https://live.paloaltonetworks.com/t5/general-topics/globalprotect-saml-auth-with-azure-and-mfa-not-prompting-for-mfa/m-p/591287#M117744 <P>Hello</P> <P><SPAN>What connectivity mode were you using : Always or Pre-Logon</SPAN></P> <P>was&nbsp;<SPAN>'single sign out' enabled on saml auth profile still required after modifing the Session Sign-in Frequency on the contitional access a requirements to continue prompting for MFA?</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 05 Jul 2024 20:01:41 GMT bauernet32 2024-07-05T20:01:41Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-saml-auth-with-azure-and-mfa-not-prompting-for-mfa/m-p/576241#M115662 <P>Hi All,</P> <P>There are a few topics on this.. I read most of them still unable to resolve this..</P> <P>we have panorama with managed FWs (10.2.6) and GP portal and GW setup pointing to SAML profile that integrates into Azure and Azure IdP for MFA</P> <P>&nbsp;</P> <P>at first logon, i was prompted for MFA and connected successfully.</P> <P>log off, log back in again and does not prompt for MFA anymore.</P> <P>i have 'single sign out' enabled on my saml auth profile.</P> <P>in my gateway &gt; agents &gt; connection settings I have 'authentication cookie usage restrictions' disabled.</P> <P>I deleted default browser cookies, deleted all gp cookies i can find on my local system.</P> <P>&nbsp;</P> <P>however, when I reconnect it connects without asking for MFA.</P> <P>any other settings i might need to look at on PA perhaps? or where this specific cookie is kept that is telling MFA i am still valid?</P> <P>&nbsp;</P> <P>could this being a setting on Azure in the GP enterprise application? ie conditional access policy etc?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>edit:&nbsp; ok looks like it is by design using PRT (primary refresh tokens) - we are MFA'd, but just not realizing it perhaps <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>found a good article on this below</P> <P>&nbsp;</P> <P><A href="https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompted-for-mfa-as-expected/ba-p/1449032" target="_blank" rel="noopener">https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompted-for-mfa-as-expected/ba-p/1449032</A></P> <P>&nbsp;</P> <P>.</P> <P>&nbsp;</P> <P>any ideas?</P> <P>thanks</P> <P>&nbsp;</P> Tue, 06 Feb 2024 12:46:38 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-saml-auth-with-azure-and-mfa-not-prompting-for-mfa/m-p/576241#M115662 PA_nts 2024-02-06T12:46:38Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-saml-auth-with-azure-and-mfa-not-prompting-for-mfa/m-p/576244#M115663 <P>changing conditional access in Azure to require MFA with every authentication should fix the issue (make sure you're not using authentication cookies on the gateway)</P> Tue, 06 Feb 2024 12:40:48 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-saml-auth-with-azure-and-mfa-not-prompting-for-mfa/m-p/576244#M115663 reaper 2024-02-06T12:40:48Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-saml-auth-with-azure-and-mfa-not-prompting-for-mfa/m-p/576430#M115689 <P>Hi Reaper,</P> <P>thanks for that.. we did the following with the following results..</P> <P>note. auth cookies are disabled on the FWs</P> <P>&nbsp;</P> <P>created a conditional policy for palo alto globalprotect and set the 'Session sign-in frequency' to 1 hour to do MFA</P> <P>logged in to gp app and was prompted for MFA.. great. disconnected and reconnected (no MFA second time round) so will wait an hour and see if this prompts for MFA again. hope it does.</P> <P>&nbsp;</P> <P>however i fear this might only be for BYOD / third parties and not applicable to Azure AD joined devices ie company laptops.. will test this still later today with client device.</P> <P>&nbsp;</P> <P>2 more things and might post new discussions on them..</P> <P>sometimes i get a 'can't reach this page' error for <A href="https://login.microsftonline.com" target="_blank">https://login.microsftonline.com</A> when connecting to gp vpn - then close it, reconnect and it works.. might be bug or something. happens intermittently it seems.</P> <P>the other thing. i suspect because i have saml auth profile applied to both portal and gateway, i get prompted to select my azure account twice. will investigate on this still.</P> <P>&nbsp;</P> <P>anyways.. will keep this post updated with findings.</P> <P>thanks</P> <P>&nbsp;</P> Wed, 07 Feb 2024 10:22:27 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-saml-auth-with-azure-and-mfa-not-prompting-for-mfa/m-p/576430#M115689 PA_nts 2024-02-07T10:22:27Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-saml-auth-with-azure-and-mfa-not-prompting-for-mfa/m-p/576436#M115690 <P>on the 2x authentication: this can be an expected behavior as you're also authenticating twice (portal and gw are different entities)</P> <P>this can be bridged by setting the portal to accept cookies for example, so that you can always use cookies to auth against the portal to retrieve configuration etc, but need to auth against the gateways</P> <P>the reverse is also possible</P> <P>&nbsp;</P> <P>for the microsoftonline url, you could try creating split tunnel config to ensure authentication always happens outside of the tunnel regardless of what your connection state is</P> Wed, 07 Feb 2024 11:18:55 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-saml-auth-with-azure-and-mfa-not-prompting-for-mfa/m-p/576436#M115690 reaper 2024-02-07T11:18:55Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-saml-auth-with-azure-and-mfa-not-prompting-for-mfa/m-p/576763#M115757 <P>thanks..</P> <P>so i have configured the portal to generate cookies and for the gateway to accept cookies.. this seems to work and resolve the dual auth issue.</P> <P>randomly still getting the 'can't find this page' error upon first connection.. when you close it and reconnect, it then goes through as expected. it's also intermittent, sometimes goes in first time round.. other times get the error, close the window, reconnect then it works.</P> <P>will log a tac also as not finding many docs on this issue on pan site atm.</P> <P>&nbsp;</P> <P>edit: in portal/agent/name/app - ipv6 preferred was set to yes.. changed to no.</P> <P>also changed 'use default browser for saml authentication' from no to yes</P> <P>seems to be working sofar.. will get users to test and confirm it finally resolved.</P> <P>&nbsp;</P> Fri, 09 Feb 2024 08:42:12 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-saml-auth-with-azure-and-mfa-not-prompting-for-mfa/m-p/576763#M115757 PA_nts 2024-02-09T08:42:12Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-saml-auth-with-azure-and-mfa-not-prompting-for-mfa/m-p/591287#M117744 <P>Hello</P> <P><SPAN>What connectivity mode were you using : Always or Pre-Logon</SPAN></P> <P>was&nbsp;<SPAN>'single sign out' enabled on saml auth profile still required after modifing the Session Sign-in Frequency on the contitional access a requirements to continue prompting for MFA?</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 05 Jul 2024 20:01:41 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-saml-auth-with-azure-and-mfa-not-prompting-for-mfa/m-p/591287#M117744 bauernet32 2024-07-05T20:01:41Z