .

4. Copy the  Entity ID  and  Assertion Consumer Service URL  and save them in a secure location.

5. Download SP Certificate  and  Download SP Metadata  and save them in a secure location.

6. Enter a unique and descriptive  Profile Name .

7. Select  Azure  as your  Identity Provider Vendor .

5. Select the method you want to use to  Add Metadata .

• If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.

1.                   Copy the necessary information from the Azure Portal and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:

Copy or Download from Azure Portal	Enter in Cloud Identity Engine IdP Profile
Copy the  Azure AD Identifier .	Enter it as the  Identity Provider ID .
Download  the  Certificate (Base64) .	Click  Browse files  to select the  Identity Provider Certificate  you downloaded from the Azure Portal.
Copy the  Login URL .	Enter the URL as the  Identity Provider SSO URL .

2.                  

3.                   (Optional) Select the  HTTP Binding for SSO Request to Identity Provider (Optional)  method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages:

• HTTP Redirect —Transmit SAML messages through URL parameters.
• HTTP Post —Transmit SAML messages using base64-encoded HTML.

• If you want to upload a metadata file, download the metadata file from your IdP management system.

1.                   In the Azure Portal,  Download  the  Federation Metadata XML  and  Save  it to a secure location.

2.                   In the Cloud Identity Engine app, click  Browse files  to select the metadata file, then  Open  the metadata file.

• If you want to use a URL to retrieve the metadata, copy the  App Federation Metadata Url , then paste it in the profile as the  Identity Provider Metadata URL  and click  Get URL  to obtain the metadata.

Palo Alto Networks recommends using this method to configure Azure as an IdP.

• If you don't want to enter the configuration information now, you can  Do it later . This option allows you to submit the profile without including configuration information. However, you must edit the profile to include the configuration information to use the authentication type in an authentication profile.

6. Specify the  Maximum Clock Skew (seconds) , which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.

7. Select  Multi-factor Authentication is Enabled on the Identity Provider  if your Azure configuration uses multi-factor authentication (MFA).

8. To require users to log in using their credentials to reconnect to GlobalProtect, enable  Force Authentication .

9. Click  Test SAML setup  to verify the profile configuration.

This step is necessary to confirm that your firewall and IdP can communicate.

If you do not provide the vendor information, the SAML test passes so that you can still submit the configuration.

10. Select the SAML attributes you want the firewall to use for authentication and  Submit  the IdP profile.
1. In the Azure Portal,  Edit  the  User Attributes & Claims .
2. (Optional) In the Cloud Identity Engine app, enter the  Username Attribute ,  Usergroup Attribute ,  Access Domain ,  User Domain , and  Admin Role .
3. Submit the profile.

11. If you want to  Enable Dynamic Privilege Access , ensure completion of the prerequisites before enabling this option, then  Submit  your changes to confirm the configuration.

For more information, refer to  Configure Dynamic Privilege Access in the Cloud Identity Engine .

Configure Okta as an IdP in the Cloud Identity Engine

If you want to use Okta to authenticate users with the Cloud Identity Engine, there are two ways to configure Okta authentication with the Cloud Identity Engine:

• Integrate Okta as a Gallery Application

  Recommended

• Integrate Okta as a Custom Application

1. Select the method you want to use to integrate the Okta authentication in the Cloud Identity Engine and complete the steps in the Okta management console.
• Integrate Okta as a Gallery Application

  Recommended

• Integrate Okta as a Custom Application
1. Set up the Okta authentication in the Cloud Identity Engine.

1.                   If you have not already done so,  activate  the Cloud Identity Engine app.

2.                   In the Cloud Identity Engine app, select  AuthenticationSP MetadataDownload SP Metadata  and  Save  the metadata in a secure location.

