Issue: When using sssd with smartcard login, xfce4-screensaver (or lightdm, mate, etc...) don't ask for the PIN Code, while some services (sudo, su, gdm..) do ask.

Rootcause: Before sssd-2.0 or sssd-1.16.4, the list of pam services allowed to use Smartcard (aka P11 or pkcs11) was hardcoded and cannot be overriden with configuration (https://github.com/SSSD/sssd/blob/sssd-1_16_3/src/responder/pam/pamsrv_p11.c#L230-L232) 
From these 2 releases, the configuration "pam_p11_allowed_services" in section [pam] of /etc/sssd/sssd.conf allows to add more services, like XFCE elements:

Request: Specifcy in the documentation the need to update sssd.conf accordingly: 

  # /etc/sssd/sssd.conf
  [pam]
  pam_p11_allowed_services = +xfce4-screensaver


Scenario :
1) xfce4-screensaver (or any other pam enabled application) wants to auth the user
2) Calls pam_start (service xfce4-screensaver)
3) in /etc/pam.d/xfce4-screensaver (or included files) there must be a line with "auth pam_sss.so"
4) pam_sss.so will talk to the sss daemon through /var/lib/sss/pipes/pam socket. In this conversation, pam_sss will provide the name of the pam service being serviced
6) sss_pam will check if the service is allowed to use smartcard auth. If so, It'll spawn /usr/libexec/sssd/p11_child to work with the pkcs11 stack (/usr/share/p11-kit/modules)
7) "p11_child --pre" will communicate with pcscd through /var/run/pcscd/pcscd.comm to read a smartcard through the USB device and list available certificates.
8) sss_pam will filter these certificates and if one matches, ask the user for the PIN Code (through pam_message)
9) "echo -n 12345 | p11_child --auth --pin  ..." will return 0 if referenced certificate is valid for sssd, 1 if any error occurs
10) pam sequence continues according to configuration.