11-10-2023 10:43 AM
Hi all,
We've set up SAML / SSO and all works OK; however, when GlobalProtect starts, it automatically connects without asking for any creds. I'm assuming this is a result of the machine being joined to the same domain so the password is not needed. However, I'd like to configure it so that at least an MFA prompt occurs.
Connecting on a non-joined machine does exhibit this behavior.
11-12-2023 04:40 PM
Hi @SethEfrat ,
When SAML/SSO does not prompt for creds or MFA, it is almost always an authentication cookie. Check your IdP authentication cookie settings.
Thanks,
Tom
12-13-2023 05:40 AM - edited 12-13-2023 05:43 AM
This might be a known issue that is being addressed on PANOS 10.2.5, which addressed a situation where the firewall failed to appropriately initiate Single Log-out (SLO) towards the client, leading to the client's inability to trigger the SLO request towards the identity provider (IdP). Consequently, this led to the IdP not executing the SLO callback to the firewall for user removal.
Issue ID: PAN-213296
Can be found on PANOS 10.2.5 release notes: