Single Sign-On (SSO) Using Smart Card Authentication
Software Support: Starting with GlobalProtect™ app 6.0 with Content Release version 8451-6911 or later.
OS Support: Windows 10
If you have configured the GlobalProtect portal to authenticate end users through single sign-on (SSO) using smart card authentication, end users can connect without re-entering their smart card Personal Identification Number (PIN) in the GlobalProtect app. End users use the same smart card PIN for GlobalProtect that they use to log in to their Windows endpoint, which reduces the number of times they must enter the PIN. After the end user successfully logs in to the Windows endpoint, the GlobalProtect app acquires and caches the smart card PIN and uses it to authenticate with the GlobalProtect portal and gateway.
Whether and for how long the PIN can be cached is governed by the PIN caching policy that the smart card provider (the smart card minidriver or cryptographic provider installed on the endpoint) exposes to Windows; GlobalProtect caches the PIN only if the provider allows it. GlobalProtect clears the cached PIN when end users manually sign out of the GlobalProtect app, sign out of Windows, or change the PIN. Until one of those events occurs, the cached PIN lets the app authenticate to the portal and gateway without user interaction, so the caching policy you choose determines how long a signed-in Windows session can reuse the PIN unattended.
  1. Set the pre-deployed setting on Windows endpoints to use SSO for smart card authentication.
    You must set the pre-deployed setting on the end user endpoints before you can enable SSO for smart card PIN. GlobalProtect reads this entry only once, when the GlobalProtect app initializes, so a change to it takes effect only after the app restarts.
    The USESSOPIN pre-deployed setting on the endpoint and the Use Single Sign-On for Smart Card PIN (Windows) option in the portal configuration must have the same value. If USESSOPIN is set to yes on the endpoint but the portal option is set to no (or the reverse), end users do not get the seamless SSO experience described above.
    If you set both the Use Single Sign-On (Windows) and the Use Single Sign-On for Smart Card PIN (Windows) options to yes in the portal configuration, the Use Single Sign-On for Smart Card PIN (Windows) option takes precedence.
    On Windows endpoints, set the USESSOPIN value to yes from the Windows Installer (Msiexec) using the following syntax:
    msiexec.exe /i GlobalProtect64.msi USESSOPIN="yes"
  2. Set up the smart card for two-factor authentication.
    1. Assign the certificate profile associated with the smart card to the GlobalProtect portal.
    2. Configure the gateway to authenticate end users based on a smart card.
  3. Enable the GlobalProtect app so that end users can leverage the same smart card PIN for GlobalProtect with their Windows endpoint.
    1. Select Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App > Use Single Sign-On for Smart Card PIN (Windows).
    2. Select Yes to enable the GlobalProtect app to use SSO for smart card PIN.
  4. Click OK twice.
  5. Commit the configuration.
  6. Log in to the Windows endpoint using the smart card PIN.
    1. Click Sign-in options, and then click the smart card button.
    2. When prompted, insert the smart card to verify that smart card authentication is successful.
    3. Enter the PIN for the smart card, and click the arrow to submit.
      If smart card authentication is successful, end users can connect to the portal or gateway specified in the configuration without having to re-enter their smart card PIN.
  7. (Optional) Log in to GlobalProtect using the same smart card PIN.
    End users can leverage the same smart card PIN that they used to log in to their Windows endpoint.
    1. Launch the GlobalProtect app by clicking the system tray icon. The status panel opens.
    2. Click the hamburger menu to open the Settings panel.
    3. On the Settings panel, click Sign Out to clear your saved user credentials from the GlobalProtect app.
    4. Reconnect to GlobalProtect with the same smart card PIN.
      The GlobalProtect app displays a smart card PIN error if the PIN is not valid.
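As an added example that is not part of this documentation and is not Palo Alto Networks code, the following PowerShell script performs step 1 of the procedure above from an administrator's deployment tooling: it installs the app silently with the USESSOPIN pre-deployed setting, fails loudly on an installer error, and then dumps the pre-deployed settings key so you can confirm the entry is present before enabling the matching portal option. The MSI file name and location, the portal address gp.example.com, the PORTAL property, the silent-install and logging switches, and the registry path HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup are assumptions, not values from this page; the page specifies only the USESSOPIN property and the msiexec.exe /i form.

```powershell
<#
Added example (not from the GlobalProtect documentation): deploy the app with the
USESSOPIN pre-deployed setting and verify that it was written to the endpoint.
Run from an elevated PowerShell prompt on the Windows 10 endpoint.

Assumptions not stated on the page: the MSI name and location, the portal address,
the PORTAL MSI property, the silent/logging switches, and the registry key that
holds pre-deployed settings.
#>
param(
    [string]$MsiPath   = ".\GlobalProtect64.msi",   # assumed installer location
    [string]$Portal    = "gp.example.com",          # assumed portal address
    [ValidateSet("yes", "no")]
    [string]$UseSsoPin = "yes"   # must match the portal's Use Single Sign-On for Smart Card PIN (Windows) option
)

$logFile = Join-Path $env:TEMP "GlobalProtect-install.log"

# GlobalProtect reads the pre-deployed setting only once, when the app initializes,
# so the value is passed at install time rather than edited afterwards.
$arguments = @(
    "/i", "`"$MsiPath`"",
    "/qn",                              # silent install (assumed; the page shows the interactive form)
    "/l*v", "`"$logFile`"",
    "PORTAL=`"$Portal`"",
    "USESSOPIN=`"$UseSsoPin`""
)

$proc = Start-Process -FilePath "msiexec.exe" -ArgumentList $arguments -Wait -PassThru
# 0 = success, 3010 = success but a reboot is required
if ($proc.ExitCode -notin @(0, 3010)) {
    throw "msiexec exited with code $($proc.ExitCode); see $logFile"
}

# Verify the setting reached the endpoint. The key path is an assumption; every value
# under it is listed so the SSO PIN entry can be identified without guessing its name.
$panSetup = "HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup"
$entry = Get-ItemProperty -Path $panSetup -ErrorAction SilentlyContinue
if ($null -eq $entry) {
    Write-Warning "Pre-deployed settings key not found at $panSetup; check $logFile."
    exit 1
}

$entry.PSObject.Properties |
    Where-Object { $_.Name -notlike "PS*" } |            # drop PowerShell provider metadata
    ForEach-Object { "{0,-24} {1}" -f $_.Name, $_.Value }

Write-Host "Install complete. Set the portal option to '$UseSsoPin' so both sides agree, then commit."
```

Run it as `.\Deploy-GlobalProtect.ps1 -UseSsoPin yes` (or `no`) from the same change window in which you set the portal option to the same value; rolling out USESSOPIN="yes" to endpoints while the portal option is still no leaves users with the PIN prompt the feature is meant to remove, and because the app reads the entry only at initialization, a later correction on the endpoint needs an app restart to take effect.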