https://live.paloaltonetworks.com/t5/globalprotect-discussions/saml-authentication-users-not-prompted-for-password-or-mfa/m-p/565200#M4611 <P>Hi all,</P> <P>We've setup SAML / SSO and all works OK , however, when GlobalProtect starts, it automatically connects without asking for any creds. I'm assuming this is a result of the machine being joined to the same domain so the password is not needed. However, I'd like to configure it so that at least an MFA prompt occurs.&nbsp;</P> <P>&nbsp;</P> <P>Connecting on a non joined machine does exhibit this behavior.&nbsp;</P> Fri, 10 Nov 2023 18:43:08 GMT SethEfrat 2023-11-10T18:43:08Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/saml-authentication-users-not-prompted-for-password-or-mfa/m-p/565200#M4611 <P>Hi all,</P> <P>We've setup SAML / SSO and all works OK , however, when GlobalProtect starts, it automatically connects without asking for any creds. I'm assuming this is a result of the machine being joined to the same domain so the password is not needed. However, I'd like to configure it so that at least an MFA prompt occurs.&nbsp;</P> <P>&nbsp;</P> <P>Connecting on a non joined machine does exhibit this behavior.&nbsp;</P> Fri, 10 Nov 2023 18:43:08 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/saml-authentication-users-not-prompted-for-password-or-mfa/m-p/565200#M4611 SethEfrat 2023-11-10T18:43:08Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/saml-authentication-users-not-prompted-for-password-or-mfa/m-p/565271#M4617 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/331192">@SethEfrat</a> ,</P> <P>&nbsp;</P> <P>When SAML/SSO does not prompt for creds or MFA, it is almost always an authentication cookie.&nbsp; Check you IdP authentication cookie settings.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Mon, 13 Nov 2023 00:40:01 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/saml-authentication-users-not-prompted-for-password-or-mfa/m-p/565271#M4617 TomYoung 2023-11-13T00:40:01Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/saml-authentication-users-not-prompted-for-password-or-mfa/m-p/569706#M4731 <P>This might be a known issue that is being addressed on PANOS 10.2.5 where a<SPAN>ddressed a situation where the firewall failed to appropriately initiate Single Log-out (SLO) towards the client, leading to the client's inability to trigger the SLO request towards the identity provider (IdP). Consequently, this led to the IdP not executing the SLO callback to the firewall for user removal.</SPAN></P> <P><SPAN>I</SPAN>ssue ID:&nbsp;PAN-213296</P> <P>&nbsp;</P> <P>Can be found on PANOS 10.2.5 release notes:</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-5-known-and-addressed-issues/pan-os-10-2-5-addressed-issues" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-5-known-and-addressed-issues/pan-os-10-2-5-addressed-issues</A></P> Wed, 13 Dec 2023 13:43:04 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/saml-authentication-users-not-prompted-for-password-or-mfa/m-p/569706#M4731 jfernandez1 2023-12-13T13:43:04Z