I'm testing using Azure SAML authentication for VPN access, mainly because of MFA and Conditional Access policies.
When a user wants to extend their session, they get a pop-up saying they already have an existing session and need to click Connect. Can I stop that happening?
When they extend their session, is there a way to set it up so they don't need to reauthenticate?
You can turn off the notification sent to the users when there's an existing session: disable the user notification under Authentication >> Signing-in >> Sign-in policies >> Display open user session[s] warning notification.
If I recall correctly, the 9.1R9 server version should resolve this issue (not released yet), i.e. pre-9.1R9 servers are trying to create a new session instead of extending the session. Hope this helps.
Do you know if this should have been resolved already?
I have tested it and saw the same behavior on v9.1R10.
If I disable the user session warning, I still experience the behavior that a new session is created and session-related applications are disconnected due to the process of reconnecting.
Basically, the user session warning pop-up would not be the problem, as there is the option to keep the old session, but if I do so, the session still gets disconnected on the Pulse Connect Secure.
Thank you for your answer.
No, when using Active Directory for example I do not get the warning that there is already an existing session for that user. This works as expected. Of course, the user needs to reauthenticate against Active Directory as well when extending the session, but as you have mentioned the tunnel does not get dropped.
The re-authentication in general is OK when extending the session. When using SAML authentication the user needs to reauthenticate as well. All good so far. However, after successfully authenticating, Pulse Secure somehow cannot match the existing session, which leads to the mentioned warning message.
The issue is caused by the User-Agent and how the SAML auth is handled.
When you use SAML, the authentication is done through the browser, and after that the session cookie is transferred to the PDC.
During the first authentication you will see:
Login succeeded for "user/realm" from <ip-addr> with Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko.
Agent login succeeded for "user/realm" (session:xxxxxxx) from <ip-addr> with Pulse-Secure/9.x.x.xxx (Windows 10) Pulse/9.x.x.xxxx.
That's not causing any warning, but when you have to extend the session, as you said, you have to authenticate again while still having an active session.
When you perform the re-authentication to extend the session, the PCS already has an active session with a different User-Agent, hence the warning.
When using AD you don't see any warning because there is only one User-Agent.
I don't see any solution for this issue.
Well... a sort of solution could be to enable more than one user session at realm level...
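To make the User-Agent mismatch described above visible in the event log rather than only in the warning pop-up, here is an added example (not code from the thread or from Pulse Secure) that parses the two login message formats quoted in the reply and flags any user whose logins arrived under more than one User-Agent. The log lines, usernames, IP addresses, session ids and version strings below are constructed placeholders modelled on the quoted messages; the regular expression is an assumption about the exact message layout and may need adjusting for other log formats.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two messages quoted in the thread.
# "alice" authenticates via SAML (browser User-Agent, then the Pulse client);
# "bob" authenticates via AD (only the Pulse client User-Agent appears).
SAMPLE_LOG = """\
Login succeeded for "alice/SAML-Realm" from 203.0.113.10 with Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko.
Agent login succeeded for "alice/SAML-Realm" (session:a1b2c3) from 203.0.113.10 with Pulse-Secure/9.1.10.0 (Windows 10) Pulse/9.1.10.0.
Login succeeded for "bob/AD-Realm" from 203.0.113.20 with Pulse-Secure/9.1.10.0 (Windows 10) Pulse/9.1.10.0.
Agent login succeeded for "bob/AD-Realm" (session:d4e5f6) from 203.0.113.20 with Pulse-Secure/9.1.10.0 (Windows 10) Pulse/9.1.10.0.
"""

# Assumed message layout: optional "Agent " prefix, quoted user/realm, optional
# "(session:...)" field, source address, then the User-Agent up to the final dot.
LOGIN_RE = re.compile(
    r'^(?P<kind>Agent login|Login) succeeded for "(?P<user>[^"]+)"'
    r'(?: \(session:(?P<session>[^)]+)\))? from (?P<ip>\S+) with (?P<ua>.+?)\.?$'
)


def parse_login_events(log_text):
    """Return one dict (kind, user, session, ip, ua) per recognised login line."""
    events = []
    for line in log_text.splitlines():
        match = LOGIN_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def user_agents_by_user(events):
    """Map each user/realm to the set of distinct User-Agents it logged in with."""
    agents = defaultdict(set)
    for event in events:
        agents[event["user"]].add(event["ua"])
    return dict(agents)


def users_with_mixed_agents(events):
    """Users whose logins came from more than one User-Agent.

    These are the accounts for which a re-authentication to extend the
    session will not be matched to the existing session, as described in
    the thread, and so will trigger the open-session warning.
    """
    return sorted(
        user for user, uas in user_agents_by_user(events).items() if len(uas) > 1
    )


if __name__ == "__main__":
    events = parse_login_events(SAMPLE_LOG)
    for user, uas in user_agents_by_user(events).items():
        print(f"{user}: {len(uas)} distinct User-Agent(s)")
    print("Users likely to hit the open-session warning:", users_with_mixed_agents(events))
```

Running this over a real event export would show which realms produce two User-Agents per login, which is the population affected by the warning and by the "more than one session per realm" workaround mentioned above.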
Thanks @rdumitrescu, that makes sense.
I really wish there was a suggestion box feature here, or through mypulse, as this would be a feature I'd love to get working.
@myPulseSec Please open a support ticket, as extending the session should not cause any issues, since the tunnel will be intact throughout the process. There's a known issue with session extension on pre-9.1R9 when a custom sign-in page is used, i.e. using the embedded browser, which should be resolved in 9.1R9 and above.