3. Add Okta as an authentication type in the Cloud Identity Engine app.

1.                   Select  Authentication Types  and click  Add New Authentication Type .

2.                   Set Up  a  SAML 2.0  authentication type.

3.                   Enter a  Profile Name .

4.                   Select  Okta  as your  Identity Provider Vendor .

4. Select the method you want to use to  Add Metadata  and  Submit  the IdP profile.
• If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
1. In the Okta Admin Console, click  Identity Provider metadata .

2. Copy the necessary information from the Okta Admin Console and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:

Copy or Download from Okta Admin Console	Enter in Cloud Identity Engine
Copy the  Identity Provider Issuer .	Enter it as the  Identity Provider ID .
Download  the  X.509 Certificate .	Click to Upload  the certificate from the Okta Admin Console.
Copy the  Identity Provider Single Sign-On URL .	Enter the URL as the  Identity Provider SSO URL .

3. 
4. Select the  HTTP Binding for SSO Request to IdP  method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages:
• HTTP Redirect —Transmit SAML messages through URL parameters.
• HTTP Post —Transmit SAML messages using base64-encoded HTML.
• If you want to upload a metadata file, download the metadata file from your IdP management system.
1. In the Okta Admin Console, click  View Setup Info  and copy the  IDP metadata  and save it to a secure location.
2. In the Cloud Identity Engine app, click  Browse Files  to select the metadata file then  Open  the metadata file.

• If you want to use a URL to retrieve the metadata, copy the  IDP metadata  from step 

4.2

. Paste it in the profile and click  Get URL  to obtain the metadata.

#id4126bb2e-0974-45b8-81da-c13f5db29908_li_l5n_bz5_3xb

• If you don't want to enter the configuration information now, you can  Do it later . This option allows you to submit the profile without including configuration information. However, you must edit the profile to include the configuration information to use the authentication type in an authentication profile.

5. Specify the  Maximum Clock Skew (seconds) , which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
6. To require users to log in using their credentials to reconnect to GlobalProtect, enable  Force Authentication .

7. Test SAML setup  to verify the profile configuration.

This step is necessary to confirm that your firewall and IdP can communicate.

8. Select the SAML attributes you want the firewall to use for authentication and  Submit  the IdP profile.

You must select the username attribute in the Okta Admin Console for the attribute to display in the Cloud Identity Engine.

1.                   In the Okta Admin Console,  Edit  the  User Attributes & Claims .

2.                   In the Cloud Identity Engine app, select the  Username Attribute  and optionally, the  Usergroup Attribute ,  Access Domain ,  User Domain , and  Admin Role .

If you're using the Cloud Identity Engine for SAML authentication with GlobalProtect Clientless VPN, you must configure the  User Domain  attribute to the same value as the  userdomain  field in the Okta Admin Console ( ApplicationsApplicationsSAML 2.0General ).

Integrate Okta as a Gallery Application

Palo Alto Networks strongly recommends that you integrate Okta in the Cloud Identity Engine as a gallery application. Complete the following steps to add and configure the Okta gallery application in the Cloud Identity Engine. Be sure to complete all the steps here and in the  Okta documentation .

1. Log in to the Okta Admin Console and select  ApplicationsApplications .

2. Click  Browse App Catalog .

3. Search for and select  Palo Alto Networks Cloud Identity Engine .

4. Click  Add Integration .

5. Optionally edit the application name then click  Next .

6. Verify that  SAML 2.0  is the sign-on option type.

7. If you enabled  Force Authentication in step 

6

, select  Applications , select the app you created, select  Sign-On ,  Edit  the  Settings , and uncheck  Disable Force Authentication .

8. Edit and paste the  SAML Region .

The SAML Region is based on the Entity ID in the SP Metadata. To obtain the SAML Region, enter only the text between the backslash in the Entity ID and the  paloaltonetworks.com  domain. For example, if the Entity ID is  https://cloud-auth.us.apps.paloaltonetworks.com/sp , the SAML Region is  cloud- auth.us.apps .

9. Select the  Application username format  that you want to use to authenticate the user. For example,  Email  represents the UserPrincipalName (UPN) format.

10. Click  Done .

11. (Optional) If you want to configure other attributes in addition to the username, refer to the  Okta documentation .

