As per TAC this is by design but i asked him to confirm with Engineering also.

Hi @MP18 

I don't really get it. Why isn't this possible exactly? With SAML you get single sign on, but as you have another loginfactor the push notification should be sent - so why not in your configuration? Don't give up too easily with answers from TAC

If there really isn't a way without a feature request where you have to wait, what about using RADIUS MFA connectior for your always-on clients? Does it maybe work this way with SSO and push notifications?

We have Global protect PRe log on  Always on for pilot testing.

We have SAML configured where we get the push notifications on mobile for authentication.

We are using Azure SAML.

When user put the domain password during log on then GP client connects automatically they do not get mobile push notifications.

Opened ticket with TAC almost 2 weeks ago and today he confirmed that this is expected behaviour.

We can not force push mobile notifications while using pre log on always on connection method.

Also as our current setup we only want to use SAML using Azure.

You are using the newest GP version? Or at least something above 5.0.2?

(I am asking as I intended to do a similar setup ... but this now does not sound very good ...)

I am using GP client 5.0.4.16

But the push notification is sent by your SAML IdP or the attached MFA service right? And GP officially supports "Pre-logon followed by SAML". So when viewing from the other side: why is this an issue of GP as the IdP is sending or at least triggering the push notification?

We do not have MFA configured.

As per PA while using Global protect External  and using SAML you can not have MFA.

I could not find answer for this checked with PA and also with our SE.

Only option is to use on demand connection method.

As per PA we can submit the feature request to them.