Who Me Too'd this topic

Is it possible to configure Global Protect VPN connection such that....

1. Pre-logon connects user during login
2. After login, they get prompted to Okta login to proceed to user session (vs pre-logon session)
3. Okta SSO works so they do not need to re-enter their AD credentials - this requires the pre-login tunnel to stay up while authenticating user
4. Push auth w/ Okta for MFA

...or maybe this way....

1. User logs into laptop with cache credentials
2. User initiates VPN connection
3. VPN authentication staged in such a way that it allows connection to the SSO server internally, so that Okta can SSO the user, then initiate a push before sending SAML auth and establishing full tunnel?

The goal I am trying to accomplish is really one basic thing: if the user logs into their laptop I want that to be FIRST FACTOR and for them to not be asked for it again (SSO).  But I want to secure full VPN tunnel w/ a second factor, and I want "push" or "enter code" from Okta mobile app to be that.  Problem is, Okta has not authenticated the remote user and SSO only works if the Okta SSO/IWA server is accessible to the host (and that server is in back office, and it's not secure to expose it to WAN)....so I am kind of in a pickle here (quite an annoying one if you ask me).  Once VPN is up - SSO works great!  Go figure.

I hope I am making sense!