Why sometime we see the Microsoft SSO Login page requesting password ?
Most of the time, this is seemless and transparent to user, and we do not have to enter username/password which show me that SSO is working great. However, like I said, sometime, we got the Microsoft SSO Login page requesting password.
I'm just wondering which cause the Microsoft Login page to request entering password during logon.
PanOS supports SP initiated authentication for SAML, so when the user authenticates to the idP, the client will hold an SSO cookie, to authenticate all subsequent connections, hence SSO will work. But if the Cookie expires from the idP side and/or login lifetime has expired on the firewall, then the user will be initiated to authenticate again.
You can extend the login time from your idP side, as well as the firewall Login Lifetime on the gateway side. If both of these are extended, then the user should be able to authenticate for a longer period of time, but they will still be prompted to authenticate once the SSO session expires. Currently, the GP client uses an embedded browser like IE for windows, and it can't use the SSO session from let's say Chrome browser, where the user might have already authenticated to the idp.
Starting GP client 5.2, you will have the option to set a default browser for the user i.e. Chrome and it should allow GP client to use SSO session if the user has already authenticated to the idp.
Let me know if that helps!
Thanks and stay safe
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The Live Community thanks you for your participation!