The Challenge: Balancing Security and User Experience
In the modern era of work, where users, apps, devices, and data can reside anywhere and everywhere, enterprises face an expanding attack surface while still being expected to provide an exceptional, frictionless experience for users. This is why it is essential that organizations deliver always-on, universal Zero Trust Network Access to maintain a resilient and robust security posture. This includes inspecting all traffic through continuous trust verification, continuous security inspection, and least-privilege access. However, this rigorous security cannot come at the cost of user productivity. Frequent authentication prompts and complex login procedures lead to frustrated users, decreased productivity, and an increased risk of a breach. The key to successful always-on security is seamless connectivity: users are securely connected to the security stack as soon as they log in to their devices, without additional user interaction or manual steps. Palo Alto Networks Prisma SASE, through its unified agent (GlobalProtect), offers multiple methods to achieve a secure Single Sign-On experience.
Core Solution: The Prisma SASE Unified Agent
The Prisma SASE unified access agent is the cornerstone of seamless and secure connectivity for users regardless of their location. When deployed on managed devices, the agent can be configured to connect users to Prisma Access automatically upon device login. Several authentication methods and deployment approaches can eliminate the need for manual interaction, enhancing both security and the end-user experience.
Authentication Methods for Seamless SSO
The choice of authentication method depends on an organization's existing identity infrastructure, security requirements, and the platforms in use. The following methods provide a path to a transparent authentication experience.
Windows Hello for Business (SAML-based)
Windows Hello for Business is an extension of Windows Hello that provides enterprise-grade security and management capabilities, including device attestation, certificate-based authentication, and conditional access policies. Policy settings can be deployed to devices to ensure they're secure and compliant with organizational requirements.
GlobalProtect, the Palo Alto Networks unified SASE agent, supports Windows Hello for Business for seamless authentication.
In a Microsoft Entra-joined environment with SSO enabled, users are not required to enter their credentials to authenticate to Prisma Access or an NGFW using GlobalProtect. This seamless experience holds whether the user is logging in to the environment for the first time or has logged in before.
In a non-Entra-joined environment with SSO enabled, users must enter their credentials during the initial login. On subsequent logins, the credentials are auto-filled as long as the SAML identity provider (IdP) session is active and has not timed out.
GlobalProtect supports either the default system browser or the native embedded browser to complete the SAML authentication. To achieve a native experience, the recommendation is to use the embedded browser.
macOS Platform SSO
Apple macOS 13 and later support Platform SSO, an authentication framework designed to streamline and secure user sign-in across Mac devices by integrating with modern identity providers (IdPs) such as Microsoft Entra ID and Okta. Platform SSO lets users sign in to their Mac using their IdP credentials. Once authenticated, users gain seamless access to GlobalProtect without repeated logins. Platform SSO also supports hardware-bound cryptographic keys stored in the Mac's Secure Enclave, as well as smart cards, for achieving seamless SSO. Configuring and managing the Platform SSO settings requires a supported MDM solution such as Intune or Jamf Pro.
GlobalProtect as a Credential Provider
For organizations using traditional authentication services such as Active Directory/LDAP or RADIUS, the GlobalProtect credential provider integrates directly with the Windows login process to provide seamless Single Sign-On (SSO). It works by wrapping the native Windows credential provider, which allows GlobalProtect to capture the user's Windows login credentials and use them to authenticate and connect automatically to the GlobalProtect portal and gateway.
In this deployment, the user logs into their machine as usual. The Unified Agent uses these same credentials in the background to connect, requiring no additional input from the user.
Recommended Configuration:
Enforce the Unified Agent as the default credential provider for Windows and macOS. In the portal configuration, enable "Use Single Sign-On".
As a fallback, setting "Save User Credentials" to "Yes" ensures authentication remains seamless if the primary SSO method fails.
Managing Third-Party Providers: Conflicts can arise if other third-party credential providers are installed, potentially causing SSO to fail. To resolve this, GlobalProtect can be configured to wrap the third-party credential provider. This enables seamless authentication across Windows, GlobalProtect, and the third-party system. This configuration can be managed via the Windows Registry or directly in the GlobalProtect settings. Alternatively, separate login tiles can be configured for each provider.
Certificate-Based Authentication
Certificate-based authentication is a highly secure and seamless method that eliminates the need for passwords entirely. Certificate-only authentication is suggested only for internal gateways. For external gateways, it is recommended that the certificate be used as an additional authentication factor or as a means of authorizing the device.
On devices with multiple certificates, the user may be prompted to select the correct one, breaking the seamless experience. To prevent this, administrators can configure the Extended Key Usage (EKU) OID in the Unified Agent settings. The agent will use the OID to automatically identify and present the correct certificate for authentication without user intervention.
Authentication Override Cookies
GlobalProtect’s Authentication Override cookie helps with SSO by allowing users to authenticate once and then automatically connect to both the portal and gateway within the defined cookie lifetime. It reduces repeated credential and MFA prompts, making the authentication process seamless and user-friendly.
While the most common restriction is the authentication cookie lifetime, it is strongly recommended to further restrict cookie usage by accepting authentication cookies only when presented from the original source IP address, or an approved subnet range, of the endpoint to which the cookie was originally issued.
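To make the two restrictions concrete, the following added example (not GlobalProtect's own cookie format or code) models an authentication override cookie as an HMAC-signed token carrying the user, the issuing endpoint's source IP and an expiry, and shows a validator that rejects a cookie that is tampered with, has outlived its lifetime, or is presented from an endpoint other than the original IP or the approved subnet. The key, user name, IP addresses and timestamps are all constructed sample values.

```python
import base64
import hashlib
import hmac
import ipaddress
import json

# Constructed demo key; a real issuer would use a per-deployment secret.
SECRET = b"constructed-demo-key-not-for-production"


def issue_cookie(user, source_ip, lifetime_s, now, key=SECRET):
    """Mint a signed override cookie bound to the endpoint IP it was issued to."""
    payload = {"user": user, "ip": source_ip, "iat": now, "exp": now + lifetime_s}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_cookie(cookie, presented_ip, now, approved_subnet=None, key=SECRET):
    """Accept the cookie only if it is authentic, unexpired and presented from the
    original source IP (or, if configured, the approved subnet). Returns (ok, detail)."""
    try:
        body, sig = cookie.split(".", 1)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad-signature"          # tampered or forged cookie
    payload = json.loads(base64.urlsafe_b64decode(body))
    if now >= payload["exp"]:
        return False, "expired"                # lifetime restriction
    issued_to = ipaddress.ip_address(payload["ip"])
    presented = ipaddress.ip_address(presented_ip)
    in_subnet = approved_subnet is not None and presented in ipaddress.ip_network(
        approved_subnet, strict=False)
    if presented != issued_to and not in_subnet:
        return False, "source-mismatch"        # cookie replayed from another endpoint
    return True, payload["user"]


if __name__ == "__main__":
    t0 = 1_700_000_000                          # constructed issue time
    c = issue_cookie("jdoe", "203.0.113.10", 24 * 3600, t0)
    print(validate_cookie(c, "203.0.113.10", t0 + 3600))                    # (True, 'jdoe')
    print(validate_cookie(c, "198.51.100.7", t0 + 3600))                    # (False, 'source-mismatch')
    print(validate_cookie(c, "203.0.113.55", t0 + 3600, "203.0.113.0/24"))  # (True, 'jdoe')
    print(validate_cookie(c, "203.0.113.10", t0 + 25 * 3600))               # (False, 'expired')
```

The source-IP check is what stops a cookie lifted from one endpoint from silently granting portal and gateway access from another within its lifetime; the subnet form trades some of that assurance for tolerance of address changes on the same network.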
Conclusion
In today’s world, the most effective security is the security that users don't have to fight. The various strategies outlined for Palo Alto Networks GlobalProtect are all designed to achieve this essential goal. By integrating directly with the device login, whether through Windows Hello for Business or the GlobalProtect Credential Provider, the authentication process becomes a seamless background event rather than a recurring interruption.
When authentication is truly transparent, the promise of frictionless, secure access is fully realized. Users log in to their machines once and are instantly and continuously protected, freeing them to be productive and collaborative.