GlobalProtect with SAML to Azure AD - selecting account when activating GP

cancel
Showing results for 
Search instead for 
Did you mean: 

GlobalProtect with SAML to Azure AD - selecting account when activating GP

L0 Member

Hello Community,

 

we´ve configured GP to authenticate via SAML to our Azure AD service so that we can use MFA on GP.

GP is only used by IT employees with their "admin" accounts.

So far, it seems to work fine how its configured.

 

The only problem we are facing is, that some users are not asked which Microsoft account they want to use in GP when they activate GP.

We dont want the "normal" corporate accounts to get used for GP, but on some machines, GP automatically selects their normal accounts when connecting the client and the normal accounts dont have permissions to connect to GP.

Is there a way to "force" a account selection when connection to GP or when authenticating to Azure via SAML? What could be the reason why some machines are automatically selecting an account and others are asking which account should be used for GP? Any Azure cookie or token lifetime?

 

Thanks in advance

3 REPLIES 3

L1 Bithead

Any one managed to solve this issue? In essence the GP client seems to just leverage the default PC login credentials for the authentication. In this instance we do not want to use login credentials but the credentials from a different organisation. 

I can only assume this is some sort of setting on the PC itself as other "non-domain" domain joined PCs are prompted to choose which account to utilise. I have tried logging out of the account on my browsers and have also tried deploying registry keys to prevent SSO logins. Nothing works and we continue to receive login errors due to the wrong user credentials been automatically submitted.

 

L0 Member

Hi Steve,

in meantime I solved this issue for us.

The root cause why our users weren't asked for credentials was the lifetime of the Azure token lifetime, which is very long in my opinion. (If I remember right, it's about 90 days or so)

With an active token the user isn't asked for new credentials and then it's possible, that a wrong account is selected by the application. This is especially a problem, when the application should be used with another account than the "normal" user account which is used for logging into their client or their standard enterprise applications.

Microsoft don't want the user to get asked for credentials every hour, day, etc. because this could be uncomfortable for a normal user to work with.

There is no chance to modify this token lifetime in Azure so I did a workaround. I created a "Conditional Access Policy" on Azure in my GP application which set's the sign-in frequency to 1 hour. So when a user is logged in to GP and he's disconnected within the first hour, he won't be asked for his credentials and he can re-login. But after 1 hour he is asked for credentials, again.

This work's fine for us till now and our users are automatically asked for new credentials or their account every morning when they start to work because the night over they were disconneced and the single hour their sign-in frequency is valid has expired till then.

 

You can find a lot of articles how to set up these conditional access policies for sign-in frequency on the internet.

L1 Bithead

Finally solved this. Basically needed to add the account under the Windows > Settings > Email and Accounts > Add a work or school account. 

 

 After that we get a window that pops up and asks which account to sign in with. I have had a couple of corner cases where some PCs insist on using the user configured default browser which then signs them in with the "other" SAML creds. I think this issue is because of another GP Client configuration that allows for the default browser to be utilised even though this profile does not allow it. 

 

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!