02-05-2023 11:29 PM
The customer has an inquiry about OTP authentication when logging in to the GP after booting the PC. When I log in again after disconnecting, I can log in without OTP authentication (session authentication is maintained), so is there any way to set up OTP authentication every time I disconnect? The authentication method is Azure SAML authentication.
02-06-2023 11:38 AM
See my other post just made in the other SAML thread. There is apparently a way to force re-OTP of an existing token in Azure using a service authentication policy, but I haven't got that far yet.
02-06-2023 04:16 PM
Does that mean that Azure SAML has a re-OTP force function, but does not support it, so the above phenomenon occurs? Is this a phenomenon that only applies to Azure SAML? Because Okta SAML seems to be working normally.
02-07-2023 07:43 AM
I have not used Okta, but I would guess that the token lifetimes are much shorter by default. Azure uses a token with a 90 day default lifetime, so it will be good for re-authorization until that is up:
In Azure there is a token attribute called "Multi-factor Refresh Token Max Age" that can apparently be changed to a much shorter timeframe, its default is either 180 days or "Until-revoked" depending on which MS document you look at, with a minimum lifetime of 10 minutes. From what little I understand of Azure, you can apply a security policy (called "Conditions Access" rules?) to specific Azure services/tenants which change the default lifetimes. So in Azure you would apply a policy to the GlobalProtect authentication service which would force re-OTP at a shorter interval. But... I know very little about Azure, hate dealing with Windows, I am leaving that to our MS guys to figure out all the details.
02-07-2023 04:29 PM
Thank you for providing your professional response.
I want to make one thing clear. Then, if I use Azure SAML, is it a normal act to log out and log in again, the system allows me to connect to GP without OTP authentication?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!