https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-sso-saml-azure-ad-microsoft-sso-login-page/m-p/334229#M219 <P>Hi,</P><P>&nbsp;</P><P>PanOS supports SP initiated authentication for SAML, so when the user authenticates to the idP, the client will hold an SSO cookie, to authenticate all subsequent connections, hence SSO will work. But if the Cookie expires from the idP side and/or login lifetime has expired on the firewall, then the user will be initiated to authenticate again.&nbsp;<BR /><BR />You can extend the login time from your idP side, as well as the firewall Login Lifetime on the gateway side. If both of these are extended, then the user should be able to authenticate for a longer period of time, but they will still be prompted to authenticate once the SSO session expires.&nbsp; Currently, the GP client uses an embedded browser like IE for windows, and it can't use the SSO session from let's say Chrome browser, where the user might have already authenticated to the idp.&nbsp;<BR /><BR />Starting GP client 5.2, you will have the option to set a default browser for the user i.e. Chrome and it should allow GP client to use SSO session if the user has already authenticated to the idp.&nbsp;<BR /><BR />Let me know if that helps!<BR /><BR />Thanks and stay safe</P> Fri, 19 Jun 2020 00:22:08 GMT khans 2020-06-19T00:22:08Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-sso-saml-azure-ad-microsoft-sso-login-page/m-p/334142#M214 <P>Hi,</P><P>&nbsp;</P><P>Why sometime we see the Microsoft SSO Login page requesting password ?&nbsp;</P><P>&nbsp;</P><P>Most of the time, this is seemless and transparent to user, and we do not have to enter username/password which show me that SSO is working great. However, like I said, sometime, we got the&nbsp;Microsoft SSO Login page requesting password.</P><P>&nbsp;</P><P>I'm just wondering which cause the Microsoft Login page to request entering password during logon.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 18 Jun 2020 17:42:42 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-sso-saml-azure-ad-microsoft-sso-login-page/m-p/334142#M214 Dominic_Longpre 2020-06-18T17:42:42Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-sso-saml-azure-ad-microsoft-sso-login-page/m-p/334229#M219 <P>Hi,</P><P>&nbsp;</P><P>PanOS supports SP initiated authentication for SAML, so when the user authenticates to the idP, the client will hold an SSO cookie, to authenticate all subsequent connections, hence SSO will work. But if the Cookie expires from the idP side and/or login lifetime has expired on the firewall, then the user will be initiated to authenticate again.&nbsp;<BR /><BR />You can extend the login time from your idP side, as well as the firewall Login Lifetime on the gateway side. If both of these are extended, then the user should be able to authenticate for a longer period of time, but they will still be prompted to authenticate once the SSO session expires.&nbsp; Currently, the GP client uses an embedded browser like IE for windows, and it can't use the SSO session from let's say Chrome browser, where the user might have already authenticated to the idp.&nbsp;<BR /><BR />Starting GP client 5.2, you will have the option to set a default browser for the user i.e. Chrome and it should allow GP client to use SSO session if the user has already authenticated to the idp.&nbsp;<BR /><BR />Let me know if that helps!<BR /><BR />Thanks and stay safe</P> Fri, 19 Jun 2020 00:22:08 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/gp-sso-saml-azure-ad-microsoft-sso-login-page/m-p/334229#M219 khans 2020-06-19T00:22:08Z