PingFederate

Introduction

This article offers a detailed guide on configuring PingFederate as a SAML 2.0 identity provider

By integrating with PingFederate, Harmony SASE can authenticate users, ensuring a secure and efficient login process.

Steps

1. These are the most important configuration parameters:

• EntityID: urn:auth0:perimeter81:{{WORKSPACE}}-oc for US based platform or urn:auth0:eu-sase-checkpoint:{{WORKSPACE}}-oc for EU based platform

• Assertion Consumer Service URL: https://auth.perimeter81.com/login/callback?connection={{WORKSPACE}}-oc for US based platform or https://auth.eu.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc for EU based platform

• HTTP-Redirect binding for SAML Request

• HTTP-POST binding for SAML Response

Configuring an SP Connection from PingFederate

1. Sign on to your PingFederated account and select Create New from the SP Connections section.
2. Configure the SP Connection.
   • Select the Browser SSO Profiles as the Connection Type.
   • Select Browser SSO as the Connection Options.
3. Configure the connection Parameters (Step 1)

4. Configure Browser SSO.
   • Select SP-Initiated SSO and SP-Initiated SLO in SAML Profiles.
   • Go to the Assertion Creation section and click Configure Assertion.
     Accept all defaults for the next two screens.
5. Go to the IdP Adapter Mapping section. This is where users will be authenticated. Likely, you already have one configured in your PingFederate installation. Select one, or add a new one. Auth0 only requires the NameIdentifier claim. All other attributes will be passed further to the end application.
6. Configure Protocol Settings. Values for Protocol Settings are imported from the metadata file. Next, you will see the Assertion Consumer Service URL and the Sign-Out URLs. Click Next to the Allowable SAML Bindings section.
7. Leave POST and Redirect enabled. Make sure SAML Assertion is always signed.
8. Configure Credentials. On Digital Signature Settings, select your signing certificate and make sure you check the option to include it in the  element.
9. Configure the certificate used to sign incoming requests.
10. Review your settings and set as Active or Inactive.
11. Click Save at the bottom of the screen. You should see the new SP Connection on the Main screen.

Configuring the Connection on Harmony SASE

At this point, you will configure the integration from the Harmony SASE side.

1. Log in to your Harmony SASE Administrator Portal, and navigate to Settings and then Identity Providers.
2. Select + Add Provider.
3. Choose SAML 2.0 Identity Providers.
4. Sign In URL:
   • https://sso.{{Your PingFederate Domain}}.com/idp/SSO.saml2
5. Add your organization domain.
6. Paste the certification from PingFederate.
7. Select Done.

Recommendations

• Always replace placeholders like {{WORKSPACE}} and {{Your PingFederate Domain}} with the actual values during the configuration.
• Ensure that the correct attributes are mapped in PingFederate for accurate user authentication and authorization in Harmony SASE.
• Periodically review your PingFederate configuration settings to ensure they align with any updates or changes made within the Harmony SASE platform

Troubleshooting

If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

Support Contacts

If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at sase.checkpoint.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success