Globalprotect SAML Auth with Azure and MFA not prompting for MFA after reconnect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Globalprotect SAML Auth with Azure and MFA not prompting for MFA after reconnect

L3 Networker

Hi All,

There are a few topics on this.. I read most of them still unable to resolve this..

we have panorama with managed FWs (10.2.6) and GP portal and GW setup pointing to SAML profile that integrates into Azure and Azure IdP for MFA

 

at first logon, i was prompted for MFA and connected successfully.

log off, log back in again and does not prompt for MFA anymore.

i have 'single sign out' enabled on my saml auth profile.

in my gateway > agents > connection settings I have 'authentication cookie usage restrictions' disabled.

I deleted default browser cookies, deleted all gp cookies i can find on my local system.

 

however, when I reconnect it connects without asking for MFA.

any other settings i might need to look at on PA perhaps? or where this specific cookie is kept that is telling MFA i am still valid?

 

could this being a setting on Azure in the GP enterprise application? ie conditional access policy etc?

 

 

edit:  ok looks like it is by design using PRT (primary refresh tokens) - we are MFA'd, but just not realizing it perhaps 🙂

found a good article on this below

 

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompte...

 

.

 

any ideas?

thanks

 

5 REPLIES 5

Cyber Elite
Cyber Elite

changing conditional access in Azure to require MFA with every authentication should fix the issue (make sure you're not using authentication cookies on the gateway)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L3 Networker

Hi Reaper,

thanks for that.. we did the following with the following results..

note. auth cookies are disabled on the FWs

 

created a conditional policy for palo alto globalprotect and set the 'Session sign-in frequency' to 1 hour to do MFA

logged in to gp app and was prompted for MFA.. great. disconnected and reconnected (no MFA second time round) so will wait an hour and see if this prompts for MFA again. hope it does.

 

however i fear this might only be for BYOD / third parties and not applicable to Azure AD joined devices ie company laptops.. will test this still later today with client device.

 

2 more things and might post new discussions on them..

sometimes i get a 'can't reach this page' error for https://login.microsftonline.com when connecting to gp vpn - then close it, reconnect and it works.. might be bug or something. happens intermittently it seems.

the other thing. i suspect because i have saml auth profile applied to both portal and gateway, i get prompted to select my azure account twice. will investigate on this still.

 

anyways.. will keep this post updated with findings.

thanks

 

on the 2x authentication: this can be an expected behavior as you're also authenticating twice (portal and gw are different entities)

this can be bridged by setting the portal to accept cookies for example, so that you can always use cookies to auth against the portal to retrieve configuration etc, but need to auth against the gateways

the reverse is also possible

 

for the microsoftonline url, you could try creating split tunnel config to ensure authentication always happens outside of the tunnel regardless of what your connection state is

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L3 Networker

thanks..

so i have configured the portal to generate cookies and for the gateway to accept cookies.. this seems to work and resolve the dual auth issue.

randomly still getting the 'can't find this page' error upon first connection.. when you close it and reconnect, it then goes through as expected. it's also intermittent, sometimes goes in first time round.. other times get the error, close the window, reconnect then it works.

will log a tac also as not finding many docs on this issue on pan site atm.

 

edit: in portal/agent/name/app - ipv6 preferred was set to yes.. changed to no.

also changed 'use default browser for saml authentication' from no to yes

seems to be working sofar.. will get users to test and confirm it finally resolved.

 

Hello

What connectivity mode were you using : Always or Pre-Logon

was 'single sign out' enabled on saml auth profile still required after modifing the Session Sign-in Frequency on the contitional access a requirements to continue prompting for MFA?

 

 

  • 4736 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!