02-06-2024 03:45 AM - edited 02-06-2024 04:46 AM
Hi All,
There are a few topics on this. I read most of them and am still unable to resolve this.
We have Panorama with managed FWs (10.2.6) and a GP portal and GW setup pointing to a SAML profile that integrates into Azure, with Azure as the IdP for MFA.
At first logon, I was prompted for MFA and connected successfully.
Log off, log back in again, and it does not prompt for MFA anymore.
I have 'Single Sign Out' enabled on my SAML auth profile.
In my gateway > agents > connection settings I have 'Authentication Cookie Usage Restrictions' disabled.
I deleted default browser cookies and deleted all GP cookies I can find on my local system.
However, when I reconnect it connects without asking for MFA.
Any other settings I might need to look at on PA perhaps? Or where is this specific cookie kept that is telling MFA I am still valid?
Could this be a setting on Azure in the GP enterprise application, i.e. a conditional access policy etc.?
edit: ok, looks like it is by design using PRT (primary refresh tokens) - we are MFA'd, but just not realizing it perhaps 🙂
Found a good article on this below
Any ideas?
Thanks
02-06-2024 04:40 AM - edited 02-06-2024 04:40 AM
Changing conditional access in Azure to require MFA with every authentication should fix the issue (make sure you're not using authentication cookies on the gateway).
02-07-2024 02:22 AM
Hi Reaper,
Thanks for that. We did the following, with the following results.
Note: auth cookies are disabled on the FWs.
Created a conditional access policy for Palo Alto GlobalProtect and set the 'Sign-in frequency' to 1 hour to do MFA.
Logged in to the GP app and was prompted for MFA. Great. Disconnected and reconnected (no MFA second time round), so will wait an hour and see if this prompts for MFA again. Hope it does.
However, I fear this might only be for BYOD / third parties and not applicable to Azure AD joined devices, i.e. company laptops. Will test this later today with a client device.
2 more things, and I might post new discussions on them:
Sometimes I get a 'can't reach this page' error for https://login.microsoftonline.com when connecting to GP VPN - then close it, reconnect and it works. Might be a bug or something; it happens intermittently it seems.
The other thing: I suspect because I have the SAML auth profile applied to both portal and gateway, I get prompted to select my Azure account twice. Will investigate this still.
Anyways, will keep this post updated with findings.
Thanks
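The Conditional Access policy the replies describe (require MFA for the GlobalProtect app, with a 1-hour sign-in frequency so a valid token or PRT does not skip the prompt), as an added example using the Microsoft Graph PowerShell SDK; this is not the thread's or Palo Alto's own code. It assumes the SDK is installed, that the caller can consent to the listed scopes, and that the enterprise application is named 'Palo Alto Networks - GlobalProtect' in the tenant (adjust the filter if yours differs).

```powershell
# Added example: create the Conditional Access policy discussed in the thread.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Look up the GlobalProtect enterprise application. The display name is an
# assumption; use whatever your tenant shows under Enterprise applications.
$gpApp = Get-MgServicePrincipal -Filter "displayName eq 'Palo Alto Networks - GlobalProtect'"
if (-not $gpApp) { throw "GlobalProtect enterprise application not found" }

$policy = @{
    displayName = "GlobalProtect - require MFA, re-prompt every hour"
    # Start in report-only mode and switch to "enabled" once the sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        # Conditional Access targets the application (client) ID, not the object ID.
        applications   = @{ includeApplications = @($gpApp.AppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # The "Sign-in frequency" session control: force re-authentication after
        # 1 hour even when the client still holds a valid token or PRT for the app.
        signInFrequency = @{
            isEnabled         = $true
            frequencyInterval = "timeBased"
            type              = "hours"
            value             = 1
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

The policy only takes effect when GlobalProtect actually performs a SAML authentication, which is why the reply above also says to keep authentication cookies disabled on the gateway.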
02-07-2024 03:18 AM
On the 2x authentication: this can be expected behavior, as you're also authenticating twice (portal and GW are different entities).
This can be bridged by setting the portal to accept cookies, for example, so that you can always use cookies to auth against the portal to retrieve configuration etc., but need to auth against the gateways.
The reverse is also possible.
For the microsoftonline URL, you could try creating a split tunnel config to ensure authentication always happens outside of the tunnel regardless of what your connection state is.
02-08-2024 11:25 PM - edited 02-09-2024 12:42 AM
Thanks.
So I have configured the portal to generate cookies and the gateway to accept cookies. This seems to work and resolves the dual auth issue.
Randomly still getting the 'can't find this page' error upon first connection. When you close it and reconnect, it then goes through as expected. It's also intermittent: sometimes it goes in first time round, other times I get the error, close the window, reconnect and then it works.
Will log a TAC case also, as I'm not finding many docs on this issue on the PAN site atm.
edit: in portal/agent/name/app - 'IPv6 Preferred' was set to Yes. Changed to No.
Also changed 'Use Default Browser for SAML Authentication' from No to Yes.
Seems to be working so far. Will get users to test and confirm it is finally resolved.
07-05-2024 01:01 PM
Hello,
What connectivity mode were you using: Always On or Pre-Logon?
Was 'Single Sign Out' enabled on the SAML auth profile still required after modifying the Sign-in Frequency in the Conditional Access requirements to continue prompting for MFA?