topic Re: GlobalProtect SAML Azure AD Entera ID and cookies in GlobalProtect Discussions

GlobalProtect SAML Azure AD Entera ID and cookies

daniel.nicklasson — Thu, 08 Feb 2024 12:26:51 GMT

Hi, we have recently implemented Azure Entera ID SAML auth on our portal/gateway on a customer. This works fine with authenticating.

However there is a small quirk that is annoying. Everytime the client needs to connect, they have to choose which account to use (They have other private Office accounts as well as the business one). Even though they are logged in with their main account, it is still asking for which account to use.

See screenshots for more details: https://imgur.com/a/qqQd8Kd

How do you use your SAML auth to make this work okay?

Current cookie settings:

Portal: Generate cookie Checked. Accept Cookie Checked. Lifetime 2 days.

Gateway: Generate cookie Unchecked. Accept Cookie Checked. Lifetime 24 hours.

Thanks

Re: GlobalProtect SAML Azure AD Entera ID and cookies

reaper — Fri, 09 Feb 2024 09:14:19 GMT

AFAIK this is a side effect of how windows stores identities once you have a SAML token for an account in your system. The SAML authentication is a direct connection with the IdP which retrieves your stored identities

Re: GlobalProtect SAML Azure AD Entera ID and cookies

ThomasZetzsche — Sun, 11 Feb 2024 19:14:36 GMT

Not exactly you case, our ousers just have one Account, but to avoid tons of Auth Requests (MFA for example) we create and also accept then cookies. helps also when user changes in the office from LAN to WLAN for example.