https://live.paloaltonetworks.com/t5/globalprotect-discussions/vpn-sso-with-mfa-every-time/m-p/521883#M3443 <P>Hi</P> <P>&nbsp;</P> <P>We have recently purchased a Palo Alto firewall and connect to the VPN using GlobalProtect.&nbsp;</P> <P>&nbsp;</P> <P>For Teams/Sharepoint etc. We use Azure MFA where a push notification comes through to the authenticator app and to get this working on GlobalProtect we had to set up a radius server.</P> <P>&nbsp;</P> <P>The reason we can't use Azure MFA with GlobalProtect is that we want someone to be prompted for MFA <U>every time</U> they connect to the VPN.&nbsp; This works with radius but with Azure MFA you only get prompted once per hour.</P> <P>&nbsp;</P> <P>The problem we have is that now we can't use single sign on for Global Protect as this doesn't work with Radius.</P> <P>&nbsp;</P> <P>Is there any way around this - so we can have single sign on and be prompted for MFA on the microsoft authenticator app every time?</P> <P>&nbsp;</P> <P>Thanks!</P> Mon, 21 Nov 2022 15:41:25 GMT edmozley 2022-11-21T15:41:25Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/vpn-sso-with-mfa-every-time/m-p/521883#M3443 <P>Hi</P> <P>&nbsp;</P> <P>We have recently purchased a Palo Alto firewall and connect to the VPN using GlobalProtect.&nbsp;</P> <P>&nbsp;</P> <P>For Teams/Sharepoint etc. We use Azure MFA where a push notification comes through to the authenticator app and to get this working on GlobalProtect we had to set up a radius server.</P> <P>&nbsp;</P> <P>The reason we can't use Azure MFA with GlobalProtect is that we want someone to be prompted for MFA <U>every time</U> they connect to the VPN.&nbsp; This works with radius but with Azure MFA you only get prompted once per hour.</P> <P>&nbsp;</P> <P>The problem we have is that now we can't use single sign on for Global Protect as this doesn't work with Radius.</P> <P>&nbsp;</P> <P>Is there any way around this - so we can have single sign on and be prompted for MFA on the microsoft authenticator app every time?</P> <P>&nbsp;</P> <P>Thanks!</P> Mon, 21 Nov 2022 15:41:25 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/vpn-sso-with-mfa-every-time/m-p/521883#M3443 edmozley 2022-11-21T15:41:25Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/vpn-sso-with-mfa-every-time/m-p/522497#M3458 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/258035">@edmozley</a>,</P> <P>I am not sure if I understand your question, so let me know if I got it wrong.</P> <P>If you want GlobalProtect to prompt user only once every hour, the simple way is to use <A href="https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/authentication/about-globalprotect-user-authentication/how-does-the-app-know-what-credentials-to-supply/cookie-authentication-on-the-portal-or-gateway" target="_blank">Cookie Authentication on the Portal or Gateway (paloaltonetworks.com)</A></P> <P>&nbsp;</P> <P>Basically when user have authenticated successfully, FW will generate a cookie which will be sent to the GP client (you can configure the lifetime duration of the cookie, aka how long after its creations is considered valid). Upon next connection GP client will first send it cookie (if such exist on the machine), FW will check its validity and if it valid will authenticate the user without prompting the user for credentials.</P> Sun, 27 Nov 2022 17:07:24 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/vpn-sso-with-mfa-every-time/m-p/522497#M3458 aleksandar.astardzhiev 2022-11-27T17:07:24Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/vpn-sso-with-mfa-every-time/m-p/583432#M5244 <P>Hello, where you able to find a way to prompt a user for MFA each time they sign on using Microsoft Authentication and SAML?&nbsp;</P> Thu, 11 Apr 2024 20:17:20 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/vpn-sso-with-mfa-every-time/m-p/583432#M5244 cdamore 2024-04-11T20:17:20Z