05-16-2024 09:42 AM
We have setup Globalprotect to connect to EntraID using SAML. Our goal is to have the user get prompted to enter in MFA everytime they connect to the GlobalProtect portal. How can I do this?
05-16-2024 12:48 PM - edited 05-16-2024 03:50 PM
Hi @asiewert ,
I believe the default authentication cookie lifetime in Entra is 90 days. I think these are the steps to change it for your PANW GP application in Entra.
I would not set it to 0 as cookie authentication is actually used by Entra (not PANW) for the gateway. That keeps users from being prompted for MFA by the portal and gateway. If you want Entra to prompt them every time, 5 minutes should be good.
Thanks,
Tom
05-16-2024 12:48 PM - edited 05-16-2024 03:50 PM
Hi @asiewert ,
I believe the default authentication cookie lifetime in Entra is 90 days. I think these are the steps to change it for your PANW GP application in Entra.
I would not set it to 0 as cookie authentication is actually used by Entra (not PANW) for the gateway. That keeps users from being prompted for MFA by the portal and gateway. If you want Entra to prompt them every time, 5 minutes should be good.
Thanks,
Tom
05-22-2024 08:19 AM
I think the session sign-in frequency is key! I believe this is working for us now. Have not tested it extensively, but every time a user logs into GlobalProtect, EntraID will prompt them for multifactor now.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