Integrate Okta as a Custom Application

Palo Alto Networks strongly recommends that you 

Integrate Okta as a Gallery Application

. However, if you want to configure the Okta integration as a custom application, complete the following steps.

1. Log in to the Okta Admin Console and select  ApplicationsApplications .

2. Click  Create App Integration .

3. Verify that  SAML 2.0  is the sign-on method then click  Next .

4. Enter an  App name  then click   Next .

5. Copy the  SP Metadata  information from the Cloud Identity Engine and enter it in the Okta Admin Console as described in the following table:

Copy from Cloud Identity Engine	Enter in Okta Admin Console
Copy the  Entity ID  from the SP Metadata page.	Enter it as the  Audience URI (SP Entity ID) .
Copy the  Assertion Consumer Service URL .	Enter the URL as the  Single sign on URL .

6. 
7. ( Required for custom app ) Select a  Value  for the user attributes ( Attribute Statements ( optional) ) and optionally enter a  Filter  for the group attributes ( Group Attribute Statements (optional) ) to specify the attribute formats.

You must configure at least one SAML attribute that contains identification information for the user (usually the username attribute) for the attributes to display in the Cloud Identity Engine. To configure administrator access, you must also enter values for the  accessdomain  attribute and for the  adminrole  attribute that match the values on the firewall.

8. Click  Next , specify whether you're a customer or partner, then click  Finish .
9. Click  Add Rule  to define a  Sign On Policy  that specifies which users and groups must authenticate with the Okta IdP using the Cloud Identity Engine.
10. Select  Assignments  and  Assign  the users and groups that you require to authenticate using the Cloud Identity Engine.  Save and Go Back  to assign more users or groups.

Be sure to assign the account you're using so you can test the configuration when it's complete. You may need to refresh the page after adding accounts to successfully complete the test.

11. Select  Sign On  and  View Setup Instructions .
12. Select the SAML attributes you want the firewall to use for authentication.

Configure PingOne as an IdP in the Cloud Identity Engine

Configure a profile to configure PingOne as an identity provider (IdP) in the Cloud Identity Engine. After you configure the IdP profile,  Configure Cloud Identity Engine Authentication on the Firewall or Panorama .

1. Enable the Cloud Identity Engine app in PingOne .
1. If you have not already done so,  activate  the Cloud Identity Engine app.
2. In the Cloud Identity Engine app, select  AuthenticationSP MetadataDownload SP Metadata  and  Save  the metadata in a secure location.

3. Log in to PingOne and select  ApplicationsMy ApplicationsAdd ApplicationNew SAML Application .

4. Enter an  Application Name , an  Application Description , and select the  Category  then  Continue to Next Step .
5. Select  I have the SAML configuration  and ensure the  Protocol Version  is  SAML v 2.0 .

6. Click  Select File  to  Upload Metadata

7. Copy the metadata information from the Cloud Identity Engine and enter it in PingOne as described in the following table:

Copy from Cloud Identity Engine	Enter in PingOne
Copy the  Entity ID  from the SP Metadata page.	Enter it as the  Entity ID .
Copy the  Assertion Consumer Service URL .	Enter the URL as the  Assertion Consumer Service (ACS) .

8. 
9. Select either  RSA_SHA384  or  RSA_SHA256  as the  Signing Algorithm .

10. If you want to require users to log in with their credentials to reconnect to GlobalProtect, select  Force Re-authentication .

11. (Required for MFA) If you want to require multi-factor authentication for your users, select  Force MFA .
12. Click  Continue to Next Step  to specify the attributes for the users you want to authenticate using PingOne .
13. Specify the  Application Attribute  and the associated  Identity Bridge Attribute or Literal Value  for your user then select  Required .

Be sure to assign the account you're using so you can test the configuration when it's complete. You may need to refresh the page after adding accounts to successfully complete the test.

