topic Add PreLogon to Existing Portal in GlobalProtect Discussions https://live.paloaltonetworks.com/t5/globalprotect-discussions/add-prelogon-to-existing-portal/m-p/560532#M4471 <P>Hi Everyone,</P> <P>&nbsp;</P> <P>Our current setup is a GlobalProtect portal that utilizes SSO via the free Okta service.&nbsp; This serves our customers as well as our internal staff.</P> <P>&nbsp;</P> <P>I'd like to switch our internal staff laptops to the prelogon method, so they automatically connect with their AD machine cert, and after they login to their laptop, it passes on their username/password to GlobalProtect.&nbsp; All while not interrupting the normal SSO/Okta flow for our other users.</P> <P>&nbsp;</P> <P>The only hitch is, the user workstation logins are on a different domain than the one that's connected to Okta.&nbsp; So, would I make a new Client Authentication setting?&nbsp; And where would I place it in the priority list?</P> <P>&nbsp;</P> <P>I'm assuming then I could make a new agent config, using the certificate device check for the AD domain CA, and assign custom&nbsp; DNS servers, etc.</P> <P>&nbsp;</P> <P>Any advice/help is greatly appreciated!</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 04 Oct 2023 13:34:34 GMT mwagner00 2023-10-04T13:34:34Z Add PreLogon to Existing Portal https://live.paloaltonetworks.com/t5/globalprotect-discussions/add-prelogon-to-existing-portal/m-p/560532#M4471 <P>Hi Everyone,</P> <P>&nbsp;</P> <P>Our current setup is a GlobalProtect portal that utilizes SSO via the free Okta service.&nbsp; This serves our customers as well as our internal staff.</P> <P>&nbsp;</P> <P>I'd like to switch our internal staff laptops to the prelogon method, so they automatically connect with their AD machine cert, and after they login to their laptop, it passes on their username/password to GlobalProtect.&nbsp; All while not interrupting the normal SSO/Okta flow for our other users.</P> <P>&nbsp;</P> <P>The only hitch is, the user workstation logins are on a different domain than the one that's connected to Okta.&nbsp; So, would I make a new Client Authentication setting?&nbsp; And where would I place it in the priority list?</P> <P>&nbsp;</P> <P>I'm assuming then I could make a new agent config, using the certificate device check for the AD domain CA, and assign custom&nbsp; DNS servers, etc.</P> <P>&nbsp;</P> <P>Any advice/help is greatly appreciated!</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 04 Oct 2023 13:34:34 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/add-prelogon-to-existing-portal/m-p/560532#M4471 mwagner00 2023-10-04T13:34:34Z