Use Single Sign-On for Smart Card Authentication

If your administrator has configured the GlobalProtect portal to allow you to authenticate through single sign-on (SSO) using smart card authentication, you can connect without re-entering your smart card Personal Identification Number (PIN) in the GlobalProtect app. GlobalProtect uses the same smart card PIN that you use to log in to your Windows endpoint, which reduces the number of times you must enter the PIN when you log in. After you successfully log in to the Windows endpoint, the GlobalProtect app acquires and remembers your smart card PIN to authenticate with the GlobalProtect portal and gateway.
Your administrator can define the type of PIN caching policy for Windows that is associated with the PIN for the smart card provider. The PIN is cached only if the smart card provider allows it. GlobalProtect clears the PIN from the cache if you manually sign out of the GlobalProtect app, sign out of Windows, or if the PIN is changed.
  1. Before you can use SSO for smart card authentication, the administrator must have completed the following tasks:
    1. Set the pre-deployed setting on Windows endpoints to use SSO for smart card authentication.
      Your administrator must set the pre-deployed setting on your Windows endpoint prior to enabling SSO for smart card PIN. GlobalProtect retrieves this entry only once, when the GlobalProtect app initializes.
    2. Set up the smart card for two-factor authentication.
    3. Assign the certificate profile to the GlobalProtect portal.
    4. Configure the gateway so that you can authenticate using a smart card.
    5. Enable the GlobalProtect app to Use SSO for smart card PIN on the GlobalProtect portal so that you can leverage the same smart card PIN for GlobalProtect with your Windows endpoint.
  2. Log in to the Windows endpoint using the smart card PIN.
    1. Click Sign-in options, and then click the smart card button.
    2. When prompted, insert the smart card to verify that smart card authentication is successful.
    3. Enter the PIN for the smart card, and click the arrow to submit.
      If smart card authentication is successful, you can connect to the portal or gateway specified in the configuration without having to re-enter your smart card PIN.
  3. (Optional) Log in to GlobalProtect using the same smart card PIN.
    You can leverage the same smart card PIN that you used to log in to your Windows endpoint.
    1. Launch the GlobalProtect app by clicking the system tray icon. The status panel opens.
    2. Click the hamburger menu to open the Settings panel.
    3. On the Settings panel, click Sign Out to clear your saved user credentials from the GlobalProtect app.
    4. Reconnect to GlobalProtect with the same smart card PIN.
      The GlobalProtect app displays a smart card PIN error if the PIN is not valid.