GlobalProtect portal and gateway authentication override cookie lifetime does not expire or last for set lifetime

Created On 02/12/22 00:28 AM - Last Modified 06/12/23 21:41 PM


Symptom


 
  • A GlobalProtect Authentication Override cookie configured with a 10-minute lifetime appears to keep working after 10 minutes: the user is connected without being prompted for credentials.


Environment


  • GlobalProtect App 5.2 or newer
  • Portal and Gateway configured to use Authentication Override cookie
  • PAN-OS 9.1 or newer
  • Portal and Gateway are configured for SAML authentication


Cause


  • The Authentication Override cookie only controls how long the portal or gateway accepts the cookie in place of a full authentication. Once it expires, the client is sent back through SAML authentication, and the SAML IDP session cookie (also called a token) is checked before the user is prompted. If that IDP session is still valid, the IDP returns a fresh assertion without prompting, and the portal or gateway issues a new Authentication Override cookie.
  • Every SAML IDP has its own default session cookie lifetime. For Okta it is 8 hours. After the user authenticates for the first time, the user is connected without being prompted for credentials for the next 8 hours, even though the Authentication Override cookie lifetime is configured for 10 minutes.


Resolution


Configure conditional access rules on the IDP side so that the user is prompted every time they connect, or adjust the IDP session cookie lifetime to the desired value. Lowering the Authentication Override cookie lifetime on the portal or gateway alone does not change how often the user is prompted.

Additional Information


- The IDP session cookie has nothing to do with the accepted cookie lifetime set on the Gateway.
- The SAML IDP session cookie does not extend the Gateway accept cookie lifetime.
- The SAML IDP session cookie is used to avoid being prompted to reauthenticate against the SAML/Okta server. Its lifetime is set on the IDP and is normally long if not modified.

Clarification:

The first time you authenticate against the portal/gateway, you are prompted for your username and password and for whatever additional factor you have defined, before Okta states that you are accepted and authenticated. After authentication, the Okta SAML server returns a response that carries an IDP session cookie. This cookie is presented to SAML/Okta, not to the Portal/Gateway. When you connect to the Portal/Gateway again, the authentication against SAML/Okta uses the IDP session cookie stored on the client's computer, which avoids a prompt for credentials.
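The following model illustrates the interaction described in the Cause, Resolution and Clarification sections above. It is an added example written for this article, not Palo Alto Networks or Okta code, and it does not talk to a real portal, gateway or IDP. The 10-minute override lifetime and 8-hour IDP session lifetime are taken from the article; the user name, the connection times and the `always_prompt` flag (standing in for an IDP conditional access rule that forces a prompt on every login) are assumptions made for the example.

```python
"""Model of the GlobalProtect SAML login flow: a portal/gateway
Authentication Override cookie in front of an IDP session cookie.

Added example, not Palo Alto Networks or Okta code. Lifetimes follow the
article (10-minute override cookie, 8-hour Okta session by default).
"""
from dataclasses import dataclass, field

MINUTE = 60
HOUR = 60 * MINUTE


@dataclass
class Cookie:
    issued_at: int   # seconds since an arbitrary epoch
    lifetime: int    # seconds

    def valid_at(self, now: int) -> bool:
        return now < self.issued_at + self.lifetime


@dataclass
class Idp:
    """SAML IDP. Its session cookie is checked before the user is asked
    for credentials and MFA; `always_prompt` models a conditional access
    rule that requires a prompt on every login (assumed knob)."""
    session_lifetime: int = 8 * HOUR
    always_prompt: bool = False
    sessions: dict = field(default_factory=dict)

    def authenticate(self, user: str, now: int) -> bool:
        """Run SAML authentication; return True if the user was prompted."""
        sess = self.sessions.get(user)
        if sess is not None and sess.valid_at(now) and not self.always_prompt:
            return False  # silent SSO: IDP session cookie still valid
        # Credentials and second factor are collected here, then a fresh
        # IDP session cookie is issued with the IDP's own lifetime.
        self.sessions[user] = Cookie(issued_at=now, lifetime=self.session_lifetime)
        return True


@dataclass
class Gateway:
    """Portal/gateway that honours an Authentication Override cookie."""
    override_lifetime: int = 10 * MINUTE
    cookies: dict = field(default_factory=dict)

    def connect(self, user: str, now: int, idp: Idp) -> bool:
        """Return True if the user was prompted for credentials on this connect."""
        c = self.cookies.get(user)
        if c is not None and c.valid_at(now):
            return False  # override cookie accepted; the IDP is never contacted
        # Override cookie missing or expired: SAML authentication runs again.
        # Whether the user sees a prompt is decided by the IDP, not by us.
        prompted = idp.authenticate(user, now)
        # A new override cookie is issued regardless of whether a prompt occurred.
        self.cookies[user] = Cookie(issued_at=now, lifetime=self.override_lifetime)
        return prompted


def prompt_timeline(times: list, always_prompt: bool = False,
                    session_lifetime: int = 8 * HOUR) -> list:
    """For each connect time, record whether the (assumed) user 'alice'
    was prompted. Used to compare the three configurations below."""
    idp = Idp(session_lifetime=session_lifetime, always_prompt=always_prompt)
    gw = Gateway()
    return [gw.connect("alice", t, idp) for t in times]


if __name__ == "__main__":
    # Constructed connection times: first login, then reconnects over 9 hours.
    times = [0, 5 * MINUTE, 15 * MINUTE, 4 * HOUR, 9 * HOUR]
    print("default 8h IDP session:  ", prompt_timeline(times))
    print("IDP conditional access:  ", prompt_timeline(times, always_prompt=True))
    print("IDP session cut to 10min:", prompt_timeline(times, session_lifetime=10 * MINUTE))
```

With the default 8-hour IDP session, only the first connect and the one after the 9-hour mark prompt; the reconnects at 15 minutes and 4 hours run SAML again because the override cookie has expired, but the IDP session cookie answers silently, which is exactly the symptom in this article. Forcing a prompt at the IDP or shortening the IDP session to match the override lifetime makes every connect after the override cookie expires prompt again; the reconnect at 5 minutes never prompts in any configuration, because the gateway accepts the still-valid override cookie without contacting the IDP.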


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NCxCAM&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail