Single Sign-On (SSO) Using Smart Card Authentication
Software Support: Starting with GlobalProtect™ app 6.0 with Content Release version 8451-6911 or later.
OS Support: Windows 10
If you have configured the GlobalProtect portal to authenticate end users through single sign-on (SSO) using smart card authentication, end users can now connect without having to re-enter their smart card Personal Identification Number (PIN) in the GlobalProtect app for a seamless SSO experience. End users can leverage the same smart card PIN for GlobalProtect with their Windows endpoint. This improves the user experience by reducing the number of times end users must enter their smart card PIN when they log in. After the end user successfully logs in to the Windows endpoint, the GlobalProtect app acquires and remembers their smart card PIN to authenticate with the GlobalProtect portal and gateway.
You can define the type of PIN caching policy for Windows that is associated with the PIN for the smart card provider. The PIN is cached only if the smart card provider allows it. GlobalProtect clears the PIN from the cache if end users manually sign out of the GlobalProtect app or sign out of Windows, or if the PIN is changed.
- Set the pre-deployed setting on Windows endpoints to use SSO for smart card authentication.
  You must set the pre-deployed setting on the end user endpoints before you can enable SSO for smart card PIN. GlobalProtect retrieves this entry only once, when the GlobalProtect app initializes.
  If the USESSOPIN value is set to yes in the pre-deployed setting of the client machine and the Use Single Sign-On for Smart Card PIN (Windows) option is set to no in the portal configuration, end users will not have the best user experience. The Use Single Sign-On for Smart Card PIN (Windows) option of the GlobalProtect portal and the pre-deployed setting in the end user machine must have the same value to provide the best user experience.
  If you set both Use Single Sign-On (Windows) and Use Single Sign-On for Smart Card PIN (Windows) options to yes in the portal configuration, the Use Single Sign-On for Smart Card PIN (Windows) option takes precedence over the Use Single Sign-On (Windows) option.
  On Windows endpoints, set the USESSOPIN value to yes from the Windows Installer (Msiexec) using the following syntax:
  msiexec.exe /i GlobalProtect64.msi USESSOPIN="yes"
- Enable the GlobalProtect app so that end users can leverage the same smart card PIN for GlobalProtect with their Windows endpoint.
  - Select Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App > Use Single Sign-On for Smart Card PIN (Windows).
  - Select Yes to enable the GlobalProtect app to use SSO for smart card PIN.
  - Click OK twice.
  - Commit the configuration.
- Log in to the Windows endpoint using the smart card PIN.
  - Click Sign-in options, and then click the smart card button.
  - When prompted, insert the smart card to verify that smart card authentication is successful.
  - Enter the PIN for the smart card, and click the arrow to submit.
    If smart card authentication is successful, end users can connect to the portal or gateway specified in the configuration without having to re-enter their smart card PIN.
- (Optional) Log in to GlobalProtect using the same smart card PIN.
  End users can leverage the same smart card PIN that they used to log in to their Windows endpoint.
  - Launch the GlobalProtect app by clicking the system tray icon. The status panel opens.
  - Click the hamburger menu to open the Settings panel.
  - On the Settings panel, Sign Out to clear your saved user credentials from the GlobalProtect app.
  - Reconnect to GlobalProtect with the same smart card PIN.
    The GlobalProtect app displays a smart card PIN error if the PIN is not valid.
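
One way to script the pre-deployed setting step for unattended rollout, as an added example (not Palo Alto Networks' own tooling): it runs the documented msiexec command silently and confirms from the verbose MSI log that USESSOPIN="yes" reached the installer, which matters because GlobalProtect retrieves the entry only once. The staging path, log path and the Test-MsiPropertyInLog helper are assumptions for illustration.

```powershell
# Added example: silent install with USESSOPIN="yes", then verification from the MSI log.
param(
    [string]$MsiPath = 'C:\Deploy\GlobalProtect64.msi',   # assumed staging path
    [string]$LogPath = "$env:TEMP\gp-install.log"          # assumed log location
)

function Test-MsiPropertyInLog {
    # Hypothetical helper: $true if the verbose MSI log's property dump
    # contains a line of the form "Property(C|S): NAME = VALUE".
    param([string[]]$LogLines, [string]$Name, [string]$Value)
    $pattern = '^Property\([CS]\):\s*{0}\s*=\s*{1}\s*$' -f `
        [regex]::Escape($Name), [regex]::Escape($Value)
    return [bool]($LogLines | Where-Object { $_ -match $pattern })
}

if (-not (Test-Path -LiteralPath $MsiPath)) {
    throw "Installer not found: $MsiPath"
}

# /qn = no UI, /norestart = suppress reboot, /l*v = verbose log (includes property dump)
$msiArgs = @('/i', "`"$MsiPath`"", 'USESSOPIN="yes"',
             '/qn', '/norestart', '/l*v', "`"$LogPath`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success with reboot required; anything else is a failure.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
}

# Confirm the public property was actually passed, not silently dropped by a
# packaging wrapper or a quoting mistake on the command line.
$log = Get-Content -LiteralPath $LogPath
if (-not (Test-MsiPropertyInLog -LogLines $log -Name 'USESSOPIN' -Value 'yes')) {
    throw "USESSOPIN = yes not found in $LogPath; the property did not reach the installer"
}

Write-Output "GlobalProtect installed with USESSOPIN=yes (exit code $($proc.ExitCode))."
Write-Output "Set 'Use Single Sign-On for Smart Card PIN (Windows)' to Yes in the portal config to match."
```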