Avoid reauth in Captive portal

BigPalo — Thu, 25 Jun 2026 09:35:15 GMT

Hi,

I have captive portal for auth users with SAML. Users are being prompted to reauthenticate after 20 minutes more or less. Where can the timeout be increased, or how can the requirement to reauthenticate every X amount of time be removed?

Re: Avoid reauth in Captive portal

kiwi — Thu, 25 Jun 2026 10:11:02 GMT

Hi @BigPalo ,

You have the authentication portal timer at Device > User Identification > Authentication Portal Settings > Timer (This is the maximum TTL in minutes, which is the maximum time that any Authentication Portal session can remain mapped (range is 1 to 1,440; default is 60). After this duration elapses, PAN-OS removes the mapping and users must re-authenticate even if the session is active. This timer prevents stale mappings and overrides the Idle Timer value.)

Besides that you also have a timer in your IdP. Even if you set the firewall's captive portal hard timer to 8 hours, users will still experience a background redirect to the IdP periodically to refresh the SAML assertion. If your IdP session cookie expires quickly, the user will see a login prompt anyway. To prevent this, ensure your IdP has a long session validity (the way you configure this depends on your IdP).

Hope this helps,

Re: Avoid reauth in Captive portal

BigPalo — Thu, 25 Jun 2026 13:37:16 GMT

Its already configured like that. timeout 1440 redirect cookie

topic Avoid reauth in Captive portal in General Topics

Avoid reauth in Captive portal

Re: Avoid reauth in Captive portal

Re: Avoid reauth in Captive portal