Entra SAML Automatically Authenticating Users Without Prompting
Objective
A network user authenticates to a SAML-protected resource by entering credentials on the logon web page that the browser presents; the browser submits them to the SAML IdP. Once the IdP has authenticated the user, it returns the SAML assertion and also sets a session token in the browser (governed on the Entra ID side by the Refresh Token Lifetime). The browser stores that token until it expires. Each time the user requests a new GlobalProtect session, the browser first checks whether it still holds a valid token; if it does, it presents the token to the IdP and the IdP issues a fresh assertion without prompting for a username and password. By default the token has an inactivity lifetime of 14 days, so a user who connects regularly is effectively never re-prompted.
Environment
GlobalProtect Client
Entra SAML Authentication
Procedure
The authentication exchange takes place between the browser's logon page and the Entra ID IdP, so GlobalProtect cannot change this behavior; it is controlled entirely on the IdP side. GlobalProtect's own authentication override cookie on the portal and gateway is a separate mechanism with its own lifetime and has no effect on the IdP session described here.
The Refresh Token Lifetime is a Microsoft Entra ID setting, not a GlobalProtect one. Microsoft has replaced the legacy configurable token lifetime policy with authentication session management in Conditional Access (see the Microsoft reference below). Rather than editing the default token lifetime, create a Conditional Access policy scoped to the GlobalProtect enterprise application and set its Sign-in frequency to about one hour; if the "Stay signed in?" prompt should not keep the browser session alive either, also set Persistent browser session to "Never persistent". Deploy the policy in report-only mode first, and keep in mind that a one-hour sign-in frequency means users who connect less often than that will be prompted for credentials on every connection.
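The following is an added example, not part of the Palo Alto Networks article or of Microsoft's documentation, showing how the Conditional Access policy described above can be created with the Microsoft Graph PowerShell SDK instead of the portal. It assumes the SDK is installed, that the account has the Policy.ReadWrite.ConditionalAccess and Application.Read.All scopes, and that the GlobalProtect enterprise application is named 'Palo Alto Networks - GlobalProtect' in the tenant; adjust the name if yours differs. The policy is created in report-only state so it can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example (not from the original article). Creates a report-only Conditional Access
# policy that limits the Entra ID sign-in session for the GlobalProtect enterprise app to
# one hour and stops the browser session from being persisted.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the enterprise application's
# display name is 'Palo Alto Networks - GlobalProtect' (change to match your tenant).

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$appName = 'Palo Alto Networks - GlobalProtect'   # assumed display name; verify in Enterprise applications
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) {
    throw "Enterprise application '$appName' not found; check the display name in Entra ID."
}
if (@($sp).Count -gt 1) {
    throw "More than one service principal matches '$appName'; narrow the filter before continuing."
}

$params = @{
    displayName = 'GlobalProtect - 1 hour sign-in frequency'
    # Report-only: evaluated and logged, but not enforced. Change to 'enabled' after review.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All') }          # scope down to a pilot group first if preferred
        applications   = @{ includeApplications = @($sp.AppId) } # Conditional Access keys on the app (client) ID
        clientAppTypes = @('all')
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            type               = 'hours'
            value              = 1            # re-prompt once the Entra session is older than one hour
            frequencyInterval  = 'timeBased'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
        persistentBrowser = @{
            isEnabled = $true
            mode      = 'never'               # do not honour "Stay signed in?" for this app
        }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

After the policy is in report-only mode, filter the Entra ID sign-in logs on the GlobalProtect application and confirm that the policy shows as "Report-only: Success" for the expected users, then switch the state to 'enabled'. If the goal is only to shorten the session and the "Stay signed in?" behavior is wanted for other reasons, drop the persistentBrowser block and keep signInFrequency alone.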
Additional Information
REFERENCES:
https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-saml-auth/m-p/530014
https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/globalprotect-with-saml-to-azure-ad-selecting-account-when/m-p/428428
https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-client-fails-to-connect-to-gateway-when-set-to/m-p/518803
https://live.paloaltonetworks.com/t5/general-topics/otp-authentication-with-globalprotect/m-p/530137#M109407
https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session-lifetime