Enable SSO Wrapping for Third-Party Credentials with the Windows Registry

Use the following steps in the Windows Registry to enable SSO to wrap third-party credentials on Windows 7 endpoints.
  1. Open the Windows Registry and locate the globally unique identifier (GUID) for the third-party credential provider that you want to wrap.
    1. From the command prompt, enter the
      regedit
      command to open the Windows Registry Editor.
    2. Go to the following Windows Registry location to view the list of currently installed credential providers:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Authentication\Credential Providers.
    3. Copy the GUID key for the credential provider that you want to wrap (including the curly brackets —
      {
      and
      }
      — on either end of the GUID):
      sso-wrap-windows-reg-cp-guid.png
  2. Enable SSO wrapping for third-party credential providers by adding the
    wrap-cp-guid
    setting to the GlobalProtect Registry.
    1. Go to the following Windows Registry location:
      HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\ GlobalProtect:
      sso-wrap-windows-reg-path.png
    2. Right-click the
      GlobalProtect
      folder, and then select
      New
      String Value
      to add a new string value:
      sso-wrap-windows-reg-string-value.png
    3. Configure the following
      String Value
      fields:
      • Name
        :
        wrap-cp-guid
      • Value data
        : {<
        third-party credential provider GUID
        >}
        For the
        Value data
        field, the GUID value that you enter must be enclosed with curly brackets:
        {
        and
        }
        .
        The following is an example of what a third-party credential provider GUID in the
        Value data
        field might look like:
        {A1DA9BCC-9720-4921-8373-A8EC5D48450F}
      For the new
      String Value
      ,
      wrap-cp-guid
      is displayed as the string value’s
      Name
      and the GUID is displayed as the
      Value Data
      .
      sso-wrap-windows-reg-filter.png
  3. Next Steps:
    • With this setup, the native Windows logon tile is displayed to users on the logon screen. When users click the tile and log in to the system with their Windows credentials, that single login authenticates the users to Windows, GlobalProtect, and the third-party credential provider.
    • (
      Optional
      ) If you want to display multiple tiles on the logon screen (for example, the native Windows tile and the tile for the third-party credential provider), continue to step 4.
    • (
      Optional
      ) If you want to assign a default credential provider for users, continue to step 5.
    • (
      Optional
      ) If you want to hide a third-party credential provider tile from the logon screen, continue to step 6.
  4. (
    Optional
    ) Allow the third-party credential provider tile to be displayed to users at login.
    Add a second
    String Value
    with the
    Name
    filter-non-gpcp
    and enter
    no
    for the string’s
    Value data
    :
    sso-wrap-windows-reg-no-filter.png
    After you add this string value to the GlobalProtect settings, two login options are presented to users on the Windows logon screen: the native Windows tile and the third-party credential provider’s tile.
  5. Assign a default credential provider for user login.
    1. Open the Windows Registry to locate the globally unique identifier (GUID) for the third-party credential provider that you want to assign as the default credential provider.
      1. From the command prompt, enter the
        regedit
        command to open the Windows Registry Editor.
      2. Go to the following Windows Registry location to view the list of currently installed credential providers:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Authentication\Credential Providers.
      3. Copy the complete GUID key for the credential provider (including the curly brackets —
        {
        and
        }
        —on either end of the GUID).
    2. Open the Local Group Policy Editor to enable and assign a default credential provider.
      1. From the command prompt, enter the
        gpedit.msc
        command to open the Local Group Policy Editor.
      2. Select
        Computer Configuration
        Administrative Templates
        System
        Logon
        .
      3. Under
        Setting
        , double-click
        Assign a default credential provider
        to open the
        Assign a default credential provider
        window.
      4. Set the policy to
        Enabled
        .
      5. Under
        Assign the following credential provider as the default credential provider
        , enter the GUID of the credential provider (copied from the Windows Registry).
      6. Click
        Apply
        , and the click
        OK
        to save your changes.
  6. (
    Optional
    ) Hide a third-party credential provider tile from the Windows logon screen.
    1. Open the Windows Registry to locate the globally unique identifier (GUID) for the third-party credential provider that you want to hide.
      1. From the command prompt, enter the
        regedit
        command to open the Windows Registry Editor.
      2. Go to the following Windows Registry location to view the list of currently installed credential providers:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Authentication\Credential Providers.
      3. Copy the complete GUID key for the credential provider that you want to hide (including the curly brackets —
        {
        and
        }
        — on either end of the GUID).
    2. Open the Local Group Policy Editor to hide the third-party credential provider.
      1. From the command prompt, enter the
        gpedit.msc
        command to open the Local Group Policy Editor.
      2. Select
        Computer Configuration
        Administrative Templates
        System
        Logon
        .
      3. Under
        Setting
        , double-click
        Exclude credential providers
        to open the
        Exclude credential providers
        window.
      4. Set the policy to
        Enabled
        .
      5. Under
        Exclude the following credential providers
        , enter the GUID of the credential provider you want to hide (copied from the Windows Registry).
        To hide multiple credential providers, separate each GUID with a comma.
      6. Click
        Apply
        , and then click
        OK
        to save your changes.
  7. Finalize your changes.
    Once your changes are finalized, reboot your system for the changes to take effect.

Related Documentation