GlobalProtect
Single Sign-On (SSO) Using Smart Card Authentication
Table of Contents
Single Sign-On (SSO) Using Smart Card Authentication
Software Support
: Starting with GlobalProtect™
app 6.0 with Content Release version 8451-6911 or later.OS
Support
: Windows 10If you have configured the GlobalProtect
portal to authenticate end users through single sign-on (SSO) using
smart card authentication, end users can now connect without having
to re-enter their smart card Personal Identification Number (PIN)
in the GlobalProtect app for a seamless SSO experience. End users
can leverage the same smart card PIN for GlobalProtect with their
Windows endpoint. This improves the user experience by reducing
the number of times end users must enter their smart card PIN when
they log in. After the end user successfully logs in to the Windows
endpoint, the GlobalProtect app acquires and remembers their smart card
PIN to authenticate with the GlobalProtect portal and gateway.
You
can define the type of PIN caching policy for Windows
that is associated with the PIN for the smart card provider. The
PIN is cached only if allowed from the smart card provider. GlobalProtect
clears the PIN from the cache if end users manually sign out of
the GlobalProtect app, sign out of Windows, or the PIN is changed.
- Set the pre-deployed setting on Windows endpoints to use SSO for smart card authentication.You must set the pre-deployed setting on the end user endpoints before you can enable SSO for smart card PIN. GlobalProtect retrieves this entry only once, when the GlobalProtect app initializes.If theUSESSOPINvalue is set toyesin the pre-deployed setting of the client machine and theUse Single Sign-On for Smart Card PIN (Windows)option is set tonoin the portal configuration, end users will not have the best user experience. TheUse Single Sign-On for Smart Card PIN (Windows)option of the GlobalProtect portal and the pre-deployed setting in the end user machine must have the same value to provide the best user experience.If you set bothUse Single Sign-On (Windows)andUse Single Sign-On for Smart Card PIN (Windows)options toyesin the portal configuration, theUse Single Sign-On for Smart Card PIN (Windows)option takes precedence over theUse Single Sign-On (Windows)option.On Windows endpoints, set theUSESSOPINvalue toyesfrom the Windows Installer (Msiexec) using the following syntax:msiexec.exe /i GlobalProtect64.msi USESSOPIN="yes"
- Assign the certificate profile associated with the smart card to the GlobalProtect portal.
- Configure the gateway to authenticate end users based on a smart card.
Enable the GlobalProtect app so that end users can leverage the same smart card PIN for GlobalProtect with their Windows endpoint.- Select .
- SelectYesto enable the GlobalProtect app to use SSO for smart card PIN.
![]()
ClickOKtwice.Committhe configuration.Log in to the Windows endpoint using the smart card PIN.- ClickSign-in options, and then click thesmart card() button.
![]()
- When prompted, insert the smart card to verify that smart card authentication is successful.
![]()
- Enter the PIN for the smart card, and click the arrow to submit.If smart card authentication is successful, end users can connect to the portal or gateway specified in the configuration without having to re-enter their smart card PIN.
![]()
(Optional) Log in to GlobalProtect using the same smart card PIN.End users can leverage the same smart card PIN that they used to log in to their Windows endpoint.- Launch the GlobalProtect app by clicking the system tray icon. The status panel opens.
- Click the hamburger menu to open theSettingspanel.
- On theSettingspanel,Sign Outto clear your saved user credentials from the GlobalProtect app.
- Reconnect to GlobalProtect with the same smart card PIN.The GlobalProtect app displays a smart card PIN error if the PIN is not valid.
![]()
