OTP authentication with GlobalProtect


OTP authentication with GlobalProtect

L3 Networker


Hello all,

The customer has an inquiry about OTP authentication when logging in to GP after booting the PC. When I log in again after disconnecting, I can log in without OTP authentication (the session authentication is maintained), so is there any way to set it up so that OTP authentication is required every time I disconnect and reconnect?

The authentication method is Azure SAML authentication.

Thanks!

6 replies

L5 Sessionator

See my other post just made in the other SAML thread. There is apparently a way to force re-OTP of an existing token in Azure using a service authentication policy, but I haven't got that far yet.

 

https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-saml-auth/m-p/530014/h...

L3 Networker

Hello @Adrian_Jensen 

Does that mean that Azure SAML has a function to force re-OTP but it is not supported, so the above phenomenon occurs?

Is this a phenomenon that only applies to Azure SAML? Because Okta SAML seems to be working normally.

L5 Sessionator

I have not used Okta, but I would guess that the token lifetimes are much shorter by default. Azure uses a token with a 90 day default lifetime, so it will be good for re-authorization until that is up:

https://learn.microsoft.com/en-us/answers/questions/299782/what-are-*new*-default-refresh-token-life...

https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token...

 

In Azure there is a token attribute called "Multi-factor Refresh Token Max Age" that can apparently be changed to a much shorter timeframe; its default is either 180 days or "Until-revoked" depending on which MS document you look at, with a minimum lifetime of 10 minutes. From what little I understand of Azure, you can apply a security policy (called "Conditional Access" rules?) to specific Azure services/tenants that changes the default lifetimes. So in Azure you would apply a policy to the GlobalProtect authentication service which would force re-OTP at a shorter interval. But... I know very little about Azure, hate dealing with Windows, and I am leaving it to our MS guys to figure out all the details.

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access...
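The policy described above, as an added example that is not part of the thread and not Palo Alto Networks' or Microsoft's own code: a Conditional Access policy scoped to the GlobalProtect enterprise application that requires MFA and sets a time-based sign-in frequency, created with the Microsoft Graph PowerShell SDK. The application ID, the break-glass account ID and the one-hour interval are assumptions you replace with your tenant's values.

```powershell
# Added example (not from the thread): require MFA for the GlobalProtect
# enterprise application on a short, time-based sign-in frequency so a cached
# Azure refresh token no longer satisfies reconnects for months.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: the Application (client) ID of the GlobalProtect enterprise app
# in your tenant (Enterprise applications > GlobalProtect > Overview).
$gpAppId = "00000000-0000-0000-0000-000000000000"

# Placeholder: object ID of an emergency-access (break-glass) account, excluded
# so a misconfigured policy cannot lock every administrator out of the tenant.
$breakGlassId = "11111111-1111-1111-1111-111111111111"

$policy = @{
    displayName = "GlobalProtect - require MFA every hour"
    # Start in report-only mode, review the sign-in logs, then set to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications = @{ includeApplications = @($gpAppId) }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            type               = "hours"
            value              = 1                 # assumed interval; adjust to policy
            frequencyInterval  = "timeBased"
            # Re-prompt for password and second factor, not only the second factor.
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Once the policy is enabled, a GlobalProtect reconnect after the interval has elapsed is sent back through Entra ID for a fresh interactive sign-in including the second factor, which is the behaviour the original question asks for; reconnects inside the interval still reuse the session. Report-only mode first lets you confirm in the sign-in logs that only the GlobalProtect app is matched before users are affected.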

 

@Adrian_Jensen 

Thank you for providing your professional response.

I want to make one thing clear. If I use Azure SAML, is it normal that when I log out and log in again, the system allows me to connect to GP without OTP authentication?
