OTP authentication with GlobalProtect

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

OTP authentication with GlobalProtect

L3 Networker

Hello all,

The customer has an inquiry about OTP authentication when logging in to the GP after booting the PC. When I log in again after disconnecting, I can log in without OTP authentication (session authentication is maintained), so is there any way to set up OTP authentication every time I disconnect? 

The authentication method is Azure SAML authentication.



L5 Sessionator

See my other post just made in the other SAML thread. There is apparently a way to force re-OTP of an existing token in Azure using a service authentication policy, but I haven't got that far yet.



L3 Networker

Hello @Adrian_Jensen 

Does that mean that Azure SAML has a re-OTP force function, but does not support it, so the above phenomenon occurs? 

Is this a phenomenon that only applies to Azure SAML? Because Okta SAML seems to be working normally.

L5 Sessionator

I have not used Okta, but I would guess that the token lifetimes are much shorter by default. Azure uses a token with a 90 day default lifetime, so it will be good for re-authorization until that is up:




In Azure there is a token attribute called "Multi-factor Refresh Token Max Age" that can apparently be changed to a much shorter timeframe, its default is either 180 days or "Until-revoked" depending on which MS document you look at, with a minimum lifetime of 10 minutes. From what little I understand of Azure, you can apply a security policy (called "Conditions Access" rules?) to specific Azure services/tenants which change the default lifetimes. So in Azure you would apply a policy to the GlobalProtect authentication service which would force re-OTP at a shorter interval. But... I know very little about Azure, hate dealing with Windows, I am leaving that to our MS guys to figure out all the details.  




Thank you for providing your professional response.

I want to make one thing clear. Then, if I use Azure SAML, is it a normal act to log out and log in again, the system allows me to connect to GP without OTP authentication?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!