Windows SSO (PLAP) Client


The SSO Client enables users to authenticate to the network before logging on to Windows (local account).

How does it work?

Single Sign-On (SSO) is a means of obtaining EAP method specific credentials for a network user or computer account in a secure fashion, without the user needing to log in multiple times (to the PC and then to the network). The Appgate SDP SSO Client is a version of the Windows Client that adds a custom Appgate SDP Windows sign-in screen.

Once installed, the Appgate SDP SSO client adds an additional sign-in option to the Windows sign-in screen. This screen captures the Windows (domain) credentials for use by Appgate SDP for provisioning authenticated access and for Windows to then perform network (as opposed to cached credential) authentication. This allows the user to enter their credentials just once and not have to log into Appgate SDP after logging in to Windows.

NOTE

When installed, it is not possible to use the Client in a regular way. SSO mode must be used at all times.

Windows 10

To access the Appgate SDP SSO sign-in page, first enter the Windows sign-in screen and press the following icon on the lower left of the screen:

Network sign-in option displayed in a computer interface with additional icons.

AppGate SDP login screen with fields for username and password.

The user has to provide their username and password at the Appgate SDP SSO sign-in page. The username should consist of both the domain and user in the following format: 'domain\user'. Once the user has logged in to Windows, the Appgate SDP Client will be running, similar to the experience with the normal Appgate SDP Client. With Appgate SDP SSO sign-in, the user will already be logged in to the Client and will have limited options: the user can't quit or log out from the Client. This is done automatically when the user logs out from Windows.

Background information

System limitations

  • Join the machine to the domain or you will not be able to use the SSO client to sign-in even with valid domain credentials.

  • The SSO client will fail to on-board if the user has already on-boarded using the normal Appgate SDP. On-boarding has to be done from the Appgate SDP SSO client for a user on a specific computer.

  • Set the Windows security Policy to show the last logged in username / user profiles from the sign-in screen.

  • Local users can't use the normal Appgate SDP Client once the Appgate SDP SSO Client is installed.

The Windows SSO (PLAP) Client uses standard executables:

  • Service Configurator - is included to configure the SSO Client. Requires that the Appgate SDP Service is running.

The Client

How to install

To install the client as an SSO service, the installation needs to be run with the switch /L. It is recommended to run it using the /S (silent installation) switch. Refer to Windows Client for a full explanation of all the installation switch options. Run the following command from a command prompt to install the Windows SSO (PLAP) Client in silent mode, and wait until the installer is finished:

start "" /WAIT "Appgate-SDP-x.y.z-Installer.exe" /L /S /G /P="appgate://url.com"

PowerShell requires slightly different syntax:

start "Appgate-SDP-x.y.z-Installer.exe" -ArgumentList ' /L /S /G /P="appgate://url.com" '

NOTE

The profile link included after the /P switch can be obtained from the Client Profiles UI.

An existing Appgate SDP installation can be upgraded to run as the Windows SSO Client by running the installer with /L and additional parameters (e.g. /P). The Client will be upgraded and the Windows SSO Client installed. Any existing configuration set for the normal Client will not be transferred to the SSO sign-in screen.

NOTE

Always provide the /L flag every time the Appgate SDP Client is installed, upgraded or reinstalled to keep the Appgate SDP SSO functionality installed.

Once installed there will be an Appgate SDP folder in the start menu of Windows. This will contain the uninstaller for the client and a shortcut to the configurator.

Use services.msc to make sure that both the Appgate SDP Client SSO (PLAP) Service (appgateplapservice) and the Appgate SDP Driver Control (cxdriver) exist as services and that both are running.
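The same service check can be scripted together with two of the system limitations listed above (domain membership and showing the last signed-in user). This is an added example, not part of the Appgate documentation: the function name Test-AppgateSsoPrereqs and its output shape are hypothetical, and mapping the "show the last logged in username" policy to the dontdisplaylastusername registry value is an assumption.

```powershell
# Added example: post-install checks for the Windows SSO (PLAP) Client.
# Service names and prerequisites come from this page; the function name
# and result objects are hypothetical.
function Test-AppgateSsoPrereqs {
    $results = @()

    # Both services must exist and be running (same check as services.msc).
    foreach ($name in 'appgateplapservice', 'cxdriver') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $results += [pscustomobject]@{
            Check  = "Service $name"
            Passed = ($null -ne $svc -and $svc.Status -eq 'Running')
            Detail = if ($svc) { "Status: $($svc.Status)" } else { 'Not installed' }
        }
    }

    # The machine must be domain joined, or SSO sign-in fails even with
    # valid domain credentials.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results += [pscustomobject]@{
        Check  = 'Domain joined'
        Passed = [bool]$cs.PartOfDomain
        Detail = "Domain/workgroup: $($cs.Domain)"
    }

    # Assumption: the policy meant by the page is "Interactive logon: Don't
    # display last signed-in", stored as dontdisplaylastusername (1 = hidden).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name dontdisplaylastusername `
            -ErrorAction SilentlyContinue).dontdisplaylastusername
    $results += [pscustomobject]@{
        Check  = 'Last signed-in user shown'
        Passed = ($val -ne 1)
        Detail = "dontdisplaylastusername = $(if ($null -eq $val) { 'not set' } else { $val })"
    }

    $results
}

$report = Test-AppgateSsoPrereqs
$report | Format-Table -AutoSize

# Non-zero exit code lets a deployment tool flag machines that fail a check.
if ($report.Passed -contains $false) { exit 1 }
```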

Configuring Domain access

The Windows SSO (PLAP) Client is designed to work as if the PC was on the LAN and able to talk to the Domain Controller. For this to happen when the LAN is only accessible through an Appgate SDP Gateway, the right must be in place. Refer to Allowing full 'network like' access for users

How to set or change the configuration

The configurator is an optional tool that can be used to configure and test configurations of the Windows SSO (PLAP) Client e.g. testing that the controller URL, certificate and provider is working correctly. The user will need to sign in again after using the set or reset commands. Refer to configurator tool.

How to uninstall

To uninstall the headless client, run the uninstaller from the start menu shortcut or Windows `Add or Remove Programs`. Note that uninstalling removes only the client binaries; any configuration of the SSO client is not removed.

Log files location

See Windows Headless Client.