Does Connect Before Logon feature work together with Azure SAML conditional access authentication

Created On 02/08/22 18:13 PM - Last Modified 04/15/25 23:23 PM


Question


Does "Connect Before Logon" feature work together with Azure SAML conditional access authentication?

Environment


  • GlobalProtect using Connect Before Logon
  • SAML Azure authentication through Microsoft Conditional Access


Answer


  1. The Connect Before Logon feature cannot work together with Azure SAML conditional access authentication.
  2. This is because the Primary Refresh Token (PRT), which includes the Device ID and the Session Key, can only be retrieved after the Azure AD user has signed in to the device. Therefore no Azure token can be generated at this stage, and SAML authentication with conditional access will fail.
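To check on an endpoint whether a PRT is present for the current session, the following added PowerShell example (not part of the original article, and not Palo Alto Networks or Microsoft code) parses the output of `dsregcmd /status`. The function name `Get-PrtState` and the sample text are constructed for illustration; the field names are those printed by `dsregcmd`.

```powershell
# Added example: reduce `dsregcmd /status` output to the fields that matter
# for PRT availability. Get-PrtState is a hypothetical helper name.
function Get-PrtState {
    param(
        # Lines of `dsregcmd /status` output. When omitted, the tool is run
        # locally in the context of the calling session.
        [string[]]$StatusText = (dsregcmd.exe /status)
    )

    $fields = @{}
    foreach ($line in $StatusText) {
        # Data lines look like "   AzureAdPrt : YES".
        # Section banners and multi-word labels do not match and are skipped.
        if ($line -match '^\s*(\w+)\s+:\s+(.*\S)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    [pscustomobject]@{
        AzureAdJoined = ($fields['AzureAdJoined'] -eq 'YES')
        DeviceId      = $fields['DeviceId']
        # A missing AzureAdPrt line is treated the same as "NO".
        HasPrt        = ($fields['AzureAdPrt'] -eq 'YES')
        PrtUpdateTime = $fields['AzureAdPrtUpdateTime']
    }
}

# Constructed sample: a joined device queried where no Azure AD user
# has signed in, so no PRT has been issued.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
                  DeviceId : 00000000-0000-0000-0000-000000000000
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split "`r?`n"

$state = Get-PrtState -StatusText $sample
if ($state.AzureAdJoined -and -not $state.HasPrt) {
    Write-Output "Device is joined but has no PRT; conditional access SAML cannot succeed here."
}
```

Run `Get-PrtState` with no arguments inside the signed-in user's session to read the live state, since `dsregcmd` reports the SSO state for the context it runs in.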


Additional Information


Microsoft Document