14. Click  Add new attribute  as needed to include additional attributes then  Continue to next step  to specify the group attributes.
15. Add  the groups you want to authenticate using PingOne or  Search  for the groups you want to add then  Continue to next step  to review your configuration.

2. Add PingOne as an authentication type in the Cloud Identity Engine app.
1. Select  Authentication Types  and click  Add New Authentication Type .

2. Set Up  a  SAML 2.0  authentication type.

3. Enter a  Profile Name .

4. Select  PingOne  as your  Identity Provider Vendor .
2. Select the method you want to use to  Add Metadata  and  Submit  the IdP profile.

• If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
1. In PingOne , select  ApplicationsMy Applications  then select the Cloud Identity Engine app.
2. Copy the necessary information from PingOne and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:

Copy or Download from Okta Admin Console	Enter in Cloud Identity Engine IdP Profile
Copy the  Issuer  ID.	Enter it as the  Identity Provider ID .
Download  the  Signing Certificate .	Click to Upload  the certificate from the Okta Admin Console.
Copy the  Initiate Single Sign-On (SSO) URL .	Enter the URL as the  Identity Provider SSO URL .

3. 
• If you want to upload a metadata file, download the metadata file from your IdP management system.
1. In PingOne , select  ApplicationsMy Applications  then select the Cloud Identity Engine app.
2. Download   the  SAML Metadata .
3. In the Cloud Identity Engine app, click  Browse files  to select the metadata file, then  Open  the metadata file.

• To use the  Get URL  method, copy the URL from your IdP and enter it in Cloud Identity Engine.
1. Log in to Ping One using your administrator credentials.
2. Select  Applications  then select the application you created in step 

1.c

.

3. Copy the  SAML Metadata URL  and save it in a secure location.

4. In the Cloud Identity Engine, select  Get URL  and the  Add Metadata  method and paste the URL you copied in the previous step as the  Identity Provider Metadata URL .

5. Click  Get URL  to confirm the URL and populate the  Identity Provider ID  and  Identity Provider SSO URL .

• If you don't want to enter the configuration information now, you can  Do it later . This option allows you to submit the profile without including configuration information. However, you must edit the profile to include the configuration information to use the authentication type in an authentication profile.

4. Select the  HTTP Binding for SSO Request to IdP  method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages:

• HTTP Redirect —Transmit SAML messages through URL parameters.
• HTTP Post —Transmit SAML messages using base64-encoded HTML.

5. Specify the  Maximum Clock Skew (seconds) , which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
6. If your IdP requires users to log in using multi-factor authentication (MFA), select   Multi-factor Authentication is Enabled on the Identity Provider .

7. If you enabled the  Force Re-authentication  option in step 

1.9

, enable the  Force Authentication  option to require users to log in with their credentials to reconnect to GlobalProtect.

8. Test SAML setup  to verify the profile configuration.

This step is necessary to confirm that your firewall and IdP can communicate.

9. Select the SAML attributes you want the firewall to use for authentication and  Submit  the IdP profile.
1. In the Okta Admin Console,  Edit  the  User Attributes & Claims .
2. In the Cloud Identity Engine, select the  Username Attribute  and optionally, the  Usergroup Attribute ,  Access Domain ,  User Domain , and  Admin Role , then  Submit  your changes.

You must select the username attribute in the Okta Admin Console for the attribute to display in the Cloud Identity Engine.

10. 

Configure PingFederate as an IdP in the Cloud Identity Engine

1. Prepare the metadata for the Cloud Identity Engine app in PingFederate.
1. If you have not already done so,  activate  the Cloud Identity Engine app.
2. In the Cloud Identity Engine app, select  AuthenticationSP MetadataDownload SP Metadata  and  Save  the metadata in a secure location.

3. Log in to PingFederate and select  SystemSP AffiliationsProtocol MetadataMetadata Export .
4. Select  I am the Identity Provider (IdP)  then click  Next .

5. Select information to include in metadata manually  then click  Next .

6. Select the  Signing key  you want to use then click  Next .
7. Ensure that  SAML 2.0  is the protocol then click  Next .
8. Click  Next  as you don't need to define an attribute contract.
9. Select the  Signing Certificate  and that you want to  Include this certificate’s public key certificate in the <key info> element .

10. Select the  Signing Algorithm  you want to use then click  Next .
11. Select the same certificate as the  Encryption certificate  then click  Next .
12. Review the metadata to verify the settings are correct then  Export  the metadata.

2. Add PingFederate as an authentication type in the Cloud Identity Engine app.
1. Select  Authentication Types  and click  Add New Authentication Type .

2. Set Up  a  SAML 2.0  authentication type.

3. Enter a  Profile Name .

4. Select  PingFederate  as your  Identity Provider Vendor .
2. Select the method you want to use to  Add Metadata  and  Submit  the IdP profile.

• If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
1. In PingFederate, select  SystemOAuth SettingsProtocol Settings  to copy the  Base URL  and  SAML 2.0 Entity .
2. Copy the necessary information from PingFederate and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:

Copy or Download from PingFederate	Enter in Cloud Identity Engine IdP Profile
Copy the  SAML 2.0 Entity  ID.	Enter it as the  Identity Provider ID .
Copy the  Base URL .	Enter the URL as the  Identity Provider SSO URL .

3. 
4. In PingFederate, select  SecuritySigning & Decryption Keys & Certificates  to  Export  the certificate you want to use.
5. In the Cloud Identity Engine app, click  Browse files  to select the PingFederate certificate.
6. Select the  HTTP Binding for SSO Request to IdP  method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages:
• HTTP Redirect —Transmit SAML messages through URL parameters.
• HTTP Post —Transmit SAML messages using base64-encoded HTML.
• If you want to upload a metadata file, download the metadata file from your IdP management system.
1. Locate the metadata file from the first step.
2. In the Cloud Identity Engine app, click  Browse files  to select the metadata file, then  Open  the metadata file.

• If you don't want to enter the configuration information now, you can  Do it later . This option allows you to submit the profile without including configuration information. However, you must edit the profile to include the configuration information to use the authentication type in an authentication profile.

4. The Cloud Identity Engine does not currently support the  Get URL  method for PingFederate.
5. Specify the  Maximum Clock Skew (seconds) , which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
6. To require users to log in using their credentials to reconnect to GlobalProtect, enable  Force Authentication .

7. Test SAML setup  to verify the profile configuration.

This step is necessary to confirm that your firewall and IdP can communicate.

8. Select the SAML attributes you want the firewall to use for authentication and  Submit  the IdP profile.
1. In the Cloud Identity Engine, select the  Username Attribute .
2. (Optional) Select the  Usergroup Attribute ,  Access Domain ,  User Domain , and  Admin Role .

Configure Google as an IdP in the Cloud Identity Engine

If you use Google to authenticate users, you can configure your Google IdP as an authentication type in the Cloud Identity Engine.

The Cloud Identity Engine does not support the ForceAuthn attribute for Google as an IdP.

1. Prepare to configure Google as an IdP in the Cloud Identity Engine.
1. If you have not already done so,  activate  the Cloud Identity Engine app.
2. In the Cloud Identity Engine app, select  AuthenticationSP MetadataDownload SP Metadata  and  Save  the metadata in a secure location.

3. Log in to the Google Admin Console and select  AppsSAML Apps .

4. Select  Add AppAdd custom SAML app .

5. Enter an  App name  then  Continue  to the next step.
6. Click  Download Metadata  to  Download IdP metadata  then  Continue  to the next step.

7. Copy the metadata information from the Cloud Identity Engine and enter it in the Google Admin Console as described in the following table then  Continue  to the next step:

Copy from Cloud Identity Engine	Enter in Google Admin Console
Copy the  Entity ID  from the SP Metadata page.	Enter it as the  Entity ID .
Copy the  Assertion Consumer Service URL .	Enter the URL as the  ACS URL .

