06-25-2026 02:35 AM
Hi,
I have captive portal for auth users with SAML. Users are being prompted to reauthenticate after 20 minutes more or less. Where can the timeout be increased, or how can the requirement to reauthenticate every X amount of time be removed?
06-25-2026 03:11 AM
Hi @BigPalo ,
You have the authentication portal timer at Device > User Identification > Authentication Portal Settings > Timer (This is the maximum TTL in minutes, which is the maximum time that any Authentication Portal session can remain mapped (range is 1 to 1,440; default is 60). After this duration elapses, PAN-OS removes the mapping and users must re-authenticate even if the session is active. This timer prevents stale mappings and overrides the Idle Timer value.)
Besides that you also have a timer in your IdP. Even if you set the firewall's captive portal hard timer to 8 hours, users will still experience a background redirect to the IdP periodically to refresh the SAML assertion. If your IdP session cookie expires quickly, the user will see a login prompt anyway. To prevent this, ensure your IdP has a long session validity (the way you configure this depends on your IdP).
Hope this helps,
06-25-2026 06:35 AM - edited 06-25-2026 06:37 AM
Its already configured like that. timeout 1440 redirect cookie
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
