We currently have GlobalProtect deployed utilizing a combination of certificates (for pre-login) and SSO + SAML (to Azure AD) for user authentication. The SAML portion redirects the users to the Microsoft MFA portal for 6-digit authentication when they log in. This is working pretty much flawlessly.
The issue comes into play when a user stays logged into their machine (interactive login), their authentication expires and prompts the user to re-authenticate via the Microsoft MFA portal, and they are not at their machine to do so; therefore it times out and the host is no longer authenticated and no longer reachable on the network. Short of forcing machines to log off at night (which would switch the tunnel back to pre-login mode) or using the OS (Windows Welcome) to handle the MFA portion, does anyone know of a workaround to this? Ultimately this is causing us problems on weekends when we want to patch and a user simply doesn't log off.
Thanks in advance for any input you may have.
We have Prelogon/SAML authentication but use the cookie for prelogon authentication.
First we wanted to have your setup too but it seemed more simple and adequate to have the cookie.
Following the topic though.
A hotfix for 5.2.5 has been released with a lot of fixes btw: Addressed Issues in GlobalProtect App 5.2 (paloaltonetworks.com)