8. Add mapping  to select the  Google Directory attributes  then specify the corresponding  App attributes . Repeat for each attribute you want to use then click  Finish  when the changes are complete.

9. View details  to specify the users and groups you want to authenticate with Google and enable the app to turn it  ON for everyone  then  Save  your changes.

10. Select  DirectoryUsers  to specify the users you want to authenticate using Google.

2. Add Google as an authentication type in the Cloud Identity Engine app.
1. Select  Authentication Types  and click  Add New Authentication Type .

2. Set Up  a  SAML 2.0  authentication type.

3. Enter a  Profile Name .

4. Select  Google  as your  Identity Provider Vendor .
2. Select the method you want to use to  Add Metadata  and  Submit  the profile.

• If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine.
1. In the Google Admin Console, select the Cloud Identity Engine app and  Download Metadata .

2. Click  Download Metadata  then copy the necessary information from Google and enter it in the Cloud Identity Engine app as indicated in the following table:

Copy or Download from Google Admin Console	Enter in Cloud Identity Engine IdP Profile
Copy the  Entity ID .	Enter it as the  Identity Provider ID .
Download  the  Certificate .	Click to Upload  the certificate from Google.
Copy the  SSO URL .	Enter the URL as the  Identity Provider SSO URL .

3. 
• If you want to upload a metadata file, download the metadata file from your IdP management system.
1. In the Google Admin Console, select the Cloud Identity Engine app and  Download Metadata .
2. Click  Download Metadata  and  Save  the file to a secure location.
3. In the Cloud Identity Engine app, select  Upload Metadata  then click  Browse files  to select the metadata file then  Open  the metadata file.

• To use the  Get URL  method, copy the URL from your IdP and enter it in Cloud Identity Engine.
1. Log in to the Google portal using your administrator credentials.
2. Select  AppsWeb and mobile apps .

3. Select the Google app you created in step 

1.d

.

4. Click  Download Metadata .

5. Copy the  SSO URL  and store it in a secure location.

6. In the Cloud Identity Engine, select  Get URL  and paste the URL as the  Identity Provider Metadata URL .

7. Click  Get URL  to confirm the URL and populate the  Identity Provider ID  and  Identity Provider SSO URL .

• If you don't want to enter the configuration information now, you can  Do it later . This option allows you to submit the profile without including configuration information. However, you must edit the profile to include the configuration information to use the authentication type in an authentication profile.

4. Select the  HTTP Binding for SSO Request to IdP  method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages:

• HTTP Redirect —Transmit SAML messages through URL parameters.
• HTTP Post —Transmit SAML messages using base64-encoded HTML.

5. Specify the  Maximum Clock Skew (seconds) , which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
6. To require users to log in using their credentials to reconnect to GlobalProtect, enable  Force Authentication .

7. Test SAML setup  to verify the profile configuration.

This step is necessary to confirm that your firewall and IdP can communicate.

8. Select the SAML attributes you want the firewall to use for authentication and  Submit  the IdP profile.

Select the  Username Attribute  and optionally, the  Usergroup Attribute ,  Access Domain ,  User Domain , and  Admin Role .

Configure a SAML 2.0-Compliant IdP in the Cloud Identity Engine

To use a SAML 2.0-compliant identity provider (IdP) that is not listed as an  Identity Provider Vendor , you can configure the IdP using the  Others

1. Obtain the information from your SAML 2.0- compliant IdP that you need to configure in the Cloud Identity Engine.
1. Copy the following information from your IdP:
• Identity Provider ID
• Identity Provider Certificate
• Identity Provider SSO URL
2. In the Cloud Identity Engine app, select  AuthenticationSP MetadataDownload SP Metadata  and  Save  the metadata in a secure location.

2. Configure the IdP in the Cloud Identity Engine.
1. Select  Authentication Types  and click  Add New Authentication Type .

