For enhanced security,
use a certificate (in addition to your authentication service) to
obtain usernames and authenticate users to Prisma Access. To authenticate
users based on a client certificate, one of the certificate fields,
such as the Subject Name field, must identify the username. Mobile
users that successfully authenticate through client certificate
authentication, do not have the option to sign out of the GlobalProtect
app.
With Prisma Access, you can choose to require for mobile
users to pass both certificate authentication and authentication
based on the authentication type or to grant access to mobile users
as long as they’ve successfully passed only one of those checks.