SOLVED

Sensitive SAML apps such as Palo Alto GCPS use SAML for auth, but MFA is bypassed with the remember-me UI


Hi All,

We are looking to make the Palo Alto GCPS client work through SAML. The integration is successful, but when it comes to authentication with MFA, MFA is bypassed with "remember me". Since this is an app which gives VPN access, and to comply with various standards such as PCI, user-based MFA behavior is expected in these cases for those apps.

 

Scenarios we have tried are below, but MFA is bypassed in all cases.

1. Conditional Access with session control set to 1 hour.

2. Persistent browser session option with all cloud apps enabled.

3. Create a new custom auth policy: $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:30:00","MaxAgeSessionSingleFactor":"00:30:00","MaxAgeSessionMultiFactor":"00:30:00"}}') -DisplayName "PaloAlto-GCPS" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"

With the custom auth policy it at least prompts for the password, but it still bypasses MFA.

 

Is there a way to make MFA prompt for a particular app? Especially now that everything is becoming SaaS, including the firewall in this case, we are kind of stuck not using SAML, and the alternate path is RADIUS with third-party MFA to achieve user-based MFA.

 

I am sure I am not the only client with this problem; a lot of clients would have reported it. I have had an open case with support for more than 2 months to find a path.

 

Kindly share your thoughts and feedback. Sorry for the lengthy description, and this is my first post, so bear with me.

7 Replies

@Rajkumar_Manibharathy are you doing this from a Windows 10 machine that is hybrid joined? Does this use a browser such as Edge for presenting the login? Windows Hello becomes the secondary factor, from memory, when using MFA. If you use an incognito browser you should get prompted for MFA.


@Mark Lewis Yes, I am testing on Windows 10 and Mac, Hybrid Azure AD joined and Azure AD joined.

Based on the default browser we select, it presents Chrome, IE or Edge. Thanks, let me try incognito.

For Chrome I see there are a lot of extensions to make some websites default to incognito, but in IE and Edge I do not see anything like that. Any idea on that, please?

@Rajkumar_Manibharathy do you get prompted for MFA on the Mac OS device? Not sure how to force incognito/in-private for certain sites on Edge/IE off the top of my head.


@Mark Lewis yes, strangely it works on Mac. I even tried forcing IE into private mode always through its properties. Still it bypasses MFA.


And does it work (prompt for MFA) on a non-domain-joined or hybrid-joined machine? A personal laptop, for example.

 

Do you use Windows Hello for Business?

 

I suspect that the machine itself is being used as the second factor, rather than prompting on the app.


@Mark Lewis we do not use Hello for Business. On devices with the corporate image, both Mac and Windows, it bypasses MFA when remember me is checked. Only on a non-domain-joined device does it prompt for MFA.

Best Response confirmed by Rajkumar_Manibharathy (Occasional Contributor)
Solution

Updates!!! Finally it worked with one more change to the Azure AD policy.

But this option is in preview mode, I believe, so I am worried about going into prod with this.

 

{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:30:00","MaxAgeSessionSingleFactor":"00:30:00","MaxAgeSessionMultiFactor":"00:30:00","MaxAgeMultiFactor":"00:30:00"}}
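The following is an added example, not code posted in this thread, showing how the policy definition from the accepted answer above (and the New-AzureADPolicy call from the original post) can be created and bound to just the GlobalProtect SAML app with the AzureADPreview cmdlets. A TokenLifetimePolicy created with -IsOrganizationDefault $false has no effect until it is attached to a service principal, which is the step the thread does not spell out. The service principal display name, the policy display name and the JSON validation step are assumptions added here; only the policy definition itself comes from the accepted answer.

```powershell
# Added example (not from the thread). Requires the AzureADPreview module and
# an account that can manage application policies.
Import-Module AzureADPreview
Connect-AzureAD

# Assumed placeholder: display name of the Enterprise Application (service
# principal) that the GlobalProtect client authenticates against via SAML.
$appDisplayName = 'PaloAlto-GCPS'

# Policy definition from the accepted answer. The OP's first attempt lacked
# "MaxAgeMultiFactor"; that is the value that forces a fresh second factor
# after 30 minutes instead of honouring the "remember me" session.
$definition = @'
{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:30:00","MaxAgeSessionSingleFactor":"00:30:00","MaxAgeSessionMultiFactor":"00:30:00","MaxAgeMultiFactor":"00:30:00"}}
'@

# Assumed extra step: parse the JSON locally first, which catches the stray
# outer brace that appeared in the thread before Azure AD rejects it.
$null = $definition | ConvertFrom-Json -ErrorAction Stop

# Create the policy scoped to this app only (not the organisation default),
# so other SAML apps keep their existing session behaviour.
$policy = New-AzureADPolicy -Definition @($definition) `
    -DisplayName 'PaloAlto-GCPS-TokenLifetime' `
    -IsOrganizationDefault $false `
    -Type 'TokenLifetimePolicy'

# Look up the app's service principal and bind the policy to it.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "Service principal '$appDisplayName' not found" }

Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# Verify what is now attached to the app; the Definition column should show
# MaxAgeMultiFactor, otherwise the old "remember me" behaviour will persist.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Select-Object DisplayName, Type, Definition
```

After binding, test from a hybrid-joined device with "remember me" ticked, since that is the combination the thread found bypassed MFA; the sign-in log entry for the app should show the MFA requirement being satisfied by a fresh prompt rather than by a claim in the existing token.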