GlobalProtect Azure/SAML MFA prompt every time a user logs in


L1 Bithead

We have set up GlobalProtect to connect to Entra ID using SAML. Our goal is to have the user get prompted to enter in MFA every time they connect to the GlobalProtect portal. How can I do this?

Accepted Solutions

Cyber Elite

Hi @asiewert,

I believe the default authentication cookie lifetime in Entra is 90 days. I think these are the steps to change it for your PANW GP application in Entra.

  1. Enterprise Applications > open your GP app
  2. Protection > Conditional Access
  3. New Policy
  4. Access controls > Session
  5. Sign-in frequency > Periodic reauthentication

https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session...

I would not set it to 0 as cookie authentication is actually used by Entra (not PANW) for the gateway. That keeps users from being prompted for MFA by the portal and gateway. If you want Entra to prompt them every time, 5 minutes should be good.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.
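
The portal steps in the answer above, expressed as the request body for Microsoft Graph's `POST /identity/conditionalAccess/policies`. This is an added example, not part of the original post. The function name, display name and application ID are placeholders, and scoping to all users in report-only mode is an assumption.

```python
import json

# Enum values from Microsoft Graph's conditionalAccessPolicy resource.
TIME_UNITS = ("hours", "days")   # a time-based interval accepts only these units
STATES = ("enabled", "disabled", "enabledForReportingButNotEnforced")


def build_gp_signin_frequency_policy(app_id, *, every_time=False, value=None,
                                     unit=None, exclude_users=(),
                                     state="enabledForReportingButNotEnforced"):
    """Build the body for POST /identity/conditionalAccess/policies."""
    if state not in STATES:
        raise ValueError(f"state must be one of {STATES}")
    if every_time:
        # Reauthenticate on every sign-in: no value/unit is sent.
        if value is not None or unit is not None:
            raise ValueError("every_time cannot be combined with value/unit")
        interval = {"frequencyInterval": "everyTime", "value": None, "type": None}
    else:
        if unit not in TIME_UNITS:
            raise ValueError(f"unit must be one of {TIME_UNITS}")
        if isinstance(value, bool) or not isinstance(value, int) or value < 1:
            raise ValueError("value must be a positive integer")
        interval = {"frequencyInterval": "timeBased", "value": value, "type": unit}
    return {
        "displayName": "GlobalProtect sign-in frequency",  # hypothetical name
        "state": state,  # report-only by default so impact shows in sign-in logs first
        "conditions": {
            "clientAppTypes": ["all"],
            # Step 1: target only the GlobalProtect enterprise application.
            "applications": {"includeApplications": [app_id]},
            # Assumption: all users in scope, minus e.g. emergency-access accounts.
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(exclude_users)},
        },
        # Steps 4-5: Access controls > Session > Sign-in frequency.
        "sessionControls": {"signInFrequency": {
            "isEnabled": True,
            "authenticationType": "primaryAndSecondaryAuthentication",
            **interval,
        }},
    }


if __name__ == "__main__":
    GP_APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real app ID
    print(json.dumps(build_gp_signin_frequency_policy(GP_APP_ID, every_time=True), indent=2))
```

Switch `state` to `enabled` only after the report-only results in the Entra sign-in logs match what you expect for GlobalProtect logins.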


I think the session sign-in frequency is key! I believe this is working for us now. Have not tested it extensively, but every time a user logs into GlobalProtect, Entra ID will prompt them for multifactor now.

 
