>
    Improvements for Multi Authentication CIE Experience
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect User Authentication
    4. Improvements for Multi Authentication CIE Experience
    Download PDF
    GlobalProtect

    Improvements for Multi Authentication CIE Experience

    Table of Contents

    Improvements for Multi Authentication CIE Experience

    Improvements for Mutli Authentication CIE Experience
    Where Can I Use This?What Do I Need?
    • GlobalProtect License Subscription
    • Prisma Access
    • GlobalProtect app version 6.3.1 or later
    • GlobalProtect app running on Windows platforms
    When CIE (SAML) multi-authentication is configured for the GlobalProtect app as the authentication method, end users are no longer required to enter their single sign-on (SSO) credentials when they try to authenticate to the app.
    You can now predeploy the registry key CASSKIPHUBPAGE (path: \HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings) on the Windows endpoints to enable this feature.
    After you enable this feature, end users are not prompted to enter their SAML credentials while authenticating to the app using the embedded browser or the default browser. This feature is supported only on Windows platforms.
    End-users do not need to enter SAML credentials in the SSO hub page when:
    • The device wakes up from the sleep mode
    • After a system reboot
    • When the user unlocks the device
    By default, this feature is not enabled on the Windows endpoints.
    The feature functions well with the following connect methods and supported through both embedded web-view and system default browser:
    • User-logon
    • On-Demand
    • Pre-logon
    • Pre-logon then On-demand
    Before you enable the feature, ensure that:
    • Username is configured in UPN format in CIE or the Windows endpoints are joined to Azure domain (AAD or Active Directory).
    • The cloud identity engine is configured without the Force authentication option in the authentication profile.
    • IDP/SAML session is active.
    This feature works only on Windows platforms and is not applicable on macOS platforms.
    To enable this feature, you must predeploy the setting from Windows Installer (Msiexec) use the following syntax:
    msiexec.exe /i globalprotect64.msi CASSKIPHUBPAGE=yes
    • When you predeploy the CASSKIPHUBPAGE key with value Yes, the registry key will be displayed in the Windows registry path \HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings.
    • If you have not predeployed the key, the registry will be displayed in the Windows registry path and by default the key will be empty. If you want to modify the registry value, you can set the value to Yes in the path \HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings.

    © 2024 Palo Alto Networks, Inc. All rights reserved.