SSO Wrapping for Third-Party Credential Providers on Windows Endpoints
On Windows 7 and Windows Vista endpoints, the GlobalProtect
agent utilizes the Microsoft credential provider framework to support
single sign-on (SSO). With SSO, the GlobalProtect credential provider
wraps the Windows native credential provider, which enables GlobalProtect
to use Windows login credentials to automatically authenticate and connect
to the GlobalProtect portal and gateway.
In some scenarios when other third-party credential providers
also exist on the client, the GlobalProtect credential provider
is unable to gather a user's Windows login credentials and, as a
result, GlobalProtect fails to automatically connect to the GlobalProtect
portal and gateway. If SSO fails, you can identify the third-party
credential provider and then configure the GlobalProtect agent to
wrap those third-party credentials, which enables users to successfully
authenticate to Windows, GlobalProtect, and the third-party credential provider—all
in a single step—using only their Windows login credentials when
they log in to their Windows system.
Optionally, you can configure Windows to display separate login
tiles: one for each third-party credential provider and another
for the native Windows login. This is useful when a third-party
credential provider adds additional functionality in the login tile
that does not apply to GlobalProtect.
If you want to remove the GlobalProtect credential
provider from your Windows client, execute the
the Command Prompt.
Use the Windows registry or the Windows Installer (Msiexec) to
allow GlobalProtect to wrap third-party credentials:
GlobalProtect SSO wrapping for third-party
credential providers (CPs) is dependent on the third-party CP settings
and, in some cases, GlobalProtect SSO wrapping might not work correctly
if the third-party CP implementation does not allow GlobalProtect
to successfully wrap their CP.