cancel
Showing results for 
Search instead for 
Did you mean: 

Azure SAML Authentication

DaveG
Contributor

Azure SAML Authentication

Hi all,

 

I'm testing using Azure SAML authenticaon for VPN access. Mainly because of MFA and Conditional Access polcies.

 

When a user wants to extend their session, they get a pop up to say they already have an existing session and need to click connect. Can I stop that happening?

 

When they extend their session, is there a way to set it up so they don't need to reauthenticate? 

 

 

7 REPLIES 7
r@yElr3y
Moderator

Re: Azure SAML Authentication

You can turn off the notification sent to the users when there's an existing session, disable the user notification under Authentication >> >> signing-in >> sign-in policies >> Display open user session[s] warning notification.

 

If I recall correctly, 9.1R9 server version should resolve this issue (not released yet) i.e. pre-9.1R9 servers are trying to create a new session instead of extending the session. Hope this helps.

PCS Expert
Pulse Connect Secure Certified Expert
myPulseSec
New Contributor

Re: Azure SAML Authentication

Hey r@yElr3y, 

 

do you know if this should have been resolved already?

I have tested it and saw the same behavior on v9.1R10. 

If I disable the user session warning, I still experience the behavior that a new session is created and session related applications are disconnected, due to the process of reconnecting.

 

Basically the user session warning popup would not be the problem, as there is the option to keep the old session, but if I do so, the session still gets disconnected on the Pulse Connect Secure. 

 

Thank you.

zanyterp
Moderator

Re: Azure SAML Authentication

no, you cannot prevent re-authentication with session extension. this is a slightly mis-named feature as it re-authenticates the user and resets the session start time…but does so without dropping the tunnel (as long as it is done at least 10 minutes prior to session expiration)
do you see the same alert for an existing session when you are using non-SAML auth?
myPulseSec
New Contributor

Re: Azure SAML Authentication

Thank you for your answer. 

No, when using Active Directory for example I do not get the warning that there is already an existing session for that user. This works as expected. Of course, the user needs to reauthenticate against Active Directory as well when extending the session, but as you have mentioned the tunnel does not get dropped. 

 

The re-authentication in general is ok when extending the session. When using SAML Authentication the user needs to reauthenticate as well. All good so far. However, after successfully authenticating, the Pulse Secure somehow cannot match the existing session, which leads to the mentioned warning message.

rdumitrescu
Occasional Contributor

Re: Azure SAML Authentication

The issue is caused by the User-Agent, and how the SAML auth is handled.

When you use SAML, the authentication is done through browser and after that the session cookie is transferred to the PDC.

During the first authentication you will see:

Login succeeded for "user/realm" from <ip-addr> with Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko.

and then:

Agent login succeeded for "user/realm" (session:xxxxxxx) from <ip-addr> with Pulse-Secure/9.x.x.xxx (Windows 10) Pulse/9.x.x.xxxx.

 

That's not causing any warning, but when you have to extend the session, as you said you have to authenticate again while still having an active session.

When you perform the re-authentication for extend the session, the PCS already has an active session with a different User-Agent, hence the warning.

When using the AD you don't see any warning because the User-Agent is only one.

I don't see any solution for this issue.

Well.. a sort of solution could be enable more than 1 user session at realm level...

DaveG
Contributor

Re: Azure SAML Authentication

Thanks @rdumitrescu , that makes sense. 


I really wish there was a suggestion box feature here, or through mypulse, as this would be a feature I'd love to get working. 

zanyterp
Moderator

Re: Azure SAML Authentication

i know it is not as easy as having it here or through the support portal; but you can reach out to your account team and let them know this is a feature you would like to have added in the future
you can also open a case with our support team for investigation on this as you should not see an issue as long as you are using the embedded browser