Enable SSO Wrapping for Third-Party Credentials with the Windows Registry

Use the following steps in the Windows registry to enable SSO to wrap third-party credentials on Windows 7 and Windows Vista clients.
  1. Open the Windows registry and locate the globally unique identifier (GUID) for the third-party credential provider that you want to wrap.
    1. From the command prompt, enter the command regedit to open the Windows registry.
    2. Locate currently installed credential providers at the following location:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
    3. Copy the GUID key for the credential provider that you want to wrap (including the curly brackets, { and }, on either end of the GUID).
  2. Enable SSO wrapping for third-party credential providers by adding the setting wrap-cp-guid to the GlobalProtect registry.
    1. Go to the following Windows registry location:
      HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect
    2. Add a new String Value.
    3. Enter values for the String Value:
      • Name: wrap-cp-guid
      • Value data: {<third-party credential provider GUID>}
        For the Value data field, the GUID value that you enter must be enclosed with curly brackets: { and }.
        The following is an example of what a third-party credential provider GUID in the Value data field might look like:
        {A1DA9BCC-9720-4921-8373-A8EC5D48450F}
      For the new String Value, wrap-cp-guid is displayed as the String Value’s Name and the GUID is displayed as the Data.
  3. Next Steps:
    • Completing steps 1 and 2 is sufficient to configure SSO wrapping for third-party credential providers. With this setup, the native Windows logon tile is displayed to users. Users click the tile and log in to the system with their Windows credentials, and that single login authenticates them to Windows, GlobalProtect, and the third-party credential provider.
    • (Optional) If you want to display two tiles to users at login, the native Windows tile and the tile for the third-party credential provider, continue to step 4.
  4. (Optional) Allow the third-party credential provider tile to be displayed to users at login.
    Add a second String Value with the Name filter-non-gpcp and enter no for the string's Value data.
    With this string value added to the GlobalProtect settings, two login options are presented to users when logging in to their Windows system: the native Windows tile and the third-party credential provider’s tile.
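
The same procedure can be scripted for deployment. The following PowerShell is an added example, not taken from the product documentation: the function and parameter names are hypothetical, while the registry paths and value names are the ones given in the steps above. It refuses to write wrap-cp-guid unless the GUID is brace-enclosed and matches a credential provider actually registered on the machine.

```powershell
# Added example. The function and parameter names are hypothetical; the registry
# paths and value names (wrap-cp-guid, filter-non-gpcp) are the ones on this page.
# Run elevated, in a PowerShell of the same bitness as the OS, so that the
# HKLM\SOFTWARE path is not redirected to Wow6432Node.
function Set-GpCredentialProviderWrap {
    param(
        [Parameter(Mandatory = $true)][string]$ProviderGuid,
        [switch]$ShowThirdPartyTile   # optional step 4
    )
    $cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    $gpKey  = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect'

    # Value data must be a GUID enclosed in curly brackets.
    if ($ProviderGuid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Not a brace-enclosed GUID: $ProviderGuid"
    }
    # Step 1: the GUID must belong to a credential provider installed on this machine.
    $cpKey = Join-Path $cpRoot $ProviderGuid
    if (-not (Test-Path -LiteralPath $cpKey)) {
        throw "No credential provider is registered as $ProviderGuid"
    }
    # Show the provider's registered name so the operator can confirm it is the intended one.
    $name = (Get-ItemProperty -LiteralPath $cpKey).'(default)'
    Write-Host "Wrapping credential provider: $name $ProviderGuid"

    # Do not create the GlobalProtect key; if it is missing the agent is not installed.
    if (-not (Test-Path -LiteralPath $gpKey)) {
        throw "GlobalProtect registry key not found: $gpKey"
    }
    # Step 2: add the String Value wrap-cp-guid.
    New-ItemProperty -LiteralPath $gpKey -Name 'wrap-cp-guid' -Value $ProviderGuid `
        -PropertyType String -Force | Out-Null
    # Step 4 (optional): also display the third-party provider's tile.
    if ($ShowThirdPartyTile) {
        New-ItemProperty -LiteralPath $gpKey -Name 'filter-non-gpcp' -Value 'no' `
            -PropertyType String -Force | Out-Null
    }
    # Read the settings back for verification.
    Get-ItemProperty -LiteralPath $gpKey | Select-Object 'wrap-cp-guid', 'filter-non-gpcp'
}

# The GUID below is the sample from this page; replace it with the one copied in step 1.
Set-GpCredentialProviderWrap -ProviderGuid '{A1DA9BCC-9720-4921-8373-A8EC5D48450F}'
```

Add -ShowThirdPartyTile to the call only when both tiles should be offered at login.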