2. Set Up  a  SAML 2.0  authentication type.

3. Enter a  Profile Name .

4. Select  Others  as your  Identity Provider Vendor .
2. Select the method you want to use to  Add Metadata .

• If you want to enter the information manually, obtain the necessary information from your IdP then enter the information in the Cloud Identity Engine.

1.                   Copy or download the following information from your IdP and enter it in the Cloud Identity Engine app:

• Identity Provider ID
• Identity Provider Certificate
• Identity Provider SSO URL

2.                   Select the  HTTP Binding for SSO Request to IdP  method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages:

• HTTP Redirect —Transmit SAML messages through URL parameters.
• HTTP Post —Transmit SAML messages using base64-encoded HTML.

• If you want to upload a metadata file, download the metadata file from your IdP management system.

1.                   Download the metadata from your IdP.

2.                   In the Cloud Identity Engine app, click  Browse files  to select the metadata file then  Open  the metadata file.

• If you want to use a URL to retrieve the metadata, copy the URL from your IdP. Enter it as the  Identity Provider Metadata URL  in the Cloud Identity Engine and click  Get URL  to obtain the metadata.
• If you don't want to enter the configuration information now, you can  Do it later . This option allows you to submit the profile without including configuration information. However, you must edit the profile to include the configuration information to use the authentication type in an authentication profile.

4. Specify the  Maximum Clock Skew (seconds) , which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
5. To require users to log in using their credentials to reconnect to GlobalProtect, enable  Force Authentication .
6. Test SAML setup  to verify the profile configuration.

This step is necessary to confirm that your firewall and IdP can communicate.

7. Select the SAML attributes you want the firewall to use for authentication and  Submit  the IdP profile.
1. In the IdP, edit as necessary the attributes you want to use to authenticate users.
2. In the Cloud Identity Engine app, select the  Username Attribute  and optionally, the  Usergroup Attribute ,  Access Domain ,  User Domain , and  Admin Role .

Configure a Client Certificate

To use a client certificate to authenticate users, configure a certificate authority (CA) and client certificate.

1. Configure a Certificate Authority (CA) chain to authenticate users.

Upload the CA chain, including the root certificate and any intermediate certificates, that issues the client certificate. The Cloud Identity Engine supports multiple intermediate certificates but does not support sibling intermediate certificates in a single CA chain.

1. In the Cloud Identity Engine app, select  AuthenticationCA ChainsAdd CA Chain .

2. Enter the necessary information for the CA chain profile.

• CA Name —Enter a unique name to identify the CA chain in the Cloud Identity Engine tenant.
• Upload Certificate — Drag and drop file(s) here  or  Browse files  to your CA certificate then  Open  the certificate to select it.

The file must end in the  . crt  or  . pem  file extension.

• Certificate Revocation List Endpoint (Optional) —( Optional but recommended) Specify the URL for the certificate revocation list (CRL) list that you want the Cloud Identity Engine to use to validate the client certificate.
2. Submit  the changes to complete the configuration.
1. In the Cloud Identity Engine app, select  AuthenticationAuthentication TypesAdd New Authentication Type .

3. Select  Client CertificateSet Up .

4. Enter a unique  Authentication Type Name  for the client certificate.
5. Select the  Username Field  that you want the Cloud Identity Engine to use to authenticate users.

Select the  Username Field  based on the attribute type of the client certificate that you want to use to authenticate the user; for example, if the username is defined in the client certificate using  Subject , select  Subject .

6. Configure the  Username Attribute  based on the previous step and the attribute that your client certificate uses to authenticate users.

• If the Username Field is  Subject , the Username Attribute is  CN .
• If the Username Field is  Subject Alt Name , select  Email  or  User Principal Name  based on the attribute that your client certificate specifies.

7. Click  Add CA Chain  to add one or more CA chains to authenticate users.

8. Enter a search term in the  Search CA Chain  field or select a CA chain you previously configured and  Add  it to the configuration.

The Cloud Identity Engine supports grouping multiple CA chains in a certificate type to authenticate client certificates issued by multiple CA chains.

9. Submit  your changes to configure the authentication type.