Single Sign-On (SSO) Using Smart Card Authentication

Software Support
: Starting with GlobalProtect™ app 6.0 with Content Release version 8451-6911 or later.
OS Support
: Windows 10
If you have configured the GlobalProtect portal to authenticate end users through single sign-on (SSO) using smart card authentication, end users can now connect without having to re-enter their smart card Personal Identification Number (PIN) in the GlobalProtect app for a seamless SSO experience. End users can leverage the same smart card PIN for GlobalProtect with their Windows endpoint. This improves the user experience by reducing the number of times end users must enter their smart card PIN when they log in. After the end user successfully logs in to the Windows endpoint, the GlobalProtect app acquires and remembers their smart card PIN to authenticate with the GlobalProtect portal and gateway.
You can define the type of PIN caching policy for Windows that is associated with the PIN for the smart card provider. The PIN is cached only if allowed from the smart card provider. GlobalProtect clears the PIN from the cache if end users manually sign out of the GlobalProtect app, sign out of Windows, or the PIN is changed.
  1. Set the pre-deployed setting on Windows endpoints to use SSO for smart card authentication.
    You must set the pre-deployed setting on the end user endpoints before you can enable SSO for smart card PIN. GlobalProtect retrieves this entry only once, when the GlobalProtect app initializes.
    If the USESSOPIN value is set to yes in the pre-deployed setting of the client machine and the Use Single Sign-On for Smart Card PIN (Windows) option is set to no in the portal configuration, end users will not have the best user experience. The Use Single Sign-On for Smart Card PIN (Windows) option of the GlobalProtect portal and the pre-deployed setting on the end user machine must have the same value to provide the best user experience.
    If you set both the Use Single Sign-On (Windows) and Use Single Sign-On for Smart Card PIN (Windows) options to yes in the portal configuration, the Use Single Sign-On for Smart Card PIN (Windows) option takes precedence over the Use Single Sign-On (Windows) option.
    On Windows endpoints, set the USESSOPIN value to yes from the Windows Installer (Msiexec) using the following syntax:
    msiexec.exe /i GlobalProtect64.msi USESSOPIN="yes"
    1. Assign the certificate profile associated with the smart card to the GlobalProtect portal.
    2. Configure the gateway to authenticate end users based on a smart card.
  2. Enable the GlobalProtect app so that end users can leverage the same smart card PIN for GlobalProtect with their Windows endpoint.
    1. Select Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App > Use Single Sign-On for Smart Card PIN (Windows).
    2. Select Yes to enable the GlobalProtect app to use SSO for the smart card PIN.
  3. Click OK twice.
  4. Commit the configuration.
  5. Log in to the Windows endpoint using the smart card PIN.
    1. Click Sign-in options, and then click the smart card button.
    2. When prompted, insert the smart card to verify that smart card authentication is successful.
    3. Enter the PIN for the smart card, and click the arrow to submit.
      If smart card authentication is successful, end users can connect to the portal or gateway specified in the configuration without having to re-enter their smart card PIN.
  6. (Optional) Log in to GlobalProtect using the same smart card PIN.
    End users can leverage the same smart card PIN that they used to log in to their Windows endpoint.
    1. Launch the GlobalProtect app by clicking the system tray icon. The status panel opens.
    2. Click the hamburger menu to open the Settings panel.
    3. On the Settings panel, click Sign Out to clear your saved user credentials from the GlobalProtect app.
    4. Reconnect to GlobalProtect with the same smart card PIN.
      The GlobalProtect app displays a smart card PIN error if the PIN is not valid.
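The msiexec syntax from step 1, wrapped in a deployment script that records a verbose install log and interprets the Windows Installer exit code, as an added example that is not part of the Palo Alto Networks documentation. The MSI path, the log location and the -UseSsoPin parameter (so the same script can push yes or no to match the portal option) are assumptions.

```powershell
# Added example (not from the GlobalProtect documentation): push GlobalProtect
# with the USESSOPIN pre-deployed setting from a deployment tool.
param(
    [Parameter(Mandatory = $true)]
    [string]$MsiPath,                      # assumed location of GlobalProtect64.msi

    # Must match the portal's "Use Single Sign-On for Smart Card PIN (Windows)"
    # option; the app reads this pre-deployed value only once, at initialization,
    # so the value is set at install time rather than edited afterwards.
    [ValidateSet('yes', 'no')]
    [string]$UseSsoPin = 'yes',

    [string]$LogPath = "$env:TEMP\GlobalProtect-install.log"   # assumed log path
)

if (-not (Test-Path -LiteralPath $MsiPath)) {
    throw "MSI not found: $MsiPath"
}

# /i = install, /qn = silent (no UI), /L*v = verbose log file.
# USESSOPIN is the public MSI property named in the documentation above.
$arguments = @(
    '/i', "`"$MsiPath`"",
    '/qn',
    '/L*v', "`"$LogPath`"",
    "USESSOPIN=`"$UseSsoPin`""
)

$process = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru

# Windows Installer exit codes: 0 = success, 3010 = success but reboot required,
# 1641 = success and reboot already initiated; anything else is a failure.
switch ($process.ExitCode) {
    0    { Write-Output "GlobalProtect installed with USESSOPIN=$UseSsoPin." }
    3010 { Write-Output "Installed with USESSOPIN=$UseSsoPin; a reboot is required." }
    1641 { Write-Output "Installed with USESSOPIN=$UseSsoPin; reboot initiated." }
    default {
        throw "msiexec failed with exit code $($process.ExitCode); see $LogPath"
    }
}
```

Run it with -UseSsoPin 'no' on endpoints whose portal configuration has the option set to No, so that the two values stay in agreement as the documentation requires.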
