This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

GlobalProtect Azure/SAML MFA prompt everytime a user logs in

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GlobalProtect Azure/SAML MFA prompt everytime a user logs in

Go to solution
asiewert
L1 Bithead

‎05-16-2024 09:42 AM

We have setup Globalprotect to connect to EntraID using SAML. Our goal is to have the user get prompted to enter in MFA everytime they connect to the GlobalProtect portal. How can I do this? 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎05-16-2024 12:48 PM - edited ‎05-16-2024 03:50 PM

Hi @asiewert ,

 

I believe the default authentication cookie lifetime in Entra is 90 days.  I think these are the steps to change it for your PANW GP application in Entra.

 

  1. Enterprise Applications > open your GP app
  2. Protection > Conditional Access
  3. New Policy
  4. Access controls > Session
  5. Sign-in frequency > Periodic reauthentication

https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session...

 

I would not set it to 0 as cookie authentication is actually used by Entra (not PANW) for the gateway.  That keeps users from being prompted for MFA by the portal and gateway.  If you want Entra to prompt them every time, 5 minutes should be good.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

View solution in original post

2 REPLIES 2

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎05-16-2024 12:48 PM - edited ‎05-16-2024 03:50 PM

Hi @asiewert ,

 

I believe the default authentication cookie lifetime in Entra is 90 days.  I think these are the steps to change it for your PANW GP application in Entra.

 

  1. Enterprise Applications > open your GP app
  2. Protection > Conditional Access
  3. New Policy
  4. Access controls > Session
  5. Sign-in frequency > Periodic reauthentication

https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session...

 

I would not set it to 0 as cookie authentication is actually used by Entra (not PANW) for the gateway.  That keeps users from being prompted for MFA by the portal and gateway.  If you want Entra to prompt them every time, 5 minutes should be good.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Go to solution
asiewert
L1 Bithead
In response to TomYoung

‎05-22-2024 08:19 AM

I think the session sign-in frequency is key! I believe this is working for us now. Have not tested it extensively, but every time a user logs into GlobalProtect, EntraID will prompt them for multifactor now.

 

asiewert_0-1716391076287.png

 

  • 1 accepted solution
  • 2677 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks